Transparency at the heart of the new EU Data Protection Regulation | Fieldfisher

Transparency at the heart of the new EU Data Protection Regulation

03/02/2012
Transparency is fundamental to the existing European data protection framework. The law already places extensive obligations on organisations to be open and honest about the ways that they use information about individuals. However, the draft EU Data Protection Regulation unveiled by the European Commission last week gives this issue a reinvigorated central role.

We are of course familiar with today's requirements to provide information as to:

-    The identity of the data controller (or any representative).

-    The purposes for which the data is being collected and processed.

-    Any further information needed to ensure that the data is processed fairly.

But the Commission (and needless to say the data protection authorities) want to expand that list to cover the following additional information:

-     The specific "legitimate purposes" of the controller, where the processing is based on this legal ground.

-     The period for which the personal data will be stored.

-     The different rights available to individuals established by law.

-     The right to complain to a data protection authority and the contact details of the authority.

-     Whether the personal data will be transferred internationally.

-     Whether the provision of personal data is obligatory or voluntary (when collected directly from individuals).

-     The source of the data (when collected from third parties).

At a time when less is more and clarity is everything, this extended requirement poses a tricky challenge.

If we add to the mix the expectation that any information relating to the processing of personal information must use clear and plain language which is tailored to the relevant audience and must also be easily accessible, it is obvious that most organisations will be faced with the daunting prospect of undertaking a full-scale review of their public-facing documents and policies to meet the renewed transparency requirements.

One could take the view that nobody bothers to read privacy policies, but the possibility of fines of up to €500,000, or up to 1% of annual worldwide turnover for some enterprises, for breaches of this obligation is incentive enough for organisations to get a head start on their review of such policies and procedures now.
