It seems fitting that on Data Privacy Day, a day designed to raise awareness of privacy issues (and not, as reported by Wikipedia, an international public holiday), we touch on the issue of “transparency”, that is, how to ensure individuals understand how their data is being processed. The EDPS, in its 14th January Opinion, describes transparency of processing as being of paramount importance for individuals, because only “if individuals know about data processing, can they exercise their rights”.
Within Europe the processing principles already embody “transparency” in a number of guises. For example, it is generally accepted that for data processing to be considered “fair and lawful” individuals must understand, via notice or otherwise, what that processing involves. The EDPS suggests that this does not go far enough, and that there is a need to be more prescriptive and impose legal obligations on businesses to provide information to individuals which is “easily accessible and easy to understand, and in clear and plain language”.
This can be a hard standard to achieve in practice. Conveying information about the use of personal data in a simple and easy-to-read form, whilst being comfortable that legal requirements have been met and internal risks mitigated, is a dark art. However, technology helps. In the online world, a layered wiki approach can provide a more flexible solution, with consumer-facing plain English up front, linked to more detailed and legalistic provisions.
Whether or not lawmakers decide to legislate for plain English and clarity, it is something all businesses should strive for. It reduces the risk of complaints by consumers, which makes commercial sense and means you are more likely to escape the scrutiny of the regulator.
When drafting privacy notices, test them out with real people who are unfamiliar with your products / services and the law, and see if they understand what is happening with their data; if they don’t, rewrite them.