After covering the seven rights people have under UK GDPR, we’ll begin to dive into each one in further detail. The first one is the right to be informed. The aim is to provide people with clear and concise information about what organisations do with their personal data.
What to say
What organisations need to tell people differs slightly depending on whether they collect personal data from the individual it relates to or obtain it from another source.
Articles 13 and 14 of the UK GDPR specify exactly what people have the right to be informed of. Generally, you must make sure to provide the following information:
- The name and contact details of your organisation,
- The name and contact details of your representative,
- The contact details of your data protection officer,
- The purposes of the processing,
- The lawful basis of the processing,
- The legitimate interests of the processing,
- The categories of personal data obtained,
- The recipients or categories of recipients of the personal data,
- The details of transfers of the personal data to any third countries or international organisations,
- The retention periods for the personal data,
- The rights available to individuals in respect of the processing,
- The right to withdraw consent,
- The right to lodge a complaint with a supervisory authority, and
- The details of the existence of automated decision-making, including profiling.
If the personal data was collected from the data subject, you must inform them of whether they are under a statutory or contractual obligation to provide the personal data.
If the personal data was obtained from other sources, you must inform the data subject of the source of the data.
When to inform
Every time you collect someone’s data from them, you must provide them with the above information.
If the information is collected from a third party, you must inform the people concerned within a ‘reasonable period’ of obtaining it, and no later than a month. If you use the collected data to get in contact with them (e.g. collecting email addresses from a third party to send marketing emails), then you must inform them within that initial communication.
You must always actively provide the privacy information listed above. It can be placed on your website, or somewhere else with easy access, but you must make data subjects aware of the information and its location.
Next week, we’re covering the right of access, and if you want any more information on what to tell people, how to tell them, or any other advice on dealing with data privacy rights, feel free to contact us.