When working toward compliance with the GDPR, one of your first tasks will probably be to update your Privacy Policy document to meet the new standards.
If you currently have a Privacy Policy that is compliant with Data Protection Directive 95/46/EC, you will need to make a few changes to become compliant with the GDPR.
Here's a rundown of some of the changes you'll need to make to your existing Privacy Policy:
The General Data Protection Regulation
The purpose of the GDPR is much the same as previous regulations: to protect the privacy and personal information of residents of the EU.
The GDPR builds upon old laws to create a more clear and complete set of rules that you must follow when collecting and using personal data from residents of the EU. The goal is for the GDPR to cover the entire region to make compliance easier than dealing with separate laws in multiple different countries.
Remember, even if your company is not located within the EU, you must comply with the GDPR if you have users who reside within the EU. The GDPR makes it very clear that any entity which collects or processes the personal data of residents of the EU must abide by its regulations.
In addition to new, stricter privacy rules, the penalties for failing to follow the GDPR have been increased. €20 million or 4% of global annual turnover is the new maximum penalty possible under the GDPR. While this maximum is reserved for extreme cases, it shows that negligence of Europe's privacy laws is no joke.
Be sure you are compliant with the GDPR by May 25th, 2018.
More specific Privacy Policies
While the structure of your Privacy Policy can remain much the same, some areas will require more specification than under previous laws.
Fortunately, most of these new requirements will not require new clauses but instead simply an additional sentence or two within a relevant clause.
For example, in your clause about how you use the personal data that you collect, simply add a sentence that states if you do or don't use personal information to make automated decisions. If you do, disclose how.
It is likely that your Privacy Policy already addresses some of these questions, but you should use this checklist to make sure your document adequately answers all of them in order to be compliant with the more specific requirements of Privacy Policies under the GDPR.
An easy to read Privacy Policy
In addition to more specific details being required within your Privacy Policy, the GDPR is adamant about your Privacy Policy being written in natural language that is easy to understand. This rule is intended to keep companies from using excessive legalese in order to confuse users and hide their true intentions.
A Privacy Policy that is difficult to read is useless to internet users and can be unfairly used to hide information about data collection or usage. As such, you should review your Privacy Policy and make sure it is easy to understand. You may even want to have others read through your Privacy Policy and give feedback as to whether they think it's easy to read and understand.
If your Privacy Policy is difficult to read or understand, you should rewrite it in a more conversational, natural manner. Minimize legalese wherever possible and write your Privacy Policy for your average user, not lawyers or the government. After all, your Privacy Policy is a document intended for your users!
Let's compare the examples below to see the difference between a Privacy Policy written in plain English and one written in cumbersome legalese.
This first example is from Google. It uses conversational English versus legal-speak, which makes it much easier to digest and understand the information being disclosed.
Now, here's an example from Lyft that clearly uses more legalese. All of the parentheses and quoted definitional terms may make this seem complicated to an average reader, and this is only the beginning of the Policy!
As you can see, the example from Google is much easier to read.
Third-party disclosure
The GDPR requires more detailed disclosure about exactly how users' personal data is handled, including any third parties that you share data with.
This includes any third-party services you use such as advertising, analytics, and payment processors. Simply put, if they collect or have access to any data from your users, you need to clearly state this within your Privacy Policy.
While your current Privacy Policy likely already discloses whether or not you share data with third parties, you should review it to ensure it also clearly and specifically identifies who these third parties are.
A statement in your Privacy Policy declaring that your website uses third-party services that process your users' data is useless if it doesn't specify who those third parties are. Your users have the right to know about any and all parties that process their personal data, and it is your responsibility to provide that information within your Privacy Policy.
Here's how Vice Magazine discloses that it uses DoubleClick, a third party advertising provider.
Data Protection Officer (DPO)
While a Data Protection Officer is not a necessity for every company, you should check to see if your organization meets the requirements for needing one.
In addition to having a qualified DPO to assist you internally, best practice is to disclose that you have an appointed Data Protection Officer in your Privacy Policy and include a means of contacting him or her in the event that your users have any questions, concerns, or suspect a data breach.
Here's how IAPP does it:
Your Data Protection Officer should be chosen by the same standards as any other position, such as professional qualities and knowledge of the field of data protection. It is also important that your Data Protection Officer has a thorough understanding of your company so that they can effectively monitor how data is processed at every level.
Here it is right from the GDPR itself:
The concept of a Data Protection Officer is not to make things more complicated, but instead to have a knowledgeable expert who can answer questions and be on the lookout for policy breaches that could be harmful to your company.
The primary role of a Data Protection Officer is to ensure that data privacy laws are being followed. This includes reviewing your Privacy Policy to check that it is adequate, monitoring that the Privacy Policy is being followed in day-to-day activities, and being a consultant for coworkers and the company as a whole in regards to privacy laws.
You should read the full details about Data Protection Officers in the GDPR and appoint a qualified candidate before May 25, 2018 if your company's operations require it.
Special categories of personal data
Under most circumstances, the types of sensitive data listed below should never be processed:
- Race or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union memberships
- Genetic or biometric data
- Health or mortality
- Sex life or sexual orientation
Best practice is to state in your Privacy Policy that you do not collect or process any of this data unless you are required to by law, such as in the event of a court case.
If you do collect or process any of these types of sensitive data, make sure to explicitly disclose this in your Privacy Policy along with the reasons why and the special permissions you have to do so.
Here you can see that the iie Privacy Policy has a separate section for sensitive personal data:
Here’s an example of a clause that discloses and covers sensitive personal data from the Gotogate Privacy Policy:
Simply stating that you collect personal data is no longer adequate. Let your users know exactly what data you collect and process, especially if it includes one of these categories.
User Access Request
Users have well-defined rights under the GDPR when it comes to accessing their personal data. When a user submits a user access request, also known as a Subject Access Request (or SAR), your company must provide the following information free of charge:
- What personal information pertaining to the user is being processed
- Why this information is being processed
- Who has access to this personal information about the user
- How this personal information is being used in automated decisions
- What processes are using this information
A user access request should be completed within 30 days and include a copy of the personal information.
You should let your users know about their rights somewhere in your Privacy Policy, including contact information that they can use to submit a request to you and instructions on how to do so.
Here's how GameStop does it:
Consequences for Non-Compliance
Not only have the maximum penalties for breaking privacy laws increased under the GDPR, but the GDPR has also made it easier for data protection authorities to investigate and penalize non-compliance under the new regulations.
Factors such as how many people were affected and for how long, negligence versus intentional practices, and the degree of cooperation with regulators can all affect the severity of the fines for failing to follow the GDPR requirements.
The total fines can be as high as €20 million or 4% of annual global turnover in the previous year, whichever is greater. Fines of this magnitude could have a major impact on your company, so it is more important than ever to ensure that your Privacy Policy is adequate and accurate.
Should I rewrite my Privacy Policy?
The GDPR does not call for a complete rewrite of your Privacy Policy. Instead, the structure should remain much the same:
- What personal information do you collect?
- How and why do you collect this information?
- How do you use this information?
- How do you keep this information safe?
- How long is this information kept?
- Is this information shared or sold? If so, with whom?
- Do any third parties collect personal information or have access to the information you have collected?
- Do you use cookies?
- How can your users control any of these aspects?
Many current Privacy Policies can simply be adjusted and updated to be made more specific to account for the changes required by the GDPR. At the same time, this may present a good opportunity to completely rewrite your Privacy Policy if it is outdated or you see areas for improvement.