This informal CPD article, ‘Are you meeting Data Protection transparency requirements?’, was provided by Essex County Council, the local authority for Essex, who have a vision for Essex to be a county where individuals, families and communities can thrive and prosper.
The Data Protection Act 2018 applies the UK GDPR (General Data Protection Regulation) standards. This legislation places specific requirements on those processing personal data for business reasons to be transparent about their use of personal data. Let’s look at the specifics. Transparency means being open and honest with people about why you are using their personal data, so it is not used in ways they would not expect. Transparency is fundamentally linked with fairness.
The right to be informed
The UK GDPR provides the individual with the right to be informed. This right is set out in Articles 13 and 14. To comply with the law you need to ensure that you:
- Tell individuals how you use their personal data, including: your purposes for processing their personal data, how long you will hold and use that personal data, and who it will be shared with.
- Provide this information to individuals when you collect their personal data from them.
- Provide individuals with privacy information within a reasonable period of obtaining the data and no later than one month if you did not collect it directly from them.
- Provide the information in a way that is concise, transparent, intelligible, easily accessible, using clear and plain language.
- Consider using a combination of different techniques including layering, dashboards, and just-in-time notices.
- Regularly review and, where necessary, update your privacy information. You must bring any new uses of an individual’s personal data to their attention before you start the processing.