Transparency
Any information or communication in relation to data processing must be easily accessible and clear to understand.
Explanation
Under data protection regulations, organisations are responsible for clearly and fully communicating the data processing that takes place when data subjects use their services or products.
Best Practice
- Offer bite-sized chunks of information during the data collection process that explain what each data field can be used for.
- Offer granular consents (for any type of data collected, i.e. PII and cookies) and an easy way for users to update these (i.e. a preference centre).
- At the very least include a distinct section in the organisation's privacy notice and make it intuitive for the users to navigate there, e.g. by providing the contents of the privacy notice and linking them to the relevant section.
How We Measure
- Consumer understanding (via surveys etc.)
- Tracking complaints and legal actions (reactive and could be detrimental to a brand)
- Assessment via third parties and auditors to prove compliance with the transparency principle (among others)
- Governance procedures: constantly monitoring the use of new tools and the implementation of new strategies
- Audit trail of consent given (type of consent, date, channel)
Examples:
When a customer signs up to a service and their mobile phone number is requested, it should be made clear to them, either during registration or via the published Privacy Notice, why their mobile phone number is required and how it will be used. By extension, if the relying party shares the customer's mobile phone number with other organisations that could in turn be using the data for other purposes, it must be made clear who those parties are, why they require the data and what they use it for.