The UK GDPR sets out seven principles. The first states that an organisation must process personal data lawfully, fairly and in a transparent manner in relation to individuals. Those individuals have the right to be informed about the collection and use of their personal data, and by informing them you are being transparent under the UK GDPR.
- The name and contact details of your organisation
- The name and contact details of your representative
- The contact details of your data protection officer
- The purposes of the processing
- The lawful basis for the processing
  - contractual obligation
  - legal obligation
  - vital interest
  - performance of a public task
  - legitimate interest
- The categories of personal data obtained
- The recipients or categories of recipients of the personal data
- The details of transfers of the personal data to any third countries or international organisations
- The retention periods for the personal data
- The rights available to individuals in respect of the processing
- The right to withdraw consent
- The right to lodge a complaint with a supervisory authority
- The source of the personal data
- The details of whether individuals are under a statutory or contractual obligation to provide the personal data
- The details of the existence of automated decision-making, including profiling
The message is simple: if you are processing someone’s personal data, they have a right to know about it.
Requirement of law, safeguarding
Article 12 of the UK GDPR states that organisations need to provide any information relating to the processing of an individual’s personal data.
Articles 13 and 14 of the UK GDPR go on to explain what individuals have the right to be informed about.
Third party services
Customers are interested in their privacy
The UK GDPR came into existence solely so that individuals can have control and rights over their personal data. So why wouldn’t they be interested? Everyone cares how their personal data is being used and why. With technology now at such an advanced level and continuously evolving, the risks of identity theft are also heightened; an inconvenience that no one wishes to experience. Statistics show that people are more sceptical and wary about how their personal data may be compromised.
The European Data Protection Supervisor reinforces the message of the GDPR, stating, ‘one of the aims of the GDPR is to empower individuals and give them control over their personal data. The GDPR has a chapter on the rights of data subjects (individuals) which includes the right of access, the right to rectification, the right to erasure, the right to restrict processing, the right to data portability, the right to object and the right not to be subject to a decision based solely on automated processing.’
Article 4(2) of the GDPR describes ‘processing’ as ‘any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means...’
If you’re collecting personal data, then yes. You should make sure you check whether you’re inadvertently collecting personal data, as this can often be unclear. Websites and applications often collect data via cookies. These are unique identifiers as they can be used independently or combined with other data to identify someone. As a result, it’s considered personal data collection under the GDPR. A data mapping exercise will help identify personal data you are collecting from your users, including third parties who need to process billing information.