The General Data Protection Regulation (GDPR) introduces a more prescriptive framework about the information we must provide to people whose data we are processing. In this blog DPP’s Phil Brining explores privacy notices under GDPR and outlines a radical approach to them.
This blog started out as a bit of a wacky abstract thought while travelling over the M62 musing on the GDPR. What if privacy notices could be iconized and conveyed in a similar manner to food labelling? What if a set of icons could convey the information clearly and accurately to data subjects? The GDPR introduces a more prescriptive framework about the information we must provide to people whose data we are processing, extending the information that we must make available, the manner and timeframe in which it should be made available, and the penalties for contravention of these rules. What if a standard set of icons could be developed across Europe to inform data subjects?
Before getting into the radical approach it is useful to look briefly at the Data Protection Act 1998 (DPA) and the official guidance on privacy notices provided by the Information Commissioner (ICO).
Existing Privacy Notices/Statements
There are lots of acceptable privacy statements in use these days, but we now need to start planning a new approach that complies with the GDPR requirements.
GDPR Privacy Statements
So what does GDPR say on the matter? Well, for starters, Article 14, entitled “Information to the data subject”, builds on the provisions of the Directive as follows.
Data Controllers are required to provide the data subject with at least the following information:
- The identity and contact details of the data controller (or their representative) and where there is one, the data protection compliance officer.
- The purposes of the processing including the legitimate interests pursued by the data controller if that is one of the conditions for lawful processing relied upon to legitimise the processing.
- The period for which the personal data will be stored.
- Countries or organisations that the processor may transfer the data to and the level of protection afforded by that country.
- The source of the personal data if it has not been collected from the data subject themselves.
- Whether providing personal data is voluntary or obligatory and the possible consequences of not providing the information.
- Any other information necessary to guarantee the fair processing in respect of the data subject.
- Recipients or categories of recipients with whom the personal data are likely to be shared.
- The data subjects’ rights including: right of access to one’s own personal data, right of correction, erasure and to object to processing, and the right to lodge a complaint with the ICO.
WOW! Hence my musing about how successfully this could be conveyed graphically via icons rather than via verbose text.
Some important considerations.
As you can see, GDPR takes a more prescriptive approach, and the wrap-up statement, “any other information necessary to guarantee the fair processing”, uses exceptionally strong language: “necessary to GUARANTEE the fair processing!” The requirement to specify the legitimate purposes a controller is undertaking means that you need to have been through that thought process, determined your legitimate interests and balanced these against the legitimate interests and rights of the data subjects. Setting out the retention period for personal data isn’t that easy if you are complying with the new 5th GDPR Data Protection Principle of de-personalising data as soon as possible – you will inevitably end up with differing retention periods for different processing activities, as you will be aiming to depersonalise data as soon as possible for higher risk activities, and therefore you may have complex data retention periods to convey in a privacy statement.
There are other considerations too such as how to inform data subjects about the organisations or categories of organisations with whom they will share the personal data. I’m sure that the guidance when published will elaborate on when categories will be sufficient as opposed to a list of organisations and I am guessing that for instance “printers and mailing houses” and “email broadcast suppliers” would probably be sufficient rather than naming the individual sub-contractors. Or perhaps “marketing support companies” would suffice? On the flip side I am guessing that if you have a data sharing agreement between two government agencies to routinely share personal data – e.g. a Housing Association and a Local Authority – then you’d be advised to name the specific recipient.
One very big point to consider is the apparent requirement to convey all of the privacy notice information to data subjects in cases where the data subject is not the source of the data. This suggests that data subjects whose data comes from bought-in data, shared data, friends and family schemes etc. (A14(2) and (3)) need to be supplied with this information by the controller.
Some other factors to note.
