Transparency

The GDPR is designed to ensure that organisations are transparent in their processing activities and when they communicate with data subjects.

Transparency is now embedded as a key principle of the GDPR. The GDPR particularly emphasises the need for transparency in privacy notices, and also when communicating with data subjects in relation to their rights or data breaches. Such communications should be in a concise, transparent, intelligible and easily accessible form, using clear and plain language. The requirements are even stronger if the information is addressed to a child. 

The GDPR also emphasises the need for organisations to make data subjects aware of the “risks, rules, safeguards and rights in relation to the processing of personal data and how to exercise their rights in relation to such processing”.

Practical steps to take now

Consider how the transparency requirement will affect your privacy notices:

  1. Are they easily accessible and not buried in longer terms and conditions? 

  2. If the notice is “layered” e.g. via “click through” headings, is the most intrusive and surprising processing apparent from the first layer? Is it clear from the headings where the rest of the information can be reached?

  3. Is the language clear and concise? Are the fonts and colours easily legible?

  4. Will the notices be intelligible to the likely audience (e.g. consider children, people with disabilities)? 

  5. Do they make clear what the most important risks or most intrusive processing activities are?

  6. Are the notices appropriate to the type of activity or technology? A notice that only appears on a website may not be appropriate for CCTV monitoring for example.

  7. Will the notices be reviewed at appropriate intervals? 

  8. How will data subjects be notified of changes so that they can exercise their rights before the change comes into effect?

  9. Consider also how the transparency obligations will affect your other communications with data subjects. 

  10. Download our checklist and check that you are providing the right information about what personal data you process, why and how.

Main contacts