On 2 February the ICO announced that it had published a new code of practice relating to privacy notices, transparency and control, which aims to keep pace with the increasingly complex digital landscape and also take into account the broader transparency rules under the GDPR. The ICO’s current guidance dates from 2010.
‘Transparency’ under the GDPR
Although organisations are already required to provide certain details in relation to the identity of the data controller and the purposes for which the data is being collected, the GDPR will increase the amount of information which must be provided to individuals, including the rights available to them, information on data transfers and the source of the data. All information must be presented in a concise, transparent, intelligible and easily accessible form, using clear and plain language and tailored to the specific audience (including children). Organisations which fail to meet these requirements face a fine of up to 4% of worldwide annual turnover.
Key changes in the new code
- The new code recommends a more blended and innovative approach to privacy notices and suggests a variety of techniques such as embedding appropriate explanations at each stage of data collection, pop-up notifications/reminders and the use of symbols and explanatory videos.
- An increased emphasis on giving the individual control over how their data is used, with a focus on tools such as privacy dashboards.
- New sections which address the communication of privacy notices on mobiles and other small screens and Internet-of-Things devices, which specify that individuals should not have to zoom in to read information, and highlight the importance of a layered approach where there is restricted space.
- An emphasis on privacy notices as part of the big picture, highlighting the need for privacy by design and the use of privacy impact assessments.
- A focus on what should be included in privacy notices when dealing with ‘big data’.
- The inclusion of best practice standard wording for seeking consent for marketing.
Consultation and next steps
The ICO is seeking views on the new code, and you have until 24 March to submit a response. In addition, the ICO is proposing to develop a suite of resources to support the code, such as a tool to automatically generate a privacy notice and examples of ‘just-in-time’ privacy notifications, layered privacy policies and dashboard tools. The ICO will be amending the code again once the final GDPR text is approved, as well as overhauling other guidance, including updating the ‘Guide to data protection’ to include advice on the transparency and provision of information requirements under the GDPR.