The essentials

Rule 2 of 4

You now know you are required to collect as little data as possible (rule 1). The second core rule is about being open: transparency.

Personal data
  1. Data minimisation (completed)
  2. Transparency (this module)
  3. Security
  4. Rights of data subjects
Introduction

Transparency

Communicate and raise awareness. People have the right to know which data you use about them, how, and why. And you have the duty to tell them clearly.

What you will learn in this module
  • Why you must communicate proactively and in plain language
  • Which documents come with this
  • Who you communicate to and how long you may retain data
Theory · 1 of 4

Plain, human language

You must communicate in specific, understandable terms, suited to your audience.

So: no over-complex sentences and no vague, catch-all legal language. Write as you would speak to a customer.

Remember

If your audience does not understand your privacy notice, you do not meet the transparency rule, no matter how legally correct it is.

Theory · 2 of 4

Be proactive

You do not wait for someone to ask, you must inform proactively. In practice:

  • A privacy notice on your website: which data you process, how and why, and the rights of data subjects. The privacy notice is the document that sets out these points; tailor it to your own business, because a generic template is not enough.
  • A separate staff privacy notice, as an annex to the employment contract. It explains which data you process as an employer (pay, appraisals, attendance, …), why, for how long, and which rights your employees have.
  • A data processing agreement where you share data, e.g. with software suppliers. This is an agreement with the parties that process personal data on your behalf (your processors).
  • Internal awareness, e.g. annual GDPR training for all staff.
You are doing great! 🎉

By taking this course you are already working on that awareness. Pass it on to your colleagues so the whole team is on board.

Theory · 3 of 4

Transparent to whom? And how long may you keep data?

All stakeholders

Existing and future stakeholders: customers and prospects, employees and applicants, suppliers and prospective suppliers, and third parties of every kind.

Retention period

Communicate clearly how long you retain data per process, and do not keep it longer than strictly necessary. Example: unsuccessful job applications you delete after 18 months.

Theory · 4 of 4

In practice: how to approach it

  • Provide a customer and a staff privacy notice, specific to your own business.
  • Maintain a records-of-processing register: a simple overview that lists which personal data you use and for what. It is the foundation for being transparent and for demonstrating compliance.
  • Have a data processing agreement where you share data with third parties.
  • Have managers and staff complete annual GDPR awareness training.
Example · 1 of 2

“Did my web developer not take care of this?”

Case 1 A generic privacy policy + cookie banner

“My web developer put a privacy policy and a cookie pop-up online, so I am GDPR-compliant, he said.”

Not enough. Transparency requires you to specifically document which personal data you use, and the how and why around it. A generic privacy policy and a cookie pop-up will not cut it.
Example · 2 of 2

“We keep everything, just in case”

Case 2 Keeping job applications for years

“We keep applications from candidates we did not select ‘just in case’ for years.”

Too long. Do not retain longer than strictly necessary and communicate the retention period. Unsuccessful applications, for example, you delete after 18 months.
Practice · question 1 of 2
"My web developer put up a generic privacy policy and a cookie banner. Am I compliant with the transparency rule?"
Correct: a generic privacy notice and a cookie pop-up are not enough. Transparency requires a specific description of your processing activities, tailored to your own business.
Practice · question 2 of 2
"What does the GDPR say about how long you keep personal data?"
Correct: do not keep data longer than necessary for the purpose, and be transparent about the retention period for each process.
Summary

What you take away from module 4

  • Communicate proactively and in plain, human language, suited to your audience.
  • Provide a customer and a staff privacy notice, a records-of-processing register, and data processing agreements where you share data.
  • Inform all stakeholders: customers, prospects, employees, applicants, suppliers, and third parties.
  • Communicate the retention period and do not keep data longer than strictly necessary.
Module complete

Module 4 complete 🎉

You now know how to communicate transparently and which documents come with that. In module 5 we look at the third rule: security.

4 of 8 modules

On your way to your “GDPR essentials for SMEs” certificate

Complete all 8 modules and pass the final exam (at least 70%) to receive a personal certificate in your name, with a verifiable code.

  • Modules 1-4: complete
  • Modules 5-8: not yet complete
  • Final exam ≥ 70%: not yet complete