Right to Be Informed Explained: What Organizations Must Tell You About Your Data
This article is part of our Data Subject Rights series, explaining individual rights under the NDPA, GDPR, and global data protection laws.
Why the Right to Be Informed Matters
Every time you sign up for an app, open a bank account, shop online, or even visit a website, your personal data is being collected. Names, phone numbers, email addresses, IP addresses, location data, and even behavioral patterns are processed daily—often without users fully understanding what is happening behind the scenes.
The Right to Be Informed exists to fix this imbalance.
It is the foundation of data protection laws worldwide, including the Nigeria Data Protection Act (NDPA) and the EU General Data Protection Regulation (GDPR). Without this right, individuals cannot meaningfully exercise other rights such as access, rectification, or erasure.
In simple terms, the Right to Be Informed answers one critical question:
“What exactly is being done with my personal data?”
What Is the Right to Be Informed?
The Right to Be Informed requires organizations to clearly, transparently, and proactively tell individuals how their personal data is collected, used, stored, shared, and protected.
This information must be provided:
- Before or at the point of data collection, or
- Within a reasonable time, if the data was obtained from another source.
Hidden disclosures, vague wording, or legal jargon buried deep in privacy policies do not meet this standard.
Laws That Guarantee the Right to Be Informed
The Right to Be Informed is not optional—it is legally enforceable.
Under GDPR
Articles 13 and 14 of the GDPR mandate that data controllers provide specific information to data subjects in a clear and accessible manner.
Under Nigeria’s NDPA
The NDPA similarly requires data controllers to inform individuals about:
- The purpose of processing
- The legal basis
- Their rights as data subjects
- How to lodge complaints with a supervisory authority
This alignment shows Nigeria’s commitment to global data protection standards.
What Information Must Organizations Tell You?
Organizations must disclose key details about their data practices. The table below summarizes the minimum required disclosures under GDPR and NDPA.
Mandatory Information Organizations Must Provide
| Information Category | What It Means for You |
|---|---|
| Identity of Controller | Who is collecting your data |
| Purpose of Processing | Why your data is needed |
| Legal Basis | Whether processing is based on consent, contract, legal duty, etc. |
| Types of Data | What specific data is being collected |
| Data Sharing | Who else will receive your data |
| Data Retention | How long your data will be kept |
| Your Rights | Access, rectification, erasure, objection, etc. |
| Automated Decisions | Whether algorithms or profiling affect you |
| Complaint Rights | How to contact a Data Protection Authority |
If any of these elements are missing or unclear, the organization may already be in violation of the law.
Real-World Example: Cookie Banners Done Wrong
Many websites claim compliance by displaying cookie banners that say:
“By continuing to use this site, you accept cookies.”
This approach is legally insufficient.
Why?
- It does not explain what data is collected
- It does not name third parties
- It does not explain purposes
- It does not give meaningful choice
European regulators have repeatedly fined companies for vague or misleading cookie disclosures, reinforcing that transparency is not optional.
When Must You Be Informed?
Timing matters as much as content.
You Must Be Informed:
- At data collection, when you submit a form, sign up, or install an app
- Within a reasonable time, if your data was obtained indirectly
- Before any new purpose, if your data will be reused differently
Silence or delayed disclosure breaks trust and violates the law.
Why Transparency Builds Trust (and Avoids Fines)
According to regulatory enforcement trends, a significant percentage of data protection penalties globally stem from lack of transparency, not hacking incidents.
Organizations that fail to properly inform users face:
- Regulatory fines
- Reputational damage
- Loss of customer trust
- Increased complaints and investigations
On the other hand, clear and honest disclosures:
- Reduce legal risk
- Improve user confidence
- Increase consent acceptance rates
- Strengthen brand credibility
Transparency is both a legal duty and a competitive advantage.
Case Study: Social Media Platforms and Transparency Failures
Several global social media platforms have faced regulatory scrutiny for:
- Vague privacy notices
- Complex language unreadable to average users
- Failing to explain targeted advertising practices
Regulators concluded that if users cannot realistically understand how their data is used, the Right to Be Informed has been violated—regardless of whether a privacy policy exists.
This shows that clarity, not just disclosure, is the real legal standard.
Common Ways Organizations Violate the Right to Be Informed
Many violations happen unintentionally but still attract penalties.
Common mistakes include:
- Copy-paste privacy policies
- Overly legalistic language
- Missing contact details
- Failure to update notices when practices change
- Hiding disclosures behind multiple clicks
Compliance requires ongoing attention, not a one-time policy upload.
How Individuals Can Enforce This Right
If you believe an organization has not properly informed you, you can:
- Request clarification directly from the organization
- Ask for their privacy notice or data processing details
- Escalate the issue to a Data Protection Authority
- Exercise related rights such as access or objection
The Right to Be Informed empowers individuals to ask better questions—and demand better answers.
Best Practices for Organizations
To meet both legal and ethical standards, organizations should:
- Use plain, simple language
- Present notices in layers (summary + full policy)
- Update disclosures regularly
- Make notices easily accessible
- Train staff on transparency obligations
Privacy by design starts with honest communication.
Frequently Asked Questions (FAQs)
Is a privacy policy enough to satisfy the Right to Be Informed?
Not always. The information must be clear, accessible, and understandable—not just available.
Can organizations change how they use my data without telling me?
No. Any new purpose requires fresh disclosure and, in some cases, new consent.
Does this right apply to employees?
Yes. Employees are also data subjects and must be informed about how their data is processed.
What if I never consented?
Even when consent is not the legal basis, organizations must still inform you.
Final Thoughts
The Right to Be Informed is the gateway to all other data subject rights. Without transparency, consent is meaningless, trust collapses, and accountability disappears.
In an era where personal data fuels digital economies, being informed is no longer optional—it is a fundamental right protected by law.
Understanding this right empowers individuals and forces organizations to act responsibly, ethically, and lawfully.
Citations
- EU General Data Protection Regulation (GDPR), Articles 13 & 14
- Nigeria Data Protection Act (NDPA), Transparency and Fair Processing Provisions