Privacy by design is a principle contained in the GDPR (A23), as is the requirement to undertake and record privacy impact assessments (A33). Therefore there is a legal obligation to consider and to be able to demonstrate consideration for the information rights of data subjects. The GDPR requires controllers to maintain documentation (A28) and to implement an audit and review function (A22(3)) to ensure monitoring of its arrangements, requiring us to review the success of our privacy notices. The DPO has a set of tasks laid out in the Regulation (A37) and a more general obligation to ensure that the Regulation is being adhered to by their employer. There are obligations for controllers to be transparent (A11) and to provide understandable, clear information (A7(2)). And so in the round there are several inter-related requirements aimed at providing a culture and regime in which privacy and good data governance should thrive.
There are a few exemptions of course (A14(5)) which broadly are where the data subject already has the information that we are obliged to provide them with; as well as situations where the data are not collected from the data subject and providing the required information is impossible, or would involve disproportionate effort. The first exemption appears to relate in the main to legacy data provided they have the full extent of the information we are obliged to provide, and I am sure there will be a test as to what would constitute disproportionate effort. Two other exemptions are where the data collection is expressly laid down by law, or where providing the required information would impair the rights and freedoms of others. I believe that we should start providing this enhanced data to data subjects asap so that we’re compliant well before 2018.
Penalties for not complying.
The penalties for not complying with the information provision requirements are regulatory action, middle tier fines of up to €500 or 1% of annual global turnover, and compensation for damage suffered through unlawful processing (and you may have been following the Google v Vidal-Hall case in this respect).
So finally let me stick my neck out and have a go at drafting a privacy statement that might comply with GDPR, a task which I am sure the law-makers will have carried out during the drafting of the Regulation.
Example 1 CCTV Notice
XYZ Limited of Brooklands, Somertown (www.xyz.com) is a housing association based in the United Kingdom. We are monitoring this area using HD CCTV for the purpose of crime prevention and prosecution of offenders, for identifying accidents and incidents and emergency situations. We may also use CCTV footage for our own legitimate business purposes including internal training. We will retain CCTV footage for no more than 28 days unless the footage is being used to investigate an alleged crime or an incident in which case it may be retained for up to 2 years following the conclusion of any investigation. We are processing CCTV data generally without your consent in pursuit of our legitimate interests to provide such a service and to protect the general interests and well-being of our data subjects. Further information about how we have balanced our legitimate interests and yours is available on our website www.xyz.com.
You have the following rights: request access to CCTV data relating to you, the rectification or erasure of CCTV images of you (subject to other conditions) and the right to object to our use of CCTV monitoring. Please contact our DPO Mr Smith [email protected] for any further information. You also have the right to complain to the Supervisory Authority (ICO at ico.org.uk) about our data processing activities.
We employ G4S to provide the CCTV monitoring services on our behalf and therefore will share CCTV data with them. We also will share CCTV data with the Police, and with DEF Guarding who provide security patrols around our properties. All our CCTV data is stored on equipment located in New Zealand which has been assessed by the European Commission as providing adequate provisions to safeguard your personal information. A copy of the CCTV data is also stored on G4S’ server in the United States of America – G4S have been deemed to provide adequate levels of protection by the European Commission.
Due to the nature of CCTV, data collection is obligatory.
XYZ Limited Jan 2016.
Admittedly the privacy notice above may be contrived but I found it an interesting exercise trying to draft a GDPR compliant notice.
And that’s how I got to thinking of taking a different approach. I wondered if it might be possible to convey the information provided above in a better format. I’m not a graphic designer but hopefully you’ll get the concept.
I keep saying that I like the Regulation and that it is easy to read and understand and I hope that you recognise the paradigm shift that it presents to which I have previously referred. I like the fact that the Regulation is strategic and aims to change the relationship between data subject and controller. The privacy notice provisions are one of the ways that the balance of power will move in favour of the data subject. Data controllers will have to have more detailed and considered privacy notices and communicate with data subjects whose data they acquire from third parties. I think that it is interesting to consider whether a standardised set of icons could be used across the European Union to allow consumers to quickly assimilate the risks to their privacy presented by various data controllers and their processing activities.
Data Protection People will be running a regular Blog to encourage discussion, consideration, and understanding about the changes but please contact us if you have any questions.
Philip Brining 28th January 2016