Last updated on 22 December 2020 by Jaclyn Kilani (Legal writer at TermsFeed)
Are your business privacy practices and Privacy Policy compliant with the European Union's new General Data Protection Regulation (GDPR)?
This wide-sweeping set of privacy regulations went into effect in May 2018 and its ramifications have been virtually global.
In the off chance that you haven't heard about this harbinger of global privacy compliance, here are a few of the basic facts:
The answer is a resounding yes. As proven by the Privacy Shield that passed in 2016, the United States government is fully prepared to cooperate in the enforcement of privacy laws enacted by the EU.
Any business that collects even anonymous information from EU residents will be subject to GDPR compliance and, in the event of noncompliance, hefty fines.
Those fines may be as high as €20 million or 4% of yearly revenue for the most severe cases.
Unless you can be absolutely sure that no EU resident will ever wander onto your website or mobile application, it would be prudent to comply.
With a sweeping set of regulations distributed over multiple articles and documents, the GDPR requirements can be a bit confusing, to say the least. We'll take you through it, step by step.
First off, here are a few points to remember regarding your Privacy Policy:
Our Privacy Policy Generator makes it easy to create a Privacy Policy for your business. Just follow these steps:
Enter the email address where you'd like the Privacy Policy delivered and click "Generate."
You'll be able to instantly access and download your new Privacy Policy.
Those are a few things to remember as you get started. Below you will find a detailed list of the minimum requirements that apply to the average business:
In order to ensure compliance, it may be necessary to perform an internal analysis on the personal information you currently hold. If ever a customer reports a problem with your privacy measures, you may be asked the following questions by the Information Commissioner's Office (ICO):
Do you have the answers to these questions? If so, are all of these topics addressed in your Privacy Policy? If you are not able to answer the above questions with confidence and include all of the above information in your Privacy Policy, then an internal privacy analysis will be in order, followed by an update to your Privacy Policy.
Aldo does an excellent job of summarizing all of these points concisely in its Privacy Policy:
Under the GDPR, user rights are outlined explicitly. Your customers have the right to:
According to the above provisions, your website or mobile application must provide a clear, easily accessible method for customers to view and make changes to their personal information.
They also must be provided with a way to request their information in writing, free of charge.
IAPP provides multiple avenues for users to access and make changes to their information:
Once your system has the correct functionality in place, your Privacy Policy will need to be updated in a similar fashion, with sections outlining the following:
Box, Inc. includes all of the above points in their Privacy Policy 'Choices' section:
In order to collect or process the personal data of any individual, you must have a "legal basis" to do so. If you cannot prove a legal basis for obtaining or processing data, it will be deemed unlawful by the ICO.
The first and most common legal basis for collecting personal data is user consent. If you have the express consent of your users to collect and record their data and have the means to document and prove that consent, then all is well.
Here is a comprehensive consent form provided as an example by the ICO:
Sky Telecommunications employs a much simpler yet still sufficient method. Note the checkboxes at the bottom that require user consent:
As this list from the ICO website shows, the other legal bases for processing personal data are:
One or more of the legal bases listed above must be documented in order to legally collect or record the personal information of consumers. Your legal basis for collecting information should also be mentioned within your Privacy Policy.
Spotify mentions express consent in this paragraph of its Privacy Policy:
This may be one of the most significant changes to the way you approach data collection. According to the GDPR, user consent of personal data collection must be "freely given, specific, informed, and unambiguous." This includes the collection of anonymous data through the use of cookies.
In other words, you must request active user consent before collecting even so much as an IP address.
Passive methods of user consent known as browsewrap - for example, terminology like "by continuing to use our site you automatically agree to our use of cookies" - will no longer be considered valid consent.
This paragraph in Roald Dahl's Cookie Policy, for example, is not considered active consent:
Consent must be actively given, usually by means of a checkbox or clicked agreement. Websites are approaching this in a variety of ways. The most common is a floating dialogue box that lets visitors know why data is being collected via cookies, includes a link to the Privacy and/or Cookies Policy, and features a button or checkbox that confirms agreement.
Evidon is an excellent example with this pop-up cookie notice on the homepage that requires active consent via an "Accept" button or a link to easily change cookie settings:
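The active-consent pattern described above, as an added example that is not from the article or any of the sites it cites: a small consent gate that rejects browsewrap-style "consent" (scrolling, continued browsing), blocks non-essential cookies until the visitor clicks "Accept" or ticks a checkbox, and records the consent with a timestamp and policy version so it can be documented later. The cookie names, the action labels and the in-memory cookie jar are assumptions made for the example.

```javascript
// Added example (not from the article): a minimal consent gate that refuses
// to set non-essential cookies until the visitor performs an affirmative
// action, and records that consent so it can be documented later.
// The cookie jar and clock are injected so the logic also runs under Node.

const ESSENTIAL = new Set(["session_id", "csrf_token"]); // assumed cookie names
const AFFIRMATIVE = new Set(["accept_click", "checkbox_checked"]); // assumed labels

class ConsentGate {
  constructor(jar, now = () => Date.now()) {
    this.jar = jar;      // { set(name, value), get(name) }
    this.now = now;      // injectable clock for reproducible timestamps
    this.consent = null; // stays null until an affirmative action is recorded
  }

  // Only an explicit click or checkbox counts. Scrolling, continued browsing
  // or a timeout (browsewrap) is rejected and leaves the state unchanged.
  recordConsent(action, policyVersion) {
    if (!AFFIRMATIVE.has(action)) return false;
    this.consent = {
      action,
      policyVersion,
      at: new Date(this.now()).toISOString(),
    };
    this.jar.set("consent_record", JSON.stringify(this.consent));
    return true;
  }

  // Every cookie write goes through here. Essential cookies always pass;
  // analytics and marketing cookies are dropped until consent exists.
  setCookie(name, value) {
    if (!ESSENTIAL.has(name) && this.consent === null) return false;
    this.jar.set(name, value);
    return true;
  }

  hasConsent() {
    return this.consent !== null;
  }
}

// In-memory stand-in for document.cookie (constructed for this example).
function memoryJar() {
  const store = new Map();
  return { set: (k, v) => store.set(k, v), get: (k) => store.get(k) };
}
```

In a real page the jar would wrap document.cookie and the "Accept" button's click handler would call recordConsent before any analytics script is loaded.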
Updates to the way you handle or collect personal data as well as changes to your Privacy Policy must be communicated to your customers in a timely manner.
Box, Inc. informs users of their protocol for announcing changes to the Privacy Policy:
In the case of a data breach, several actions must take place:
One important note regarding data breaches: If the breach occurred due to security negligence on the part of the business, then that business may be the subject of penalties and fines.
Whether your business has 2 employees or 550, you will be expected to educate them on the new privacy protocols under the GDPR.
Any individual that has access to the personal information of users must be made aware of the following:
One of the statutes of the GDPR states that: "You must implement appropriate technical and organisational measures that ensure and demonstrate that you comply. This may include internal data protection policies such as staff training, internal audits of processing activities, and reviews of internal HR policies."
Although this does not apply to every business, it is a good idea to check whether you need a Data Protection Officer (DPO). This is a role filled within your organization or on a consulting basis to monitor the handling of personal data and ensure compliance with the GDPR.
This requirement will apply to public authorities, data processing firms, health organizations, and the like. To find out more about who this applies to, go to the ICO website.
Here's how Thunderhead includes information about its DPO in its Data Protection and Security Policy:
While your DPO clause doesn't have to be so extensive and can simply include contact information, this clause goes above and beyond the requirements to help users understand the DPO role and how it affects them.
The last two statutes required by the GDPR may or may not apply to your business. See below and click through to research further if you think one of these may apply to you:
The wealth of information and preparatory measures listed above may seem daunting. Here are a few examples of GDPR-compliant businesses and their Privacy Policies to use as guidance:
The Data Protection Network (DPN) is a shining example of compliance, as would be expected given the nature of its business. Here are a few things to take note of:
Upon navigating to the DPN homepage, you will see an unobtrusive notice regarding cookies at the footer of the page. This notice will remain on your screen until you click "I understand," actively consenting to their use of cookies:
The DPN Privacy Policy starts off by clearly stating the company name, trading name, and physical location. This is followed by an explanation of why DPN collects personal information and what they use it for.
Note that they mention the phrase "with your permission" several times. This is to reiterate the legal basis of user consent for collecting user information:
DPN meets marketing opt-out requirements by explaining clearly how to opt out of unwanted communications, as well as how to access a copy of user personal information.
Finally, DPN thoroughly describes the information they collect with cookies and why they collect this information. Various ways to delete or prevent cookies are also described in the Privacy Policy:
Although not as squeaky-clean as the DPN, Waitrose has made visible and methodical efforts to comply with GDPR regulations.
As soon as you access the site, Waitrose displays a cookie notification in the header of the page. The only thing missing here is an active consent button, but it does include a link to learn more about cookies:
The Waitrose Privacy Policy includes a detailed list of what information they collect and why they collect it. Here you can also see the names of those businesses within the family of companies, their physical location, and instructions on how to access a copy of personal information held by Waitrose:
Here, Waitrose lays out instances in which they may need to share user data with third parties, along with their reasons for doing so. They then go on to a brief description of their cookie usage, along with a link to their Cookies Policy and instructions on how to change cookie preferences:
Aldo Shoes is another impeccable example of GDPR compliance. Navigating to their website reveals a prominent cookies notice with active consent in the header:
The Aldo Privacy Policy starts off with full company identification and physical location:
They go on to describe the types of information they collect and what it is used for:
Aldo describes how they share personal data with third parties and why:
They provide clear opt-out instructions for marketing communications:
Here, Aldo also lays out their use of cookies and how users may opt out of cookies:
And finally, they give the user complete direction on how to access or make changes to their personal information:
If you'd like to investigate the GDPR further and how it applies to you, visit EUGDPR.org for a complete guide.
This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.