The purpose of the GDPR is much the same as previous regulations: to protect the privacy and personal information of residents of the EU.
The GDPR builds upon earlier laws to create a clearer and more complete set of rules that you must follow when collecting and using personal data from residents of the EU. The goal is for the GDPR to cover the entire region, making compliance easier than dealing with separate laws in multiple countries.
Remember, even if your company is not located within the EU, you must comply with the GDPR if you have users who reside within the EU. The GDPR makes it very clear that any entity which collects or processes the personal data of residents of the EU must abide by its regulations.
In addition to new, stricter privacy laws, the penalties for failing to follow the GDPR guidelines have been increased. €20 million or 4% of global annual turnover is the new maximum penalty possible under the GDPR. While this maximum is reserved for extreme cases, it shows that neglecting Europe's privacy laws is no joke.
Be sure you are compliant with the GDPR by May 25th, 2018.
More specific Privacy Policies
Fortunately, most of these new requirements will not require entirely new clauses, but simply an additional sentence or two within a relevant existing clause.
For example, in your clause about how you use the personal data that you collect, simply add a sentence that states if you do or don't use personal information to make automated decisions. If you do, disclose how.
This first example is from Google. It uses conversational English versus legal-speak, which makes it much easier to digest and understand the information being disclosed.
Now, here's an example from Lyft that clearly uses more legalese. All of the parentheses and quoted definitional terms may make this seem complicated to an average reader, and this is only the beginning of the Policy!
As you can see, the example from Google is much easier to read.
The GDPR requires more detailed disclosure about exactly how users' personal data is handled, including any third parties that you share data with.
Here's how Vice Magazine discloses that it uses DoubleClick, a third-party advertising provider.
Data Protection Officer (DPO)
While a Data Protection Officer is not a necessity for every company, you should check to see if your organization meets the requirements for needing one.
Here's how IAPP does it:
Your Data Protection Officer should be chosen by the same standards as any position, such as professional qualities and knowledge of the field of data protection. It is also important that your Data Protection Officer has a thorough understanding of your company so that she can effectively monitor how data is processed at every level.
The concept of a Data Protection Officer is not to make things more complicated, but instead to have a knowledgeable expert who can answer questions and be on the lookout for policy breaches that could be harmful to your company.
You should read the full details about Data Protection Officers in the GDPR and appoint a qualified candidate before May 25, 2018 if your company's operations require it.
Simply stating that you collect personal data is no longer adequate. Let your users know exactly what data you collect and process, especially if it includes one of these categories.
User Access Request
Users have well-defined rights under the GDPR when it comes to accessing their personal data. When a user submits a user access request, also known as a Subject Access Request (SAR), your company must provide the following information free of charge:
What personal information pertaining to the user is being processed
Why this information is being processed
Who has access to this personal information about the user
How this personal information is being used in automated decisions
What processes are using this information
A user access request should be completed within 30 days and include a copy of the personal information.
Not only have the maximum penalties for breaking privacy laws increased under the GDPR, but the GDPR has also made it easier for data protection authorities to investigate and penalize non-compliance under the new regulations.
Factors such as how many people were affected and for how long, whether the practices were negligent or intentional, and the degree of cooperation with regulators can all affect the severity of the fines for failing to follow the GDPR requirements.
What personal information do you collect?
How and why do you collect this information?
How do you use this information?
How do you keep this information safe?
How long is this information kept?
Is this information shared or sold? If so, with whom?
Do any third parties collect personal information or have access to the information you have collected?
How can your users control any of these aspects?