From a data protection point of view, it is important for organisations to comply with the GDPR but it is also important for individuals to receive sufficient information to allow them to make a decision over whether they want their personal data to be processed by those organisations. We are seeing the importance of transparency grow in recent regulations such as gender pay gap and environmental and social governance, both of which require transparent reporting from organisations.
One of the most important reasons for ensuring transparency is effective is trust. Consumers are placing more importance on their trust in organisations before deciding to make a purchase, set up an account, or share personal data.
The GDPR outlines what information we need to provide to individuals, including where we have received their data from a third party. The European Data Protection Board (EDPB) goes on to provide guidance on the correct methodology to use when presenting this information. The core concept is that we need to inform people:
This information must be provided using plain language, taking into account the target audience, and in a manner that is easy to access and navigate. Many privacy/transparency notices are very legal and use complex language that is not going to be understood by the majority of people. They are also difficult to navigate, oftentimes resulting in incessant scrolling before getting to the desired information.
Before creating privacy notices it is vital that you are fully aware of all your processing activities. This means undertaking a Record of Processing Activity (RoPA) exercise. An accurate RoPA should contain most if not all of the information that is required in the privacy notice.
Tip: Make sure you have a process for reviewing your RoPA that triggers making subsequent updates to the privacy notice to ensure it remains up to date
Once you have all the required information you need to choose the correct language for your privacy notice. It needs to be clear and unambiguous but also targeted to your audience. If you anticipate that people under 18 are going to be using your services then the notice needs to be legible by younger people. Similarly if, for example, you provide services for people to learn English as a second language, it is recommended that the language used in the privacy notice is very basic and easy to understand.
The EDPB has good guidance on how to ensure your privacy notice meets the requirements of the GDPR, available here.
Recent actions being taken by regulators across Europe, and especially by the Data Protection Commissioner here in Ireland, demonstrate the repercussions of getting this wrong.
WhatsApp has received a fine of €255 million, part of which for transparency violations. It was found by the DPC after an extensive investigation that WhatsApp had not met its obligations to provide the required information.
Similarly, Facebook has been issued with a notice of intention to fine up to €36 million for similar infringements. See more about these two fines in our latest data protection newsletter.
With regards to trust, consumers are becoming more aware of their privacy rights and expect certain standards. For business-to-business organisations, having a bad privacy notice or other transparency information can result in exiting the sales process before it has begun as more organisations are improving their due diligence process and reviewing these notices. There is a risk that business is being lost before there is a chance to discuss it.
In 2018 there was a rush to push out privacy notices on websites and information booklets across the EU. Some organisations have not revisited these since, others have updated them but have not had them reviewed externally. Transparency efforts need to be continuous and form part of compliance monitoring processes and frameworks.
It is recommended that organisations review their notices to ensure they meet the requirements but also deliver value to their customer and stakeholders.
We have insights into developments that affect your business. We can provide you with unique perspectives and thoughtful solutions so you can meet new challenges and seize opportunities.
Since the beginning of the year, several articles and speeches from the Central Bank of Ireland (CBI) have singled out the Payments Institutions (PI) and Electronic Money Institutions (EMI) sector as being of increased risk, with concerns that an operational or financial failure could cause a significantly impact the European Economic Area (EEA) financial system.
Mazars is delighted to have supported Aerospace Software Developments (ASD) on its sale to Descartes Systems Group.
Mazars and the Compliance Institute work together to provide unique insight into the views and expectations of financial services professionals and their preparedness for the individual accountability framework (IAF) and the senior executive accountability regime (SEAR).
Tailored solutions for assurance and value creation in a changing world
Mazars supports you in achieving and maintaining data protection & privacy compliance.
Mazars provides outsourced data protection officer (DPO) services to organisations that do not wish to directly employ a DPO
Build technological resilience so you can operate with confidence
Mazars has partnered with Europrivacy to provide companies with General Data Protection Regulation (GDPR) compliance certifications. This is the first GDPR certification to be created since the launch of the GDPR four years ago, and has been authorised by the European Data Protection Board (EDPB). This certification positions companies as front-runners in data protection with a strong competitive...
Sustainability and ESG must be at the heart of every organisation's business model
This website uses cookies.
Some of these cookies are necessary, while others help us analyse our traffic, serve advertising and deliver customised experiences for you.
For more information on the cookies we use, please refer to our Privacy Policy.
This website cannot function properly without these cookies.
Analytical cookies help us enhance our website by collecting information on its usage.
We use marketing cookies to increase the relevancy of our advertising campaigns.