Reflections on Transparency

In the beginning (well Article number 5 but close to the beginning) there is the 1st Principle of the General Data Protection Regulations or GDPR to give it the shorthand. The 1st Principle goes like this, “Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject”. Note the use of the word ‘shall’, it means that it isn’t an option! Helpfully, to support all articles contained in the regulations, there is accompanying guidance called a ‘recital’ which accompanies it and provides context to what the article actually requires to achieve compliance. In this case, recital 39 is where we find out more. To avoid eyes glazing over, I’ll summarise Recital 39 and identify some salient points.

Processing should be transparent to natural persons (you and me)
The principle of transparency requires that any information and communication relating to the processing of personal data is easily accessible, easy to understand and in plain English
Natural persons should be made aware of risks, rules, safeguards and rights in relation to the processing of personal data and how to exercise those rights
In particular, the specific purposes for which personal data are processed should be explicit and legitimate and determined at the time of collection of the personal data.
In particular, ensuring that the period for which the personal data are stored is limited to a strict minimum.

There’s other stuff too, about committing to the data being adequate and relevant to the purpose it’s collected, accurate, kept secure and confidential etc. At this point, you’re probably wondering what the point of this article actually is, well it’s about the increasing use of templated privacy notices. I’ve developed a habit of looking at Privacy Notices on web sites and find myself being pretty dismayed at the overwhelming amount that are obviously downloaded from a web resource and pasted into a website. At best the business owner (Data Controller) has tried to personalise it to their business and at worst, the privacy notice bears no resemblance of the processing activity being undertaken. This isn’t transparency, far from it and I’m left wondering why organisations pay such little regard to it. The thing is, being transparent is, in my view, a key ingredient of demonstrating accountability, something that is explicitly required to comply with the requirements of the GDPR. Transparency is defined as the quality of being clear and transparent and providing clarity, so a privacy notice that outlines the full range of lawful basis conditions, indeterminate retention periods and is held together with the words ‘may’ and ‘might’, creates the opposite to transparency, which is opacity. Also relevant is the fact that these notices must be communicated in a way that is easy to understand and in clear and plain language, not in legalese terms. The GDPR looks at data protection and privacy from the viewpoint of the data subject, not the data controller or processor. Personal data is provided for a purpose not given away for without a regard for its security or privacy. For some reason, personal data isn’t attributed the same degree of monetary value in daily life as physical assets are. Consequently, being absolutely transparent about what is done with that information and how it is kept private and secure doesn’t seem to warrant the effort it must be lawfully afforded. In 2015, MBA@UNC published a study of the value of personal data to legitimate data brokers in the USA. Data brokers buy and sell data for the purposes of marketing activities, risk management and people search. Just nine of these companies generated $426 million in revenue in 2012, see full analysis here https://onlinemba.unc.edu/blog/data-brokers-infographic/ The opposite of this legitimate monetising of personal data is the criminal use of it. Simon Migliano at Top10VPN, https://www.top10vpn.com/privacy-central/privacy/dark-web-market-price-index-feb-2018-us/ blogs about research his organisation undertook on the Dark Web, in an effort to determine the value of personal data in the underworld.

The results were interesting in that per person, the value of our data (in US terms) is $1200.00 in total. One reason for the seemingly low figure could be that there is such a substantial amount of stolen data available, that the market forces have suppressed the value. What is also of note, is that the aggregation of small and seemingly insignificant pieces of data together creates a much more valuable offering. Migliano talks about “a popular type of listing here (Dark Web) is what are known as “Fullz”. These bundles of “full” identifying information, sometimes are either packaged with financial details or sold separately. We found listings featuring individuals’ name, billing address, mother’s maiden name, social security number, date of birth and other personal data”. There is much more evidence that substantiates the value of personal data. The law (GDPR), requires every one of us who uses personal data in our enterprises, to treat in accordance with that law because it safeguards that data and controls its commercial use as well as mitigating against harm caused by illegal use of it. Let’s not forget how GDPR supports a basic Human Right too. Article 8 of the European Convention on Human Rights provides a right to respect for one’s “private and family life, his home and his correspondence”, subject to certain restrictions that are “in accordance with law” and “necessary in a democratic society”. The use of templated solutions such as pre-populated Privacy Notices might be tempting to use for a number of reasons, maybe cost, advocated by a ‘professional membership’ association, ignorance of the law, provided as part of a web package. But, they do not reach a sufficiently high enough bar to demonstrate your accountability and so I contend that they are not compliant with the GDPR requirements. It’s in everyone’s interest that data controllers demonstrate compliance and the Information Commissioners Office (ICO) provide guidance and a check list as to what specifically is required here. Alternatively, get in touch here

