In the beginning (well, Article number 5, but close to the beginning) there is the 1st Principle of the General Data Protection Regulations, or GDPR to give it the shorthand. The 1st Principle goes like this: “Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject”. Note the use of the word ‘shall’: it means that it isn’t an option! Helpfully, to support all articles contained in the regulations, there is accompanying guidance called a ‘recital’, which provides context on what the article actually requires to achieve compliance. In this case, Recital 39 is where we find out more. To avoid eyes glazing over, I’ll summarise Recital 39 and identify some salient points.
- Processing should be transparent to natural persons (you and me)
- The principle of transparency requires that any information and communication relating to the processing of personal data is easily accessible, easy to understand and in plain English
- Natural persons should be made aware of risks, rules, safeguards and rights in relation to the processing of personal data and how to exercise those rights
- In particular, the specific purposes for which personal data are processed should be explicit and legitimate and determined at the time of collection of the personal data
- In particular, the period for which the personal data are stored should be limited to a strict minimum