Most organisations failing to inform users about use of their personal data

The ICO has led a global investigation of website privacy communications on behalf of the Global Privacy Enforcement Network (GPEN) and found many organisations’ data protection practices are lacking.

Globally, GPEN came to the conclusion that in relation to privacy communications, organisations tended to be vague, and lacked specific details. A majority of organisations reviewed also demonstrated failures in:

• specifying how and where information would be stored;
• adequately explaining whether data would be shared with third parties and what information would be shared;
• providing users with a clear means of removing their personal data from a website;
• making it clear how a user could access data held about them; and,
• providing information on the safeguarding of data.

The findings come as instant messaging giant WhatsApp has received a further warning from the Article 29 Working Party, which found that the information provided on WhatsApp’s privacy policy was “seriously deficient as a form of consent.” It also did not inform users that by agreeing to the terms and conditions, they would be agreeing to their personal data being shared with Facebook group companies. There are also concerns that WhatsApp users are unable to freely consent to data being shared and the Working Party have requested that the company introduces these controls in order to comply with the GDPR.

Clearly, many companies worldwide still have a long way to go to meet upcoming GDPR requirements. These requirements are not only applicable to organisations based within the EU, but also those that do business within the EU. The UK government has confirmed that despite Brexit, the GDPR will apply to the UK.