Cookie	Duration	Description
_ga	2 years	This cookie is installed by Google Analytics. The cookie is used to calculate visitor, session, camapign data and keep track of site usage for the site's analytics report. The cookies store information anonymously and assigns a randoly generated number to identify unique visitors.
_ga_*	1 year 1 month 4 days	Google Analytics sets this cookie to store and count page views.
_gid	1 day	This cookie is installed by Google Analytics. The cookie is used to store information of how visitors use a website and helps in creating an analytics report of how the wbsite is doing. The data collected including the number visitors, the source where they have come from, and the pages viisted in an anonymous form.
GPS	30 minutes	This cookie is set by Youtube and registers a unique ID for tracking users based on their geographical location
sbjs_current	session	Sourcebuster sets this cookie to identify the source of a visit and stores user action information in cookies. This analytical and behavioural cookie is used to enhance the visitor experience on the website.
sbjs_current_add	session	Sourcebuster sets this cookie to identify the source of a visit and stores user action information in cookies. This analytical and behavioural cookie is used to enhance the visitor experience on the website.
sbjs_first	session	Sourcebuster sets this cookie to identify the source of a visit and stores user action information in cookies. This analytical and behavioural cookie is used to enhance the visitor experience on the website.
sbjs_first_add	session	Sourcebuster sets this cookie to identify the source of a visit and stores user action information in cookies. This analytical and behavioural cookie is used to enhance the visitor experience on the website.
sbjs_migrations	session	Sourcebuster sets this cookie to identify the source of a visit and stores user action information in cookies. This analytical and behavioural cookie is used to enhance the visitor experience on the website.
sbjs_session	1 hour	Sourcebuster sets this cookie to identify the source of a visit and stores user action information in cookies. This analytical and behavioural cookie is used to enhance the visitor experience on the website.
sbjs_udata	session	Sourcebuster sets this cookie to identify the source of a visit and stores user action information in cookies. This analytical and behavioural cookie is used to enhance the visitor experience on the website.

Cookie	Duration	Description
IDE	2 years	Used by Google DoubleClick and stores information about how the user uses the website and any other advertisement before visiting the website. This is used to present users with ads that are relevant to them according to the user profile.
NID	5 months	This cookie is used to a profile based on user's interest and display personalized ads to the users.
PREF	8 months	PREF cookie is set by Youtube to store user preferences like language, format of search results and other customizations for YouTube Videos embedded in different sites.
VISITOR_INFO1_LIVE	5 months	This cookie is set by Youtube. Used to track the information of the embedded YouTube videos on a website.
VISITOR_PRIVACY_METADATA	6 months	YouTube sets this cookie to store the user's cookie consent state for the current domain.
yt.innertube::nextId	never	YouTube sets this cookie to register a unique ID to store data on what videos from YouTube the user has seen.
yt.innertube::requests	never	YouTube sets this cookie to register a unique ID to store data on what videos from YouTube the user has seen.

Cookie	Duration	Description
yt-player-headers-readable	never	The yt-player-headers-readable cookie is used by YouTube to store user preferences related to video playback and interface, enhancing the user's viewing experience.
yt-remote-cast-available	session	The yt-remote-cast-available cookie is used to store the user's preferences regarding whether casting is available on their YouTube video player.
yt-remote-cast-installed	session	The yt-remote-cast-installed cookie is used to store the user's video player preferences using embedded YouTube video.
yt-remote-connected-devices	never	YouTube sets this cookie to store the user's video preferences using embedded YouTube videos.
yt-remote-device-id	never	YouTube sets this cookie to store the user's video preferences using embedded YouTube videos.
yt-remote-fast-check-period	session	The yt-remote-fast-check-period cookie is used by YouTube to store the user's video player preferences for embedded YouTube videos.
yt-remote-session-app	session	The yt-remote-session-app cookie is used by YouTube to store user preferences and information about the interface of the embedded YouTube video player.
yt-remote-session-name	session	The yt-remote-session-name cookie is used by YouTube to store the user's video player preferences using embedded YouTube video.
ytidb::LAST_RESULT_ENTRY_KEY	never	The cookie ytidb::LAST_RESULT_ENTRY_KEY is used by YouTube to store the last search result entry that was clicked by the user. This information is used to improve the user experience by providing more relevant search results in the future.

Recent Posts

Archives

CaPS Compliance

CaPS Privacy

CaPS Secure

About Us

0330 2020 601

contact@caps-ltd.co.uk

Freedom Works, Spectrum House, Beehive Ring Road, Crawley, West Sussex, RH6 0LG