Revisited under the GDPR Hugh Jones - Sytorus Transparency Revisited under the GDPR Hugh Jones - Sytorus

Principle of Transparency Not just at the point of data acquisition Applies throughout the data life cycle Fundamental to the Principles of Fairness and Accountability Challenges the expectations being set with Data Subjects Controller must be able to demonstrate transparency of processing Information must be accessible and understandable

Entire Life Cycle before or at the start of the data processing cycle i.e. when the personal data is being collected either from the data subject or otherwise obtained; throughout the whole processing period i.e. when communicating with data subjects about their rights; and at specific points while processing is ongoing, for example: when data breaches occur, or when information is requested, or in the case of material changes to the processing.

Transparency Defined? Not specifically defined in the articles of the GDPR Recital 39, however, provides some clarification Information in relation to the data processing should be: easily accessible and easy to understand, that clear and plain language be used. Clarity in relation to the identity of the controller Explanation of the purposes of the processing Information to ensure fairness in respect of the natural persons concerned Clarity on the Subject’s right to obtain confirmation and communication of processing

Transparency inferred GDPR Articles in relation to Subject Rights indicate characteristics Information in relation to processing: must be concise, transparent, intelligible and easily accessible (Article 12.1); clear and plain language must be used (Article 12.1); particularly when providing information to children (Article 12.1); it must be in writing “or by other means, including ….by electronic means” (Article 12.1); where requested by the data subject it may be provided orally (Article 12.1) ; and it must be provided free of charge (Article 12.5).

Transparency Tips – what to do Avoid language qualifiers (“may”, “might”, “some”, “often”, “possible”) Short, structured sentences and paragraphs Active, rather than passive language Should not be technical or legalistic Any translations should be consistent with the original Vocabulary, tone and style should suit the intended audience Provided clearly in writing, or using standardised icons and images

Transparency Tips – What to avoid Imprecise, not easily understood by the intended audience “Words of two syllables or less” – avoid complex language Information is overly technical, avoid ‘information fatigue’ Not mixed in with contract T&C’s No Privacy Statement / Fair Processing Notice / FAQ’s Unclear scope and consequences of processing Failure to provide Article 13 and 14 explanations Explanation is hidden or difficult to navigate

Data Protection Consultancy and Assessments Tailored training courses Privacy Engine portal DPIA, PAL Capability Tracks Risks, SAR’s, Breach Reporting Repository for contracts, policies, training Full suite of DPO Reporting templates Contact us at info@Sytorus.com