'Transparency': The Extras
Gemma Haines, Vickie Guilloit, Steve Wright & Emma Butler discuss Transparency

It's always a genuine pleasure to host Data Matters on a Friday afternoon–it's basically a catch up with old friends, chatting about a subject close to our hearts.

Our most recent session on Transparency was a good case in point–in fact it was one of our most-watched episodes so far and had the most questions asked. You can catch the episode here.

As you'll see, we ran out of time before we could answer all of your questions, and Emma Butler and Gemma Haines were determined to address a couple more–so a big thank you to them for their time on Friday and for going 'above and beyond' here...

Q: Can you tell me if the right to access your data, as a data subject, would entail a right to access metadata as well?

GH: Yes, and in fact this is an area least touched on in most cookie policies and is much trickier to manage. When a user consents they will be assigned a consent ID which will be stored in the cookie of the chosen cookie tool. This is random and will be regenerated every time a user clears their cookies and re-consents. To locate and provide this data you will need this consent ID which can be found in the inspect element of a browser. Dependent on how your chosen cookie tool works, you should then be able to identify the category of cookie consented to and the data should reside in the data collection point used (e.g. Google Analytics).

Q: What actions should a data controller take following an update to their privacy statement to bring it to the attention of the data subject? Mail shots can be expensive and lead to fatigue.

GH: My first piece of advice is to keep privacy notices simple and wide enough to cover most of your processing, where possible. I am not suggesting that you make it so wide that you aren’t doing what you say, but keeping this just 'wide enough' will limit your need for change. In terms of methods for notifying, emails provide the means for you to demonstrate that you have informed your customers but are more of a tick box; another acceptable method could be a banner or just-in-time notices on your website.

Q: What role do you think icons and images should play in privacy notices? Do you think they would help, or hinder, the requirement to be transparent?

EB: I'm not a fan of icons to represent headings or privacy concepts. It would be impossible to agree on a set of common icons, so they can hinder by confusing people and taking away from what you are trying to communicate. They can pretty-up a privacy notice as a design feature, but I don't think they work well as a replacement for clear text. 

Q: Do the panel find privacy notices helpful? I’m fortunate to work in the area so can read through them OK, but in my opinion they introduce more concern rather than confidence as it is more about how organisations share data, not how they protect it, not to mention that the notices are never embedded as part of the customer experience when, for example, buying a product or service. It’s just stuck on at the end of the process or hidden in small font at the bottom of a web page.

EB: They are one part of how you do transparency. The focus of their content may change depending on the organisation in question. In some cases, the sharing might be more relevant than the security measures; in others, the opposite. I also think there are limits to how far you can explain to the average person all the security measures you have in place. I don't think it would be helpful to an individual to list all your measures like your change management policy, how you restrict access to systems, physical office security, encryption, datacentre security, and so on. And you also need to be careful not to reveal anything that could allow someone to get around or hinder any of your measures. As I said on the livestream, the privacy notice shouldn't be the primary way you communicate data collection and use.

If you have questions for any of our special guests on our upcoming shows on Data Security, Retention and Deletion Policies, Awareness & Training, Records of Processing Activities or Vicarious Liabilities–or indeed if you'd like to appear in our Autumn season–then please do get involved by signing up today: https://bit.ly/DataMattersSignUp


Gemma Haines

Group Data Protection Officer at Bourne Leisure Ltd

4 years ago

Thanks so much for having me Steve!
