What is the right to be informed and why is it important?

The transparency requirements of the UK GDPR create a number of overarching legal obligations for how you collect and use people’s personal data. The right to be informed encompasses some of the primary requirements in this area. It is about being open with people and providing them with clear and concise information about what you do with their data.

Articles 13 and 14 specify the types of information that you need to provide individuals with; we call this ‘privacy information’.

If you only obtain personal data as part of simple transactions, then it should be relatively straightforward for you to develop a clear and effective way to provide privacy information.

However, more complex uses of data can make it more difficult to convey all the required information, especially if you try to contain it in a single notice. The UK GDPR recognises this and allows you to use several different techniques to deliver the information.

Further Reading

Relevant provisions in the UK GDPR - See Articles 12-14 and Recitals 58-62

Further reading – ICO guidance

Further reading – European Data Protection Board

The European Data Protection Board (EDPB), which has replaced the Article 29 Working Party (WP29), includes representatives from the data protection authorities of each EU member state. It adopts guidelines for complying with the requirements of the GDPR. EDPB guidelines are no longer directly relevant to the UK regime and are not binding under the UK regime. However, they may still provide helpful guidance on certain issues.

WP29 adopted guidelines on Transparency, which have been endorsed by the EDPB.

Why is it important?

Being open and upfront about what you do with their personal data helps you to deal with people in a clear and transparent way and empower them. This makes good sense for any organisation and is key to developing trust with individuals. Fostering trust in this way can help to improve the public’s confidence in public sector institutions, while private sector organisations can use it as a means of distinguishing themselves from their competitors.

Using personal data in ways that are invisible to people can create risks. It can leave people unaware of uses of their personal data that may lead to discrimination or disadvantage, and prevents them from exercising their rights. Being transparent helps to mitigate against these risks. Actively telling people about your use of their personal data will help them retain control over it and anticipate the potential consequences of its use.

Combining the provision of privacy information with preference management tools, such as a dashboards, not only helps to empower individuals to understand what you do with their personal data, but also to exercise a degree of control over that processing. If individuals have more choice and are more engaged in what you do with personal data, you may be able to obtain more useful information from them. In turn, this can assist you to deliver better and more effective products and services. Providing privacy information also helps you with your broader compliance.

How can it help our broader compliance?

The right to be informed is not an end in itself and you should not treat it as a tick-box exercise just to achieve compliance with Articles 13 and 14 of the UK GDPR. Providing individuals with privacy information in meaningful ways will also support compliance with a number of other provisions in the UK GDPR such as:

• Fairness – Fairness is about using personal data in a way that people would reasonably expect and considering what effects it may have on them. Drafting privacy information can encourage you to think more carefully about the impact and consequences of your processing. Making sure that what you tell people is clear and understandable will help to shape people’s expectations about what you do with their data.
• Purpose limitation – The principle of purpose limitation says that you must have specified, explicit and legitimate purposes for what you do with personal data, and any further use of the data must be compatible with those purposes. Privacy information that clearly and concisely sets out what you do with personal data will help you meet these requirements. It will also be useful to consult when you are assessing the compatibility of any further uses of that data.
• Consent – When relying on consent as your lawful basis for processing, one of the key elements is that it must be informed. Although requirements for consent requests are separate to the requirements for privacy information, there are clear links between the two. In both cases, providing people with clear and easy to understand information about who you are and what you plan to do with their personal data will help you to be more confident that people are properly informed.
• Legitimate interests – When relying on legitimate interests as your lawful basis for processing, you take on extra responsibility for protecting people’s right and interests. Making sure that people understand and reasonably expect what you do with their personal data is key to relying on this lawful basis. Providing clear, intelligible privacy information will help you do this.

Further Reading

Relevant provisions in the UK GDPR - See Articles 4(11), 5(1)(a)-(b), 6(1)(a) and 6(1)(f), and Recitals 32, 39 and 47

Further reading – ICO guidance