The GDPR sets the rules about how personal data should be processed in the EU. It also provides rights to individuals regarding their personal data. Without privacy laws like the GDPR, people would lose control over the information that businesses and governments have collected about them.
The California Online Privacy Protection Act (CalOPPA)
Canada's Personal Information Protection and Electronic Documents Act (PIPEDA)
The GDPR is different. Its requirements are more rigorous than any of the above laws, and anything you produced to comply with these will likely not be sufficient under the GDPR.
An important thing to bear in mind is that this is a public-facing document, and is not written just for your customers. It should be aimed at anyone whose personal data you might process - including potential customers and visitors to your website.
Let's take a look at what you'll need to include.
You'll notice above that MembersFirst refers to itself as a "data controller." For the purposes of the GDPR, your company is probably a "data controller," too - if it makes decisions about how and why personal data is processed.
Some companies give their definitions directly from Article 4 of the GDPR. This is the approach of AEG:
This isn't actually all that helpful for a reader. Arguably, defining a "data subject" as "an identifiable natural person [...] who can be identified, directly or indirectly, in particular by reference to an identifier" does little to clarify what the term actually means to a layperson.
Here's another example from Edgbaston Park Hotel. Its definitions are more accessible and easy to understand.
You can see the differences here between writing in legalese versus writing in a common voice that is far easier to understand.
Principles for Processing Personal Data
Article 5 of the GDPR contains six principles by which all personal data must be processed.
Lawfulness, fairness, and transparency: obey the law; only process personal data in a way that people would reasonably expect; always be open about your data protection practices.
Purpose limitation: you must normally only process personal data for the specific reason you collected it and nothing else.
Data minimization: don't process any more data than you need.
Accuracy: make sure that any personal data you hold is adequate and accurate.
Storage limitation: don't store personal data for longer than you need to.
Integrity and confidentiality: always process personal data securely.
The GDPR's definition of "personal data" is very broad. The chances are that your company processes a lot of it.
You can then further break down this information into more detailed categories. Here's how Synthorx does this:
Be as detailed and specific as possible when disclosing the types of personal data you collect and process. Try to disclose this information in a way that's as easy for your users to understand as possible.
How You Process Personal Data
Under the principles of "purpose limitation" and "data minimization," you must always have a good reason for processing any of the personal data in your possession.
This can also be a clause that describes "how" and "why" the data is used, so long as users are informed about what exactly you're doing with the data you collect.
The GDPR only allows you to process personal data on one of six legal (or "lawful") bases. You aren't allowed to process personal data unless you've established a good, legal justification for doing so.
The legal bases for processing a person's personal data are:
Consent: you have earned their permission in a GDPR-compliant way
Contract: you need to process their personal data to fulfill a contract
Legal obligation: you'd be breaking the law if you didn't process their personal data
Vital interests: their life (or someone else's life) depends on you processing their personal data
Public task: you need to process their personal data to carry out a task that's in the public interest
Legitimate interests: processing their personal data is in your interests, and you've carried out a Legitimate Interests Assessment
Some companies relate their legal bases to the types of personal data they process and their reasons for processing personal data. Here's how Pint of Science does this:
Where you're relying on "legitimate interests," you need to specify what your legitimate interests are.
Where you're using "consent" as a legal basis, you must include reference to your users' right to withdraw consent. Here's how Sharp does this:
If your legal basis is "contract," you need to let people know what will happen if they fail to provide you with the personal data you need to carry out a contract. Here's how Budget does this:
Make sure you know what your legal basis is (or bases are) and disclose this.
Retention of Personal Data
This won't always be a fixed period (e.g. one week, two months, etc.). It may instead be determined by how long you need the data (e.g. until the person closes their account).
The clause explicitly states that "Google Analytics data is shared with Google" which lets Discover France users know that a third party (Google) is receiving some of their personal data.
International Transfers of Personal Data
There are only certain reasons that you can transfer personal data out of the EU. These include:
The non-EU country to which you're transferring personal data has been deemed to have "adequate" data protection by the European Commission;
"Adequate" countries include Canada and New Zealand. The United States is included, but only if the US company is part of the Privacy Shield framework.
You have a contract with the recipient that contains standard data protection clauses;
You're transferring personal data within a multinational company (or a group of companies working together) subject to binding corporate rules;
As a last resort, and with certain other conditions in place, you have the person's consent to transfer their data.
The GDPR grants individuals eight rights over their personal data. Subject to certain conditions, you're required to facilitate these rights when requested to do so.
These rights are:
The right to be informed
The right of access
The right to rectification
The right to erasure (known as "the right to be forgotten")
The right to restrict processing
The right to data portability
The right to object
Rights in relation to automated decision-making
Not all the rights are likely to apply to your company, but you need to be familiar with them regardless.
Here are some ways you can make sure it gets noticed:
On Your Website
On Your Mobile App
In Your Communications