Thoughts on transparency principle in data protection
Michael Irene is a data and information governance practitioner based in London, United Kingdom. He is also a Fellow of Higher Education Academy, UK, and can be reached via firstname.lastname@example.org; twitter: @moshoke
May 3, 2021
It’s easy to assume that the data protection principles, especially transparency, rely on or end at publishing privacy notices on websites. A proper transparency methodology, carefully mapped into the data protection framework, can vault a company ahead of its competition by improving its reputation and increasing customer loyalty. Those with well-defined transparency, flawless execution and skilful integration of the transparency principle can enjoy substantial returns on investment (ROI).
But if transparency is a core principle, and needs masterful execution, what should company stakeholders pay attention to when implementing transparency? First, let’s explain transparency before answering the question. Transparency requires “that information and communication relating to the processing of personal data be understandable, accessible, clear and easy to understand.”
If, as a data subject, you go to a company’s privacy notice, for instance, to get some detailed information about how they process your personal information and end up feeling confused and unable to get what you are looking for, then the aim of transparency is defeated. Transparency requires that customers can find the information they need without being pushed into further confusion.
There are certain elements that stakeholders, therefore, must employ when executing the transparency principle.
The first element requires concise, intelligible and easily accessible information. This element means presenting information in a way that is efficient and concise to avoid information fatigue. For example, in an online context, instead of letting data subjects go through long privacy notices, companies can employ a layered privacy notice that allows data subjects to navigate to a particular section of the privacy notice. This enables the data subject to go straight to the information they want. The intelligible factor means that an average member of the intended audience understands the information, and that the data subject should know in advance what the scope and consequences of processing their data entail.
The easy access element means that the data subject should not have to seek out the information; it should be easy to locate. For example, on certain websites it is hard for data subjects to find where the privacy notice is, which is bad practice. Good practice means a data subject can quickly notice where the privacy notice is on a website without much hassle.
Another element focuses on clear and plain language. The company should consider how communication with the data subjects would be most effective. The language requirement is critical here. It makes no sense to communicate with customers in language that they would find confusing. For example, saying “We may use your data to develop new services,” as seen in many privacy notices, is wrong. It is unclear what the services are or how the data will help develop them. A good practice would be “We will retain your shopping history and use details on the products you have purchased to make further suggestions to you.” Here, the customer knows what data the company collects and what it will be used for in the future.
It is good practice to avoid using these language qualifiers: may, might, some, often, and possible. When companies use these qualifiers, they should demonstrate that doing so is in line with the principle of accountability, which means they can show why the use of that language pushes the transparency agenda.
Timing for provision of information. Providing information on time is a vital element of the transparency obligation and the obligation to process data fairly. The information must be provided “at the time when personal data are obtained.” Data controllers or companies must inform data subjects or direct them to the correct information within a reasonable period after obtaining the personal data. For example, a customer enters his bank details on a Learnfly Academy website and later finds out that he can’t remove those details without going through a very rigorous administrative process. The data controller fails to inform data subjects about this and, therefore, fails to meet the transparency principle.
There are so many other elements that make the transparency execution excellent. Company stakeholders or data controllers should seek professional advice. The context of each situation must be gauged, including the potential impact it could have on the data subject. Transparency as a principle plays a critical role in any data protection framework and deserves utmost attention.