In the beginning (well, Article 5, but that is close to the beginning) there is the 1st Principle of the General Data Protection Regulation, or GDPR to give it its shorthand. The 1st Principle, in Article 5(1)(a), goes like this: "Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject". Note the use of the word 'shall': it means that it isn't optional.
Helpfully, the articles of the Regulation are preceded by numbered 'recitals', which explain the reasoning behind the articles and provide context for what each one actually requires to achieve compliance. Recitals are not themselves binding rules, but regulators and courts use them to interpret the articles. In this case, Recital 39 is where we find out more.
To avoid eyes glazing over, I’ll summarise Recital 39 and identify some salient points.
- Processing should be transparent to natural persons (you and me)
- The principle of transparency requires that any information and communication relating to the processing of personal data is easily accessible, easy to understand, and written in clear and plain language (for a UK website, that means plain English)
- Natural persons should be made aware of risks, rules, safeguards and rights in relation to the processing of personal data and how to exercise those rights
- In particular, the specific purposes for which personal data are processed should be explicit and legitimate, and determined at the time the personal data are collected
- In particular, the period for which the personal data are stored should be limited to a strict minimum
There's other stuff too, about the data being adequate, relevant and limited to what is necessary for the purpose it was collected for, kept accurate, and kept secure and confidential.
At this point you're probably wondering what the point of this article actually is. Well, it's about the increasing use of templated privacy notices. I've developed a habit of reading the Privacy Notices on websites, and I find myself pretty dismayed at the overwhelming number that have obviously been downloaded from a web resource and pasted into the site. At best, the business owner (the Data Controller) has tried to personalise it to their business; at worst, the privacy notice bears no resemblance to the processing activity actually being undertaken. This isn't transparency, far from it, and I'm left wondering why organisations pay so little regard to it.
The thing is, being transparent is, in my view, a key ingredient of demonstrating accountability, something Article 5(2) of the GDPR explicitly requires of the controller. Transparency means being clear and open about what you do and why. A privacy notice that lists every lawful basis in Article 6 without saying which one applies, gives indeterminate retention periods, and is held together with the words 'may' and 'might' creates the opposite of transparency, which is opacity. Also relevant is the requirement that these notices be communicated in a way that is easy to understand and in clear and plain language, not in legalese.
The GDPR looks at data protection and privacy from the viewpoint of the data subject, not the data controller or processor. Personal data is provided for a purpose; it is not given away without regard for its security or privacy. For some reason, personal data isn't attributed the same degree of monetary value in daily life as physical assets are. Consequently, being absolutely transparent about what is done with that information and how it is kept private and secure doesn't seem to warrant the effort that the law says it must be afforded.
In 2015, MBA@UNC published a study of the value of personal data to legitimate data brokers in the USA. Data brokers buy and sell data for the purposes of marketing, risk management and people search. Just nine of these companies generated $426 million in revenue in 2012; see the full analysis here: https://onlinemba.unc.edu/blog/data-brokers-infographic/
The flip side of this legitimate monetising of personal data is its criminal use. Simon Migliano at Top10VPN, https://www.top10vpn.com/privacy-central/privacy/dark-web-market-price-index-feb-2018-us/, blogs about research his organisation undertook on the Dark Web in an effort to determine the value of personal data in the criminal underworld.
The results were interesting: per person, the total value of our data (in US terms) came to $1,200.00. One reason for the seemingly low figure could be that there is such a substantial amount of stolen data available that market forces have suppressed the price.
What is also of note is that aggregating small and seemingly insignificant pieces of data creates a much more valuable offering. Migliano writes: "a popular type of listing here [on the Dark Web] is what are known as 'Fullz'. These bundles of 'full' identifying information sometimes are either packaged with financial details or sold separately. We found listings featuring individuals' name, billing address, mother's maiden name, social security number, date of birth and other personal data".
There is much more evidence that substantiates the value of personal data. The law (GDPR) requires every one of us who uses personal data in our enterprises to treat it in accordance with that law, because the law safeguards that data and controls its commercial use, as well as mitigating the harm caused by illegal use of it. Let's not forget that the GDPR supports a basic human right too. Article 8 of the European Convention on Human Rights provides a right to respect for one's "private and family life, his home and his correspondence", subject to certain restrictions that are "in accordance with the law" and "necessary in a democratic society".
Templated solutions such as pre-populated Privacy Notices might be tempting for a number of reasons: cost, advocacy by a 'professional membership' association, ignorance of the law, or simply because one came bundled with a web package. But they do not reach a high enough bar to demonstrate your accountability, and so I contend that they are not compliant with the GDPR's requirements.
It's in everyone's interest that data controllers demonstrate compliance, and the Information Commissioner's Office (ICO) provides guidance and a checklist on what specifically is required in a privacy notice. Alternatively, get in touch.