Three Steps to Transparency Heaven

June 2022

A strategic approach to transparency

Transparency is enshrined in one of the key data protection principles: Principle (a): Lawfulness, fairness and transparency….

You must be clear, open and honest with people from the start about how you will use their personal data. 

There’s also a requirement to consider a data protection by design and default approach. Taking this approach legitimately requires some planning and clear communication between teams about which data is used for what. 

It’s obvious that most companies can pull together a privacy notice. However, as with many things to do with GDPR, creating engaging communications which deliver the correct information in a digestible format appears easier said than done.

Recent fines related to lack of transparency

In May we saw a €4.2m fine for Uber by the Italian Data Protection Authority (the Garante) for data protection violations. Amongst other things, the privacy notice was incorrect and incomplete, there were not enough details on the purposes of processing, and the data subject’s rights had not been spelled out.

Earlier this year, Klarna Bank AB was fined by the Swedish Data Protection Authority (IMY) for lack of transparency. 

Be warned, the regulators are taking a look at these documents.

Step 1: Creating your Privacy Notice

Privacy notices have become rather formulaic since 2018 and my colleague Phil wrote a handy checklist of what must and should be included. Take note and have a look to see if you have ticked all the boxes. 

Step 2: Housekeeping your Privacy Notice

The privacy notice is a dynamic document. Keeping it up to date is important. 

  • New data processing activities: Make sure you’re made aware of new technology, new teams, new business processes which may all generate new data processing activities that need to be notified. 
  • Record of Processing Activities: Create a routine to keep your RoPA up to date and to ensure that any changes are clearly flagged to the DP team.
  • Regulatory changes: Review any change in regulatory guidance. International data transfers are a perfect case in point where the guidance has changed. Changes may necessitate an update to your privacy notice.
  • Supplier due diligence: Review your supplier arrangements – are they carrying out new data processing activities which need to be captured in the notice? Are new suppliers in place and have they been audited/reviewed?
  • Marketing innovations: Ask your marketing team about their plans as digital marketing developments move at breakneck speed. The use of AI for targeting and segmentation, innovations in digital advertising as well as the evolution of social media platforms all present privacy challenges. In addition, you may need to inform consumers of material changes. 

Step 3: Breathing life into your Privacy Notice

It’s a marketing challenge to get people to pay attention to the privacy notice.

  • Use different communication methods – not everyone likes reading long screeds of text. Look at creative communication methods such as infographics, videos, cartoons to get the message across. Channel 4 are an exemplar as are The Guardian.
  • Use plain English – whenever you write it down, make sure it’s couched in terms your target audience will understand. Various reports place average reading age as 8, 9 or 11. Plain English, short sentences, easy to understand words should be deployed to get your message across.
  • Include information tailored to different target audiences: Companies will sometimes carry out data processing for clients, for consumers and for employees. Trying to cram all this information into one document makes it nigh on impossible for anyone to understand what’s going on. Separate it out and clearly signal what’s relevant to each group.
  • Use layers of communication – the ICO advocates a layered approach to communicating complicated messages. If you create a thread through your messages from clear top-level headlines with clear links to additional information, there’s a higher chance of achieving better levels of comprehension.
  • Keep it short and sweet – having read some of the documents produced by corporates, I am struck by how repetitive they can be. Not only do you lose the will to live, but comprehension levels are low and confusion levels are high. All of which is rather unhelpful.
  • Be upfront and transparent – do not obfuscate and confuse your audience. Although it can feel scary to tell individuals what is happening with their personal data, audiences appreciate the openness when processing is explained clearly. They need to know what’s in it for them. 

Overall, this is a major marketing challenge. Explaining how you use personal data is an important branding project which allows a company to reflect their values and their respect for their customers.

The marketing teams need to get close to their privacy colleagues and use their formidable communication skills to make these important data messages resonate and make sense.

Four years on from GDPR, now is a good time to take a look at your privacy notice to see if it needs a refresh.