As a fundamental principle of data protection, as well as ethical business, transparency is a key concept that needs to be constantly worked on and improved. We have seen from recent actions and regulations that it is more and more important that organisations have put in place the correct processes to deliver accurate and relevant information to individuals.
Why is transparency important?
From a data protection point of view, it is important for organisations to comply with the GDPR but it is also important for individuals to receive sufficient information to allow them to make a decision over whether they want their personal data to be processed by those organisations. We are seeing the importance of transparency grow in recent regulations such as gender pay gap and environmental and social governance, both of which require transparent reporting from organisations.
One of the most important reasons for ensuring transparency is effective is trust. Consumers are placing more importance on their trust in organisations before deciding to make a purchase, set up an account, or share personal data.
The GDPR outlines what information we need to provide to individuals, including where we have received their data from a third party. The European Data Protection Board (EDPB) goes on to provide guidance on the correct methodology to use when presenting this information. The core concept is that we need to inform people:
- What we do?
- With what data?
- Why are we doing it?
- About whom?
- Who are we sharing it with?
- How long we are storing it for?
- How to access their rights?
This information must be provided using plain language, taking into account the target audience, and in a manner that is easy to access and navigate. Many privacy/transparency notices are very legal and use complex language that is not going to be understood by the majority of people. They are also difficult to navigate, oftentimes resulting in incessant scrolling before getting to the desired information.
How do we become transparent?
Before creating privacy notices it is vital that you are fully aware of all your processing activities. This means undertaking a Record of Processing Activity (RoPA) exercise. An accurate RoPA should contain most if not all of the information that is required in the privacy notice.
Tip: Make sure you have a process for reviewing your RoPA that triggers making subsequent updates to the privacy notice to ensure it remains up to date
Once you have all the required information you need to choose the correct language for your privacy notice. It needs to be clear and unambiguous but also targeted to your audience. If you anticipate that people under 18 are going to be using your services then the notice needs to be legible by younger people. Similarly if, for example, you provide services for people to learn English as a second language, it is recommended that the language used in the privacy notice is very basic and easy to understand.
The EDPB has good guidance on how to ensure your privacy notice meets the requirements of the GDPR, available here.
What happens if we are not transparent?
Recent actions being taken by regulators across Europe, and especially by the Data Protection Commissioner here in Ireland, demonstrate the repercussions of getting this wrong.
WhatsApp has received a fine of €255 million, part of which for transparency violations. It was found by the DPC after an extensive investigation that WhatsApp had not met its obligations to provide the required information.
Similarly, Facebook has been issued with a notice of intention to fine up to €36 million for similar infringements. See more about these two fines in our latest data protection newsletter.
With regards to trust, consumers are becoming more aware of their privacy rights and expect certain standards. For business-to-business organisations, having a bad privacy notice or other transparency information can result in exiting the sales process before it has begun as more organisations are improving their due diligence process and reviewing these notices. There is a risk that business is being lost before there is a chance to discuss it.
In 2018 there was a rush to push out privacy notices on websites and information booklets across the EU. Some organisations have not revisited these since, others have updated them but have not had them reviewed externally. Transparency efforts need to be continuous and form part of compliance monitoring processes and frameworks.
It is recommended that organisations review their notices to ensure they meet the requirements but also deliver value to their customer and stakeholders.
Join our mailing list
We have insights into developments that affect your business. We can provide you with unique perspectives and thoughtful solutions so you can meet new challenges and seize opportunities.