One of Jisc’s activities is to monitor and, where possible, influence regulatory developments that affect us and our customer universities, colleges and schools as operators of large computer networks. Since Janet and its customer networks are classified by Ofcom as private networks, postings here are likely to concentrate on the regulation of those networks. Postings here are, to the best of our knowledge, accurate on the date they are made, but may well become out of date or unreliable at unpredictable times thereafter. Before taking action that may have legal consequences, you should talk to your own lawyers. NEW: To help navigate the many posts on the General Data Protection Regulation, I've classified them as most relevant to developing a GDPR compliance process, GDPR's effect on specific topics, or how the GDPR is being developed. Or you can just use my free GDPR project plan.


Article 29 WP draft on Transparency

Monday, December 18, 2017 - 13:34

The Article 29 Working Party has published its draft guidelines on transparency. For those of us who have already been working on GDPR privacy notices, there don’t seem to be any surprises: this is largely a compilation of the relevant sections of the Regulation and other guidance. In particular, it seems to have been strongly influenced by the UK Information Commissioner’s guidance on Privacy Notices.

Transparency is required in three areas: providing information to data subjects to ensure processing is fair; informing data subjects about their rights; and facilitating the exercise of those rights. Most of the guidelines deal with the first of these, commonly known as privacy notices or fair processing notices. Although the guidelines don't explicitly admit the tension between the GDPR requirements to be "concise" and also "specific", they do suggest how to prioritise information. Data subjects must always be informed of the processing that will have most impact on them, and especially any processing or consequences that may surprise them. This matches the Information Commissioner's view that telling people the blindingly obvious is not a priority! However, data controllers should avoid the temptation to rely on vague wording; a number of words and phrases are singled out as undesirable, including "to develop new services", "for research purposes" and "for personalisation". In the on-line context, layered notices are repeatedly mentioned as a possible solution, though with a possibly new twist that such notices should allow individuals not just to choose the level of detail, but also the specific areas they want information about.

Finally, there's a reminder that existing notices should be reviewed before May 25th, and pages 31-35 have a table (less pretty, but containing more detail, than the Information Commissioner's version) of the information required in different circumstances.