
Utilising ‘Recognised Notifiable Purposes’ (RNPs) to Support Data Subjects.

  • Writer: Joe Stock
  • Feb 13

As data protection laws in the UK have evolved, so too have the requirements around transparency. Controllers are required to provide a wide range of information to individuals, commonly through Privacy Notices. Yet this raises an important question: in attempting to meet these requirements, are we at risk of burying key information? And, if so, how can essential details about impactful processing activities be highlighted in a way that is genuinely more meaningful and helpful to data subjects?

How we got here.

Whilst the Data Protection Act 1984 enabled individuals to ask whether personal data was held, the first specific requirements around general proactive provision of information appeared in the Data Protection Act 1998 (DPA98).

The first principle of the DPA98 required that data be processed fairly and lawfully. Whilst there was no explicit reference to ‘transparently’, Schedule 1, Part 2, Paragraph 2 stated that processing could only be considered ‘fair’ where a subset of information was provided. This was:

‘(a) the identity of the data controller,
(b) if he has nominated a representative for the purposes of this Act, the identity of that representative,
(c) the purpose or purposes for which the data are intended to be processed, and
(d) any further information which is necessary, having regard to the specific circumstances in which the data are or are to be processed, to enable processing in respect of the data subject to be fair.’

Whilst there were few exemptions to this, this paved the way for the creation of what came to be known as ‘Fair Processing Notices’ (FPNs). The information required by law to be on an FPN was limited, but they reinforced that transparency supported establishing fairness. It placed responsibility on controllers to determine what individuals needed to be informed about to achieve that fairness.

This law was supported by regulatory guidance, and the 2016 Information Commissioner’s Office (ICO) Code of Practice on communicating privacy information to individuals gave some examples of other information that could be provided. Some of these, such as notification of the right of access, became mandated in the next iteration of data protection law, the General Data Protection Regulation (GDPR).

Setting Fair Expectations

This 2016 ICO Code of Practice noted ‘Therefore the main elements of fairness include.. using information in a way that people would reasonably expect. This may involve undertaking research to understand people’s expectations about how their data will be used;’.

This theme around expectation was also raised in the Article 29 Working Party (WP29) guidance on transparency under GDPR, adopted in November 2017, which made several mentions of data subject expectations and ensuring there were no surprises.

2018 – the ‘Next Gen’ data protection law

GDPR evolved the concept that fair processing required transparency into making transparency a requirement in its own right. The first principle became that processing must be ‘fair, lawful and transparent’.

Further, it brought more explicit requirements for provision of information through Articles 12, 13 and 14 and supporting WP29 guidance on transparency.
This presented an interesting challenge - to provide a varying level of technical information to individuals ‘..in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child’.

This information has primarily been provided through documents commonly referred to as ‘Privacy Notices’. The level of success/effort put into ensuring this information is ‘concise transparent intelligible…’ etc. has varied significantly. There are some very good examples of layered privacy notices genuinely aimed at helping individuals understand how their data is used, whilst there are also those at the other end of the spectrum, written in inaccessible legalese.

For the most part, however, privacy notices have now been established to follow a common structure with the same feel, and distinguishing expected from unexpected processing can require digging through significant detail. When we sign up to a service or get employed by an organisation, there are certain expectations that we have about how our data will be used. It is this standard, expected processing that makes up the majority of privacy notices, but it could be argued that this distracts the data subject from key information about unexpected processing.

This raises the question - is there a way we can take transparency obligations back to their roots, to provide an extra safeguard to support data subjects for data processing which they may not necessarily expect?

Establishing ‘Recognised Notifiable Purposes’

GDPR Article 6(1)(f) allows processing when it is in the legitimate interests of the controller or third party, as long as there are no overriding interests of the data subject. The Data (Use and Access) Act 2025 introduced some specific ‘Recognised Legitimate Interests’, where an assessment of overriding interests was not required.

A similar approach could be taken to support fairness, transparency and expectations, with the creation of ‘Recognised Notifiable Purposes’ (RNPs).

RNPs would be statutory categories of processing that must be clearly flagged or identified within transparency information.
Examples could include:
- workplace surveillance;
- use of personal data to train AI;
- denial of service;
- processing considered ‘high risk’ in line with Article 35 Data Protection Impact Assessment considerations; or
- processing activities which fall under the Article 36 Prior Notification requirement.

This is not necessarily an entirely new concept. GDPR requires organisations to explicitly call out when automated decision-making occurs, and the WP29 guidance explicitly links this back to expectations: ‘…and the general principle that data subjects should not be taken by surprise by the processing of their personal data, equally apply to profiling generally (not just profiling which is captured by Article 22), as a type of processing’. I personally think this approach works well – it makes it clear, with no ambiguity, whether such processing occurs.

The introduction of RNPs could also put into statute controls noted in both the GDPR recitals and WP29 guidance. These recommend providing information to help individuals understand the risks and consequences of processing, including ‘unexpected processing’ (Recital 39 / Paragraph 10 of WP29 guidance).

Counter Arguments

There are a number of valid opposing arguments for such a proposal.

“Processing activities must already be listed, what does this add?”
The most obvious is that the current requirement is that each processing activity must already be detailed, so what extra would this add? The counterpoint to this would be that the law does not set out the detail required of the processing notification. How many privacy notices state processing is done ‘to provide the service’ or ‘improve the service’ – but what does this actually mean to data subjects? The inclusion of RNPs would not mean every detail of all processing needed to be included, but that these specific processing purposes were called out.

“Employee monitoring and other such practices already have guidelines.” 
You could also argue that for specific processing purposes, such as employee monitoring, there are already regulatory guidelines that support direct notification to data subjects. Whilst this is true, this is fairly limited for broader purposes of processing, and RNPs would put this on a statutory footing.

“Less is more.”
The new EU Digital Omnibus (EUDO) has recently looked at transparency requirements through a different lens. Whilst the RNP approach looks at adding requirements, the EUDO goes the other way and looks to increase the exemption to transparency when processing is ‘non-data-intensive, non-complex and where the controller collects a low amount of personal data’. This approach could be argued to be more 95/46/EC-like (the directive DPA98 was formed from), putting the onus on organisations to ensure data subjects have the required information for it to be ‘fair’. I think this approach has merits in certain circumstances, and a mix of RNPs and reduced noise for expected processing could be a joint approach to support data subjects across the board.

There would also be a need to establish what exactly the RNPs are, taking in the views of data subjects, data protection professionals and wider research.

Conclusion


RNPs would not replace detailed Article 12, 13 and 14 requirements. While the current legal framework sets the foundations, the real-world application does not always ensure that people can easily identify the processing activities that matter to or impact them most. By clearly highlighting high‑impact or unexpected uses of data, RNPs would help individuals make more informed choices and help organisations demonstrate genuine commitment to fairness.
 
 