02 February 2020
This wide-sweeping set of privacy regulations went into effect in May 2018 and its ramifications have been virtually global.
In the off-chance that you haven't heard about this impending harbinger of global privacy compliance, here are a few of the basic facts:
The answer is a resounding yes. As proven by the Privacy Shield that passed in 2016, the United States government is fully prepared to cooperate in the enforcement of privacy laws enacted by the EU.
Any business that collects even anonymous information from EU residents will be subject to GDPR compliance and, in the event of noncompliance, hefty fines.
Those fines may be as high as €20 million or 4% of yearly revenue for the most severe cases.
Unless you can be absolutely sure that no EU resident will ever wander onto your website or mobile application, it would be prudent to comply.
With a sweeping set of regulations distributed over multiple articles and documents, the GDPR requirements can be a bit confusing, to say the least. We'll take you through it, step by step.
Those are a few things to remember as you get started. Below you will find a detailed list of the minimum requirements that apply to the average business:
In order to ensure compliance, it may be necessary to perform an internal analysis on the personal information you currently hold. If ever a customer reports a problem with your privacy measures, you may be asked the following questions by the Information Commissioner's Office (ICO):
Under the GDPR, user rights are outlined explicitly. Your customers have the right to:
According to the above provisions, your website or mobile application must provide a clear, easily accessible method for customers to view and make changes to their personal information.
They also must be provided with a way to request their information in writing, free of charge.
IAPP provides multiple avenues for users to access and make changes to their information:
In order to collect or process the personal data of any individual, you must have a "legal basis" to do so. If you cannot prove a legal basis for obtaining or processing data, it will be deemed unlawful by the ICO.
The first and most common legal basis for collecting personal data is user consent. If you have the express consent of your users to collect and record their data and have the means to document and prove that consent, then all is well.
Here is a comprehensive consent form provided as an example by the ICO:
Sky Telecommunications employs a much simpler yet still sufficient method. Note the checkboxes at the bottom that require user consent:
As demonstrated by this list from the ICO website, you can see that the other legal bases for processing personal data are:
In other words, you must request active user consent before collecting even so much as an IP address.
Consent must be actively given, usually by means of a checkbox or clicked agreement. Websites are approaching this in a variety of ways. The most common is a floating dialogue box that lets visitors know why data is being collected via cookies, includes a link to the Privacy and/or Cookies Policy, and features a button or checkbox that confirms agreement.
Evidon is an excellent example with this pop-up cookie notice on the homepage that requires active consent via an "Accept" button or a link to easily change cookie settings:
In the case of a data breach, several actions must take place:
One important note regarding data breaches: If the breach occurred due to security negligence on the part of the business, then that business may be the subject of penalties and fines.
Whether your business has 2 employees or 550, you will be expected to educate them on the new privacy protocols under the GDPR.
Any individual that has access to the personal information of users must be made aware of the following:
One of the statutes of the GDPR states that: "You must implement appropriate technical and organisational measures that ensure and demonstrate that you comply. This may include internal data protection policies such as staff training, internal audits of processing activities, and reviews of internal HR policies."
Although this does not apply to every business, it is a good idea to check if you need a Data Protection Officer (DPO). This is a position hired within your organization or on a consulting basis to monitor the handling of personal data and ensure compliance with the GDPR.
This requirement will apply to public authorities, data processing firms, health organizations, and the like. To find out more about who this applies to, go to the ICO website.
Here's how Thunderhead includes information about its DPO in its Data Protection and Security Policy:
While your DPO clause doesn't have to be so extensive and can simply include contact information, this clause does a really great job of going above and beyond requirements to really help users understand the DPO role and how it affects them.
The last two statutes required by the GDPR may or may not apply to your business. See below and click through to research further if you think one of these may apply to you:
The wealth of information and preparatory measures listed above may seem daunting. Here are a few examples of GDPR-compliant businesses and their Privacy Policies to use as guidance:
The Data Protection Network (DPN) is a shining example of compliance, as would be expected given the nature of their business. Here are a few things to take note of:
Note that they mention the phrase "with your permission" several times. This is to reiterate the legal basis of user consent for collecting user information:
DPN meets marketing opt-out requirements by explaining clearly how to opt out of unwanted communications, as well as how to access a copy of user personal information.
Although not as squeaky-clean as the DPN, Waitrose has made visible and methodical efforts to comply with GDPR regulations.
As soon as you access the site, Waitrose sends a cookie notification at the header of the page. The only thing missing here is an active consent button, but it does include a link to learn more about cookies:
Here, Waitrose lays out instances in which they may need to share user data with third parties, along with their reasons for doing so. They then go on to a brief description of their cookie usage, along with a link to their Cookies Policy and instructions on how to change cookie preferences:
Aldo Shoes is another impeccable example of GDPR compliance. Navigation to their website reveals a prominent cookies notice with active consent at the header:
They go on to describe the types of information they collect and what it is used for:
Aldo describes how they share personal data with third parties and why:
They provide clear opt-out instructions for marketing communications:
And finally, they give the user complete direction on how to access or make changes to their personal information:
If you'd like to investigate the GDPR further and how it applies to you, visit EUGDPR.org for a complete guide.