Important guidance about the General Data Protection Regulation’s (GDPR) transparency requirements has been released from Europe. The Article 29 Working Party, an advisory body that oversees data protection in the EU, issued a paper that provides practical guidance and clarity about the obligations of data controllers with respect to informing individuals about the collection, use and protection of their data. The GDPR requires that notices must:

  • be concise, transparent, intelligible and easily accessible (Article 12.1);
  • use clear and plain language (Article 12.1);
  • use clear and plain language with particular care when providing information to children (Article 12.1);
  • be provided in writing “or by other means, including where appropriate, by electronic means” (Article 12.1);
  • be provided verbally where requested by the data subject (Article 12.1); and
  • be provided free of charge (Article 12.5).

The guidance released in December clarifies how each of these requirements can be met effectively.

In providing advice, the Article 29 Working Party focuses on how privacy notices can be written in a way that communicates effectively to individuals – clear, straightforward vocabulary, unambiguous language, and words that are readily understood by the target audience (e.g., children, vulnerable populations). It also discusses how notices can be presented to be optimally useful – online, paper and verbal notices. In the case of website notices, it encourages the use of “layered notices” that present information to users in manageable amounts and that present the most critical information first. Of utmost importance is that the notice be set apart from general terms and conditions, so that users can easily locate it.

The importance of notice as a means to inform individuals and empower them to exercise their data protection rights is clear, and “cut-and-paste” or “boilerplate” notices are a relic of the past. Notices now must be current and accurately reflect a company’s data processing and protection activities. To develop GDPR compliant notices, companies must have a comprehensive view of their data activity, and invest the appropriate resources to state clearly how they process and protect individuals’ data.


Achieved Compliance – helping you navigate the complex world of data compliance.

Through its software guided review and remediation process, education tools and representation services, Achieved Compliance makes it possible for companies to take all the steps needed for meaningful compliance that meets regulators’ expectations.

For more information as to how we can help your organization be GDPR compliant please contact info@achievedcompliance.com.