In detail
What is the right to be informed?
The transparency requirements of the UK GDPR create a number of overarching legal obligations for how you collect and use people’s personal data. The right to be informed encompasses some of the primary requirements in this area. It is about being open with people and providing them with clear and concise information about what you do with their data.
Articles 13 and 14 specify the types of information that you need to provide individuals with; we call this ‘privacy information’.
If you only obtain personal data as part of simple transactions, then it should be relatively straightforward for you to develop a clear and effective way to provide privacy information.
However, more complex uses of data can make it more difficult to convey all the required information, especially if you try to contain it in a single notice. The UK GDPR recognises this and allows you to use several different techniques to deliver the information.
Further reading – European Data Protection Board
The European Data Protection Board (EDPB), which has replaced the Article 29 Working Party (WP29), includes representatives from the data protection authorities of each EU member state. It adopts guidelines for complying with the requirements of the GDPR. EDPB guidelines are no longer directly relevant to the UK regime and are not binding under the UK regime. However, they may still provide helpful guidance on certain issues.
WP29 adopted guidelines on Transparency, which have been endorsed by the EDPB.
Why is it important?
Being open and upfront about what you do with their personal data helps you to deal with people in a clear and transparent way and empower them. This makes good sense for any organisation and is key to developing trust with individuals. Fostering trust in this way can help to improve the public’s confidence in public sector institutions, while private sector organisations can use it as a means of distinguishing themselves from their competitors.
Using personal data in ways that are invisible to people can create risks. It can leave people unaware of uses of their personal data that may lead to discrimination or disadvantage, and prevents them from exercising their rights. Being transparent helps to mitigate against these risks. Actively telling people about your use of their personal data will help them retain control over it and anticipate the potential consequences of its use.
Combining the provision of privacy information with preference management tools, such as a dashboards, not only helps to empower individuals to understand what you do with their personal data, but also to exercise a degree of control over that processing. If individuals have more choice and are more engaged in what you do with personal data, you may be able to obtain more useful information from them. In turn, this can assist you to deliver better and more effective products and services. Providing privacy information also helps you with your broader compliance.
How can it help our broader compliance?
The right to be informed is not an end in itself and you should not treat it as a tick-box exercise just to achieve compliance with Articles 13 and 14 of the UK GDPR. Providing individuals with privacy information in meaningful ways will also support compliance with a number of other provisions in the UK GDPR such as:
- Fairness – Fairness is about using personal data in a way that people would reasonably expect and considering what effects it may have on them. Drafting privacy information can encourage you to think more carefully about the impact and consequences of your processing. Making sure that what you tell people is clear and understandable will help to shape people’s expectations about what you do with their data.
- Purpose limitation – The principle of purpose limitation says that you must have specified, explicit and legitimate purposes for what you do with personal data, and any further use of the data must be compatible with those purposes. Privacy information that clearly and concisely sets out what you do with personal data will help you meet these requirements. It will also be useful to consult when you are assessing the compatibility of any further uses of that data.
- Consent – When relying on consent as your lawful basis for processing, one of the key elements is that it must be informed. Although requirements for consent requests are separate to the requirements for privacy information, there are clear links between the two. In both cases, providing people with clear and easy to understand information about who you are and what you plan to do with their personal data will help you to be more confident that people are properly informed.
- Legitimate interests – When relying on legitimate interests as your lawful basis for processing, you take on extra responsibility for protecting people’s right and interests. Making sure that people understand and reasonably expect what you do with their personal data is key to relying on this lawful basis. Providing clear, intelligible privacy information will help you do this.
Further reading – European Data Protection Board
The European Data Protection Board (EDPB), which has replaced the Article 29 Working Party (WP29), includes representatives from the data protection authorities of each EU member state. It adopts guidelines for complying with the requirements of the GDPR. EDPB guidelines are no longer directly relevant to the UK regime and are not binding under the UK regime. However, they may still provide helpful guidance on certain issues.
WP29 published the following guidelines which have been endorsed by the EDPB:
Guidelines on Transparency
Guidelines on Consent
What can happen if we get it wrong?
The right to be informed is a fundamental aspect of the UK GDPR and a key obligation for all organisations collecting and using personal data. The ICO prioritises guiding, advising and educating organisations about how to comply with the law, but serious breaches of the right to be informed could leave you open to the highest tier of fines.
Over and above any fines you may be subject to is the reputational damage you could suffer for getting it wrong. If you’re not honest with people about what you do with their data, or you hide important information behind overly complex and legalistic language, people will be less willing to put their trust in you and provide you with their personal data.