February 27, 2018, by Richard Hyde
GDPR – Information Requirements
One of the important goals of the General Data Protection Regulation is ensuring that data subjects know about the processing of their data and the rights that they have under the Regulation. Therefore, businesses that process personal data must provide notices to data subjects that inform them about the data that is being collected. The requirements governing these notices are set out in article 13 of the GDPR.
First, the notice must set out the name of the data controller, which will be the business or organisation that decides what data will be collected and how. It is important to remember that in some cases there will be multiple data controllers, and if there are, all should be named on the notice. Second, the data protection officer (‘DPO’) should be named and contact details provided. Each data controller must nominate a DPO before May. Third, the notice must identify why the data is being processed. If the data is being used for a number of different reasons, each of these should be set out in the notice. If a purpose for processing the data is not identified in the notice the data controller may not be able to undertake such processing. Therefore, businesses need to look into the future to determine the reasons for processing that may arise. However, businesses must bear in mind the principle of data minimisation, which means that only data that is relevant to the purposes identified should be collected. Once the reasons for processing are identified, the notice must also identify the legal basis for processing. the possible legal bases are set out in article 6 of the GDPR. Explicit consent is one possible basis, but others include that data is necessary for the performance of a contract (so it will be necessary to collect address data to dispatch goods sold online by post) or is necessary for the compliance with a legal obligation. If the basis for processing is the legitimate interests of the data controller, the specific interest relied upon must be identified. Finally, where the information is to be transferred to a third party, the potential recipients of the data should be identified.
Other information must be provided if it is necessary to ensure fair and transparent processing. For example, information on the length of time that data will be retained should be set out in the notice. This period should be “no longer than is necessary for the purposes for which the personal data are processed.” Details of the data subjects rights should be included. All of this information should be provided “concise, transparent, intelligible and easily accessible form, using clear and plain language.” where the data subject is likely to have particularly weak language skills, for example because they are a child, the notice should be written so that a child can understand it. Some thought has been given to using pictures to help understanding.
In the run up to may businesses need to revisit the notices that they provide to data subjects, and amended them to ensure that informed decisions can be made about whether and how data will be provided and processed.