The GDPR and data protection law lay down core principles to be followed when processing personal data. For example, when you process data you should be transparent and accountable.
Bearing the above in mind, the issues discussed in the recent Data Protection Commission report on “Matters Pertaining to the Public Services Card” show how important it is to get the basics right when processing personal data. So, today we are going to take a brief look at one of those core data privacy basics: transparency.
Transparency means being open and accessible about what you are doing with personal data. It is covered by articles 13 and 14 of the GDPR and by the transparency principle in article 5.1(A).
In general, transparency is what it says on the tin. Being open about what you do with personal data is covered by the right to be informed. To facilitate this right you need to tell the individuals whose data you process (data subjects) why their data is processed, and on what legal basis and for what purposes it is collected and retained. For example, a charity may state that it processes donors’ data on the basis of consent and employees’ data on the basis of contract.
Transparency also entails explaining how the data is processed, any risks involved and how you mitigate them (what controls you have and how breaches are handled), what data subjects can expect in terms of the security of their data, who else receives it (i.e. who it may be shared with and why) and how long you will keep it for.
If your Company uses automated decision making or profiling, this should be explained and ways to object should be detailed.
The right to be informed means explaining all of this to the data subject in a way they can easily access and understand. Many Companies do this through the privacy statement on their website or through fair processing notices on forms. These privacy notices are usually a summary of the organisation’s data protection approach to the specific or general processing it conducts, written in plain, understandable language for the benefit of the data subjects whose data it processes.
Transparency also means having procedures in place so that the people whose data you process can exercise their rights under the GDPR. Data subjects have the right of access, the right to be informed, the rights to erasure and rectification, the right to restrict processing, the right to object and rights in relation to automated decision making. All of these rights are important, and you should be able to explain how and when each applies, and when it does not, at the point where a data subject exercises it.
In terms of transparency, the right of access is one of the most important. A data subject has a right to access their data, and the GDPR sets out a timeframe for responding. Handled well, a request for access can demonstrate that your Company uses data correctly and manages it securely. Be sure to also mention that data subjects have the right to contact the Data Protection Commission if they are unhappy with how you have processed their data.
A few things to remember with transparency - there are instances where rights are restricted for national reasons (as detailed in article 23 of the GDPR and given effect by national legislation such as Section 60 of the Data Protection Act 2018). Also, there will be times where data may be processed for purposes other than the purpose for which it was collected (as detailed in section 41 of the Data Protection Act 2018). While these restrictions and this processing are legal and correct, you may want to consider how you will explain their application (if relevant to your service) so that data subjects are informed. For example, it would be ridiculous to ask a criminal (who has burgled your premises and was captured on your CCTV system) for consent to transfer the footage to the police. A more appropriate way of informing data subjects would be to simply mention in your privacy statement or privacy notices that you may share data with the police (under the relevant legislation) for preventing, detecting, investigating or prosecuting criminal offences.
Building transparency in an organisation is an ongoing process and requires knowing what you have and why, having the necessary procedures in place so people can access their data (and their rights), the ability to communicate all this clearly to the data subject and the diligence to maintain and update these communications and processes as things evolve.
Enguard can assist with the issues GDPR raises as part of our audit package. We also provide cyber security services, staff training and can assist with drafting policies and procedures. For further details please call us at Enguard on 0818 252 052 or email email@example.com. We would love to hear from you!
Disclaimer: Please note that the above article is an opinion piece based on the sources of information available at the time of publishing. It should not be read as legal, clinical or any other form of technical advice on the processing of data by processors or controllers.