With GDPR now less than a month away, our Data Protection Officer Emma Butler will be publishing a series of posts on GDPR and what it means for individuals.
There’s a whole load of guidance and information out there, but none really seems to break it down quite like we think it ought to be.
In this first post, Emma looks at your right to be informed.
GDPR puts a strong emphasis on transparency and as a result, unlike current law, these obligations are now listed as an individual right.
As well as setting out what information organisations have to provide to individuals, GDPR sets out requirements for how to communicate that information. Specifically, organisations must provide information:
GDPR is also clear that the need to communicate in ‘clear and plain language’ is particularly important for any information aimed specifically at children. Some organisations are therefore looking at whether they need to rewrite their privacy information so it can be understood by children, or even to provide a separate version.
GDPR distinguishes between where you get personal information directly from a person and where you get it from elsewhere in terms of what you need to tell people. However, in reality, it’s broadly all the same information apart from one or two things. However organisations decide to tell you, they should make you aware of the following.
If they are getting the personal information from you directly: at the same time.
Rather than giving you a lot of information to read, organisations should get creative and tell you what you need to know, when you need to know it, and give you the ability to find out more details if you want to. Consumers will have more meaningful interactions with organisations and better relationships if they have the most relevant information at the right time.
If the organisation gets the personal information from elsewhere: within a reasonable period of time afterwards, but within one month at the latest.
If they intend to use the personal information they collected to communicate with you: in that first communication at the latest.
If they intend to disclose the personal information to another person or organisation: at the time of that first disclosure, at the latest.
There are some scenarios where organisations don’t have to provide you with the information. Regardless of where they get the personal information from, they don’t need to provide you with any information that you already have.
Where an organisation gets your information from somewhere else, there are some specific circumstances where they don’t need to provide you all the information. These are things like where it is impossible or extremely difficult, such as where they have no contact details for you. In these cases the organisation instead has to take other appropriate steps. This could be by making the information publicly available, such as in a privacy notice.
The UK’s draft Data Protection Bill to implement GDPR is currently being finalised but the current version maintains the exemptions in current law that mean that an organisation may not have to provide you with some information in certain circumstances.
As organisations work to comply with GDPR you may find they send you or alert you to updated privacy notices setting out how they collect and use your personal information. Many people don’t bother to read privacy notices, and you may think that a lot of the information provided is not interesting or relevant to you. However, organisations should be making the information clearer and it should be easier to find details that do interest you. Understanding how organisations use your personal information helps you decide whether to trust them with it.
Transparency is one of our core business principles, so we try very hard to make our privacy information as plain English as possible, so everyone can understand it. We are though also looking at testing it with under 18s and discussing whether we can simplify it further or if we need a children’s version.
You can contact our Data Protection Officer on firstname.lastname@example.org.