Proper Notice, Choice, and Purpose Limitation: Keeping it Clear and Simple within GDPR Obligations

Post Date: 07/27/2016

Under the EU General Data Protection Regulation (GDPR) obligations, companies must provide clear notice to their customers of the purpose for which their data is being collected and consent must be “freely given, specific, informed and unambiguous.” This is an incredibly important requirement for organizations to understand, which can be broken down into two parts, or concepts: Notice and Opt-in (Choice).

What is a privacy notice?

A privacy notice is a statement made to a data subject that describes how the organization collects, uses, retains and discloses personal information. Sadly, however, most privacy notices are complex multi-page documents written to satisfy corporate legal obligations, authored by attorneys, and intelligible to almost no one. Most people (including me) cannot remember the last time they fully read and understood a privacy policy, yet we click “accept” all the time. Privacy policies have in fact made us a nation of liars!

However, under the new EU GDPR obligations, privacy policies must be clear, concise and understandable. Privacy notices should clearly and effectively communicate complex and important information to people with basic education, which can help promote consumer understanding and save a company time and money.

What does Choice mean according to the GDPR?

Opt-in is the idea that information sharing will not occur unless consumers affirmatively allow it or request it. Opt-out is when businesses give consumers an opportunity to refuse sharing of information about themselves – with the presumption that they will choose to share their information. The consumer must take action to change that selection. Thus, in the Opt-out scenario, the default is that you have agreed to share all of your information. If you don’t want to do so, you must proactively inform the business.

This is an incredibly important requirement for participating organizations to understand. This will very directly impact how they collect information, record the purpose for which that information was collected, and then store, use, and share that information. For example, if a company collects customer data to provide technical support, they must clearly state that reason for collection. The data subject must proactively opt in to allow his or her data to be collected for that purpose.

What can GDPR participants do with this data?

Once the company receives that data, it can use the data only for that limited purpose. The only exception is if it has obtained specific and explicit permission from the customer to use the information for other purposes. As the company stores the data in its systems, the data needs to be clearly marked (for example with a metatag recording the consented purpose) so that it is not inadvertently combined with other data where it might be used for a different purpose.

This is particularly important to note for organizations that regularly share customer data with external parties, especially where that sharing is not related to the original data collection purpose. It may also have implications for companies that hold data collected over a period of time and are later subject to a merger or acquisition.

Also, the Opt-in requirement means that many organizations will need to create layered consent mechanisms demonstrating that an individual has chosen to have data shared with third parties, or to use the data for a separate purpose. As many organizations collect data (and obtain consent) through their websites or through an internet portal, this will require a major revamp of current consent mechanisms and Opt-in/Opt-out practices. This will of course be true for in-person or non-web based consent forms as well.
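The purpose tag and layered opt-in described above, as an added illustration that is not part of the original post or of any AvePoint product: each record carries the set of purposes the data subject explicitly opted in to, the default is no consent, a new purpose needs its own opt-in before it is added, and every grant, use and denial is logged so the organization can show the policy was actually operationalized. The class, method and purpose names (`PurposeLimitedStore`, `technical_support`, `marketing`) are hypothetical.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set


class PurposeViolation(Exception):
    """Raised when data is collected without opt-in or used outside its consented purpose."""


@dataclass
class Record:
    subject_id: str
    data: dict
    purposes: Set[str]                               # purpose tags the subject opted in to
    audit: List[str] = field(default_factory=list)   # evidence trail of collection and use


class PurposeLimitedStore:
    """Hypothetical store: every record is tagged with its consented purposes."""

    def __init__(self) -> None:
        self._records: Dict[str, Record] = {}

    def collect(self, subject_id: str, data: dict, purpose: str, opted_in: bool) -> Record:
        # Opt-in model: the default is no consent, so silence never counts as agreement.
        if not opted_in:
            raise PurposeViolation(f"{subject_id}: no opt-in for '{purpose}', nothing collected")
        rec = Record(subject_id, dict(data), {purpose}, [f"collected for '{purpose}'"])
        self._records[subject_id] = rec
        return rec

    def add_consent(self, subject_id: str, purpose: str, opted_in: bool) -> None:
        # A separate, explicit opt-in is required before a further purpose joins the tag.
        if not opted_in:
            raise PurposeViolation(f"{subject_id}: no opt-in for '{purpose}'")
        rec = self._records[subject_id]
        rec.purposes.add(purpose)
        rec.audit.append(f"consent added for '{purpose}'")

    def use(self, subject_id: str, purpose: str) -> dict:
        # Purpose limitation: the tag on the record decides, not the caller's intent.
        rec = self._records[subject_id]
        if purpose not in rec.purposes:
            rec.audit.append(f"DENIED use for '{purpose}'")
            raise PurposeViolation(f"{subject_id}: '{purpose}' not in {sorted(rec.purposes)}")
        rec.audit.append(f"used for '{purpose}'")
        return dict(rec.data)

    def audit_trail(self, subject_id: str) -> List[str]:
        # The trail is what lets the organization prove the policy was enforced.
        return list(self._records[subject_id].audit)
```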

What can you do to prepare for GDPR obligations?

Examine your existing privacy policy. The GDPR requires that you not only create policies that meet its mandate, but that you operationalize those policies and be able to prove that you’ve done so. Write a clear privacy policy that consumers will actually be able to read and understand.

Give consumers a choice about whether or not to provide data. You need to clearly indicate what personal information you are requesting and/or collecting from consumers, give them a choice about whether or not to provide it, and then clearly mark the data you have collected with that specific purpose. This means that you cannot leave your policies to chance or luck.



Dana Louise Simberkoff is the Chief Risk, Privacy and Information Security Officer at AvePoint. She is responsible for AvePoint’s privacy, data protection, and security programs. She manages a global team of subject matter experts that provide executive level consulting, research, and analytical support on current and upcoming industry trends, technology, standards, best practices, concepts, and solutions for risk management and compliance. Ms. Simberkoff is responsible for maintaining relationships with executive management and multiple constituencies both internal and external to the corporation, providing guidance on product direction, technology enhancements, customer challenges, and market opportunities. Ms. Simberkoff has led speaking sessions at data privacy and security events around the globe. She was featured in Forbes, writes a monthly column for CMSWire, and was highlighted in the CSO Online list of “12 Amazing Women in Security”. She is a current member of the Women Leading Privacy Advisory Board and a past member of the Education Advisory Board for the International Association of Privacy Professionals (IAPP). Ms. Simberkoff holds a BA from Dartmouth College and a JD from Suffolk University Law School.
