The General Data Protection Regulation (GDPR) sets out eight fundamental rights of individuals in respect of their personal data: the right to be informed, the right of access, the rights of rectification and erasure, the right to restriction of processing, the right to data portability, the right to object and the rights relating to automated decision-making (including profiling).
The right to be informed of the processing of personal data exists under the current Data Protection Act 1998 (DPA) but the GDPR sets out in much greater detail what information must be provided to individuals (data subjects) and when such information must be provided. Although the guidance on the GDPR from the Information Commissioner's Office (ICO) is not yet complete, many organisations have started updating their existing privacy notices in order to include the additional information requirements. However, that is only one part of compliance with the right to be informed - organisations also need to consider their processes to ensure that these new privacy notices are provided to the data subjects at the appropriate times.
Article 13 of the GDPR applies where the personal data is received directly from the data subject. In those circumstances, the relevant data protection information must be provided to the individual "at the time when the personal data are obtained" (i.e. immediately) and the only exception to this is where the data subject already has the information. This sole exception means that where there is an ongoing relationship (e.g. an existing customer or an employee), the organisation does not need to provide the privacy notice at every interaction. Rather, the organisation must supply the information on first contact and whenever there is a change to the privacy notice or to the processing activities.
Article 14 of the GDPR applies where the personal data is not received directly from the data subject, for example where a potential employer receives a CV from a recruitment agency rather than directly from the applicant. The recipient organisation is obliged to provide the necessary data protection information at the earliest of: within one month of receiving the data, on first communication with the data subject or, where applicable, on first disclosure to a third party. In the recruitment example, this would mean that if the potential employer emails the applicant to acknowledge receipt of the CV, they would need to provide a privacy notice at that stage. If the potential employer does not email to acknowledge receipt, they would need to provide a privacy notice in any event within one month of receipt of the CV. If the potential employer sends the CV to another company within the same group, they would need to provide the notice at the time of such disclosure.
There are several exceptions to the requirement to provide information under Article 14 of the GDPR, including where the data subject already has the information, where the provision of information seriously impairs the objectives of the processing (e.g. a bank complying with anti-money laundering regulations), where the processing is required by law (e.g. HMRC obtaining PAYE employee data) or where there is an obligation of professional secrecy (e.g. doctors or lawyers acting in their professional capacity). The ICO has not yet commented on the scope of these exceptions, but, as a result of the principle of transparency which runs throughout the GDPR, they are likely to be strictly interpreted to the benefit of the data subject.