Are your business privacy practices and Privacy Policy compliant with the European Union’s new General Data Protection Regulation (GDPR)?
This wide-sweeping set of privacy regulations went into effect in May 2018 and its ramifications have been virtually global.
- 1. GDPR Basics
- 2. Can They Really Enforce the GDPR in the USA?
- 3. How to Comply
- 3.1. Internal Privacy Analysis
- 3.2. User Rights and Access
- 3.3. Legal Basis for Processing Data
- 3.4. User Consent
- 3.5. Transparency and Accountability
- 3.6. Staff and Data Management
- 3.6.1. Data Protection Officers
- 3.7. Final Checks
- 4. Working Examples
GDPR Basics
In case you haven't yet caught up with this regulation, here are a few of the basic facts:
- The GDPR is a set of rules governing the protection and processing of personal data. "Personal data" is anything that relates to an identifiable person: obvious identifiers like names and postal addresses, but also online identifiers such as IP addresses, cookie IDs and device identifiers. Truly anonymous data, which cannot be linked back to a person, is outside its scope.
- In the broadest sense, the GDPR requires that companies protect personal data with appropriate technical and organisational measures and deal with individuals transparently.
- The GDPR applies to any business, wherever it is based, that processes personal data of people in the EU in connection with offering them goods or services or monitoring their behaviour, even if the only data involved is an IP address.
Can They Really Enforce the GDPR in the USA?
The practical answer is yes. Article 3(2) of the GDPR extends it to organisations outside the EU that offer goods or services to people in the EU or monitor their behaviour, and such organisations generally have to appoint a representative in the EU (Article 27) whom supervisory authorities can approach directly. (The 2016 Privacy Shield, sometimes cited in this context, was a mechanism for transferring personal data from the EU to the US, not an enforcement agreement, and the Court of Justice of the EU invalidated it in 2020.)
Any business that processes personal data of people in the EU, including online identifiers such as IP addresses or cookie IDs, is subject to the GDPR and, in the event of noncompliance, to fines.
Those fines may be as high as €20 million or 4% of worldwide annual turnover, whichever is higher, for the most serious infringements (Article 83).
Unless you can be absolutely sure that no EU resident will ever wander onto your website or mobile application, it would be prudent to comply.
How to Comply
With a sweeping set of regulations distributed over multiple articles and documents, the GDPR requirements can be a bit confusing, to say the least. We'll take you through it, step by step.
First off, here are a few points to remember regarding your Privacy Policy:
- Your Privacy Policy must be prominently displayed and easy to access.
- Keep it updated and always inform users when you make Privacy Policy changes.
- The GDPR requires that the information in your Privacy Policy be provided "in a concise, transparent, intelligible and easily accessible form, using clear and plain language" (Article 12(1)).
- Clearly state who you are: the legal name of your business and, if it is owned or controlled by another company, that company as well.
- Give users the physical address and contact details of your business (Article 13(1)(a)).
Those are a few things to remember as you get started. Below you will find a detailed list of the minimum requirements that apply to the average business:
1. Internal Privacy Analysis
To ensure compliance, it may be necessary to perform an internal analysis of the personal data you currently hold. If a customer ever complains about your privacy practices, your supervisory authority (the Information Commissioner's Office, or ICO, in the UK; each EU member state has its own) may ask you the following questions:
- What kind of data do you collect from customers, in minute detail?
- Do you have good reason to collect this data? Why do you need it?
- How was the data obtained, exactly? Did users consent to the collection of their information?
- How long will you retain it?
- How secure is the data in your possession?
- Do you ever share the personal information of users with third parties? Do you have good reason to do so?
Do you have the answers to these questions? If so, are all of these topics addressed in your Privacy Policy? If you cannot answer the questions above with confidence and cover all of that information in your Privacy Policy, an internal privacy analysis is in order, followed by an update to your Privacy Policy. Keep the answers as a written record: the record of processing activities required by Article 30 covers much the same ground.
Aldo's Privacy Policy summarizes all of these points concisely.
2. User Rights and Access
Under the GDPR, user rights are spelled out explicitly (Articles 15 to 21). Your customers have the right to:
- Obtain a copy of their personal data and have inaccurate data corrected. You must respond within one month of the request, extendable by two further months only for complex or numerous requests (Article 12(3)).
- Have their data erased on request, unless you have a legal reason to keep it (Article 17).
- Object to direct marketing at any time, in which case the marketing must stop (Article 21).
According to the above provisions, your website or mobile application must provide a clear, easily accessible way for customers to view and change their personal information.
They must also be able to request a copy of their information free of charge; a reasonable fee may be charged only for requests that are manifestly unfounded or excessive (Article 12(5)). Verify the requester's identity before releasing anything (Article 12(6) allows you to ask for additional information to do so): a subject access request is an obvious route for an attacker to extract someone else's data.
IAPP provides multiple avenues for users to access and change their information.
Once your system has the correct functionality in place, your Privacy Policy would need to be updated in similar fashion, with sections outlining the following:
- Description of a user's rights regarding their own personal information
- Instructions and links that give users access to their information and an easy method with which to change it
- How long your company retains an individual's data after it is no longer needed or after the account is closed, and why
- Clear instructions on how to opt-out of marketing messages and/or targeted advertising from your business.
Box, Inc. covers all of the above points in the 'Choices' section of its Privacy Policy.
3. Legal Basis for Processing Data
To collect or process the personal data of any individual, you must have a "lawful basis" for doing so (Article 6). If you cannot show a lawful basis, the processing is unlawful and your supervisory authority can act on it.
The most visible lawful basis is the user's consent. If you have the express consent of your users to collect and record their data, and can document and prove that consent (Article 7(1)), then all is well. Note that consent is not always the best choice: it can be withdrawn at any time, after which you must stop, so the ICO recommends relying on another basis where one genuinely fits.
The ICO publishes a comprehensive example consent form.
Sky Telecommunications uses a simpler but still sufficient form; note the unticked checkboxes at the bottom that require the user to opt in.
As the ICO's own list shows, the other lawful bases for processing personal data are:
- Contract
- Legal obligation
- Vital interests
- Public task
- Legitimate interests
One or more of the bases listed above must be identified and documented before you collect or record consumers' personal data, and your Privacy Policy must state which basis you rely on for each purpose (Article 13(1)(c)).
Spotify mentions express consent in a paragraph of its Privacy Policy.
4. User Consent
This may be one of the most significant changes to how you approach data collection. Under the GDPR, consent must be "freely given, specific, informed and unambiguous" (Article 4(11)). Separately, the ePrivacy Directive requires consent before any cookie or similar tracker that is not strictly necessary for the service is stored on the user's device, and that consent must meet the GDPR standard.
In other words, you need a lawful basis before processing even so much as an IP address, and for non-essential cookies and trackers that basis must be active consent, obtained before the cookie is set.
Passive forms of consent known as browsewrap, for example wording like "by continuing to use our site you automatically agree to our use of cookies", are not valid consent.
This paragraph in Roald Dahl's Cookie Policy, for example, does not amount to active consent.
Consent must be actively given, usually by a checkbox or a clicked agreement, and pre-ticked boxes do not count (the Court of Justice of the EU confirmed this in the Planet49 case in 2019). It must also be as easy to withdraw as it was to give (Article 7(3)). Websites approach this in a variety of ways. The most common is a floating dialog box that tells visitors why data is being collected via cookies, links to the Privacy and/or Cookies Policy, and features a button or checkbox that confirms agreement. Check that the banner actually blocks non-essential cookies and third-party scripts until the visitor accepts: a banner that asks but sets the cookies anyway proves only that you knew consent was needed.
Evidon is an excellent example, with a pop-up cookie notice on its homepage that requires active consent via an "Accept" button or a link to easily change cookie settings.
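The following is an added example, not code from the original article or from any of the sites it cites, showing the logic behind a banner that meets the points above and the earlier requirement to be able to document consent: non-essential scripts stay off the page until the visitor actively opts in, the decision is recorded with a timestamp and the policy version it was given for, withdrawal is one call, and a record written under an older policy version is treated as no consent. The category names, the `POLICY_VERSION` value, the `memoryStorage` stand-in for `localStorage`, and the banner text in the demo are all assumptions made for illustration.

```javascript
// Added example (not the article's or any vendor's code): a minimal consent gate.
// Assumed names: consent categories, POLICY_VERSION, memoryStorage (a stand-in
// for window.localStorage so the code runs outside a browser).

const CONSENT_KEY = 'cookie_consent_v1';
const POLICY_VERSION = '2018-05-25'; // assumed: bump whenever the cookie policy changes

// Strictly necessary cookies (session, CSRF token, load balancer) need no consent;
// every other category is gated.
const ESSENTIAL = new Set(['necessary']);

function createConsentGate({ storage, now = () => Date.now() }) {
  const loaders = new Map(); // category -> [deferred loader functions]
  const fired = new Set();   // loaders that have already run this page view

  function read() {
    const raw = storage.getItem(CONSENT_KEY);
    if (!raw) return null;
    try {
      const rec = JSON.parse(raw);
      // Consent given for an older policy is not informed consent for this one:
      // treat it as absent so the banner is shown again.
      return rec.policyVersion === POLICY_VERSION ? rec : null;
    } catch (e) {
      return null;
    }
  }

  function isGranted(category) {
    if (ESSENTIAL.has(category)) return true;
    const rec = read();
    return !!(rec && Array.isArray(rec.granted) && rec.granted.includes(category));
  }

  // Register a tag/script for a category. It runs only once consent exists,
  // so nothing browsewrap-style is loaded on first paint.
  function whenGranted(category, fn) {
    if (!loaders.has(category)) loaders.set(category, []);
    loaders.get(category).push(fn);
    flush(category);
  }

  function flush(category) {
    if (!isGranted(category)) return;
    for (const fn of loaders.get(category) || []) {
      if (!fired.has(fn)) { fired.add(fn); fn(); }
    }
  }

  // Called from the banner's "Accept" button or the settings dialog. The list
  // must come from an unticked-by-default UI; the gate never assumes a default.
  function grant(granted, evidence = {}) {
    const rec = {
      granted: granted.filter(c => !ESSENTIAL.has(c)),
      policyVersion: POLICY_VERSION,
      timestamp: new Date(now()).toISOString(),
      // What the visitor was shown, kept so the consent can be evidenced later.
      evidence: { ui: evidence.ui || 'banner', bannerText: evidence.bannerText || '' },
    };
    storage.setItem(CONSENT_KEY, JSON.stringify(rec));
    for (const c of rec.granted) flush(c);
    return rec;
  }

  // Withdrawal is a single call; already-loaded scripts cannot be unloaded,
  // but nothing gated fires again on the next page view.
  function withdraw() {
    storage.removeItem(CONSENT_KEY);
    fired.clear();
  }

  return { isGranted, whenGranted, grant, withdraw, read };
}

// In-memory stand-in for localStorage (assumption, for running outside a browser).
function memoryStorage() {
  const m = new Map();
  return {
    getItem: k => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
    removeItem: k => { m.delete(k); },
  };
}

// Demo with constructed inputs: analytics stays off until "Accept" is clicked.
function demo() {
  const storage = memoryStorage();
  const gate = createConsentGate({ storage, now: () => Date.parse('2018-05-25T10:00:00Z') });
  const log = [];
  gate.whenGranted('analytics', () => log.push('analytics tag loaded'));
  const before = log.length; // a browsewrap banner would already have loaded it
  gate.grant(['analytics'], { ui: 'banner', bannerText: 'We use cookies for analytics. [Accept] [Settings]' });
  const after = log.length;
  const record = gate.read();
  gate.withdraw();
  const grantedAfterWithdraw = gate.isGranted('analytics');
  // A record left over from an older policy version must not count.
  storage.setItem(CONSENT_KEY, JSON.stringify({ granted: ['analytics'], policyVersion: '2017-01-01' }));
  const staleIgnored = !gate.isGranted('analytics');
  return { before, after, record, grantedAfterWithdraw, staleIgnored, necessaryAlways: gate.isGranted('necessary') };
}

console.log(JSON.stringify(demo(), null, 2));
```

In a real page, `storage` would be `window.localStorage` (or a first-party cookie) and the loader passed to `whenGranted` would inject the analytics `<script>` tag; the important property is that the tag is never injected before `grant` has been called from a click.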
5. Transparency and Accountability
Changes to the way you handle or collect personal data, and changes to your Privacy Policy, must be communicated to your customers in a timely manner.
Box, Inc. informs users of its procedure for announcing changes to the Privacy Policy.
In the case of a personal data breach, several things must happen:
- Detect the breach, then notify your supervisory authority within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals (Article 33). If you cannot give all the details within 72 hours, notify what you know and follow up in phases.
- If the breach is likely to result in a high risk to individuals, inform the affected people without undue delay (Article 34). There is no separate 72-hour clock for this, but that is not a reason to wait.
- Keep an internal record of every breach, whether or not it was notified (Article 33(5)).
One important note regarding data breaches: if the breach was caused by security negligence on the part of the business, that business may face penalties and fines on top of the breach itself.
6. Staff and Data Management
Whether your business has 2 employees or 550, you will be expected to educate them on the new privacy protocols under the GDPR.
Any individual that has access to the personal information of users must be made aware of the following:
- What are the current applicable laws for the handling of personal information
- What are the privacy practices under the current Privacy Policy of your business
- How to process, record, and maintain security for personal data
The ICO summarises the GDPR's accountability principle (Article 5(2)) as follows: "You must implement appropriate technical and organisational measures that ensure and demonstrate that you comply. This may include internal data protection policies such as staff training, internal audits of processing activities, and reviews of internal HR policies."
Data Protection Officers
Although this does not apply to every business, it is a good idea to check if you need a Data Protection Officer (DPO). This is a position hired within your organization or on a consulting basis to monitor the handling of personal data and ensure compliance with the GDPR.
Appointing a DPO is mandatory for public authorities, for organisations whose core activities involve large-scale regular and systematic monitoring of individuals, and for those that process special-category data (such as health data) or criminal-conviction data on a large scale (Article 37). To find out whether this applies to you, see the ICO website.
Thunderhead includes information about its DPO in its Data Protection and Security Policy.
While your DPO clause doesn't have to be this extensive and can simply give contact details, this one goes beyond the minimum and helps users understand the DPO role and how it affects them.
7. Final Checks
The last two requirements may or may not apply to your business. Read on and click through to research further if you think one of them does:
- Privacy by Design - Privacy by design and by default (Article 25) should be an approach your business takes from the outset, and especially when starting new projects. If a project is likely to result in a high risk to individuals, a Data Protection Impact Assessment (DPIA) is required before processing begins (Article 35). Read more about that here.
- Cross-border processing - If your organization processes personal data across more than one EU member state, you will need to identify your lead supervisory authority, which is the authority of the member state where your main establishment is located (Article 56), and document it. Your Privacy Policy must in any case tell users that they have the right to lodge a complaint with a supervisory authority (Article 13(2)(d)). Read more about that here.
Working Examples
The wealth of information and preparatory measures listed above may seem daunting. Here are a few examples of GDPR-compliant businesses and their Privacy Policies to use as guidance:
The Data Protection Network (DPN) is a shining example of compliance, as you would expect given the nature of its business. Here are a few things to take note of.
On the DPN homepage you will see an unobtrusive notice regarding cookies in the footer of the page. This notice remains on screen until you click "I understand," actively consenting to the use of cookies.
The DPN Privacy Policy starts by clearly stating the company name, trading name, and physical location. This is followed by an explanation of why DPN collects personal information and what it is used for.
Note that the phrase "with your permission" appears several times. This reiterates consent as the lawful basis for collecting the information.
DPN meets marketing opt-out requirements by explaining clearly how to opt out of unwanted communications, as well as how to obtain a copy of one's personal information.
Finally, DPN thoroughly describes the information it collects with cookies and why, and the Privacy Policy describes various ways to delete or block cookies.
Although not as squeaky-clean as DPN, Waitrose has made visible and methodical efforts to comply with the GDPR.
As soon as you access the site, Waitrose shows a cookie notification in the page header. The one thing missing is an active consent button, which means non-essential cookies should not be set on the strength of this notice alone, but it does include a link to learn more about cookies.
The Waitrose Privacy Policy includes a detailed list of what information it collects and why. It also names the businesses within the family of companies, gives their physical location, and explains how to obtain a copy of the personal information Waitrose holds.
Waitrose lays out the instances in which it may share user data with third parties, along with its reasons for doing so. It then gives a brief description of its cookie usage, with a link to its Cookies Policy and instructions on how to change cookie preferences.
Aldo Shoes is another impeccable example of GDPR compliance. Its website shows a prominent cookie notice with active consent in the header.
The Aldo Privacy Policy starts with full company identification and physical location.
It goes on to describe the types of information collected and what it is used for.
Aldo describes how it shares personal data with third parties and why.
It provides clear opt-out instructions for marketing communications.
Aldo also lays out its use of cookies and how users may opt out of them.
And finally, it gives users complete directions on how to access or change their personal information.
If you'd like to investigate the GDPR further and how it applies to you, visit EUGDPR.org for a complete guide.