Do you collect any personal information from your website visitors? If so, then the EU General Data Protection Regulation (GDPR) applies to you.
GDPR is a new law that will go into effect on May 25th, 2018, and it will have significant ramifications for businesses in the European Union.
This blog post will introduce GDPR and how it affects privacy policies.
It also includes a template privacy policy that all businesses can use, no matter where they are located.
Privacy Policy for GDPR and EU Compliance
The EU General Data Protection Regulation (GDPR) is a new law that will go into effect on May 25th, 2018. GDPR has significant ramifications for businesses in the European Union, and this blog post provides an introduction to how it affects privacy policies.
What does GDPR do? Under GDPR, data subjects must give explicit consent before any personal information is collected about them or their behavior online.
For example, if you want to collect someone’s name and email address when they sign up for your newsletter, you need to ask them directly what these things are called to consent to have their data collected explicitly.
Why is GDPR important? The EU has strict data protection laws, and its biggest companies are currently being fined millions of pounds for not complying with them.
Under the old rules, which GDPR has now replaced, businesses were only required to follow these regulations if they operated inside of an EU country or had European customers – but as soon as one person in your organization was based in Europe, then that meant all employees became subject to the law even if it wasn’t their job to deal with privacy issues here at home.
One example where this caused a problem is when Megaupload founder Kim Dotcom’s extradition from New Zealand was delayed because his lawyers argued he should be protected under NZ legislation since he lived in that country before the law changed.
The GDPR is designed to make it easier for companies to understand what they need to do to comply with the regulations and includes harsher penalties if you get something wrong – meaning that even minor lapses are more likely than before.
If a company suffers data breach or loss of personal data, then under the previous rules (which still apply), it would have been subject to fines up to £500k or two percent of your global turnover, whichever was more significant. Still, now firms face fines as high as four percent of their annual revenue.
Under EU legislation, which only applies within its member states, damages awarded can be much higher too, and there’s no limit on how many years back offenders could go when trying to collect compensation from those responsible.
The GDPR sets out stricter rules for collecting, storing, and using personal data. The first thing to mention is the need for a clear privacy policy outlining what will happen with any collected data on how it’s stored, who can see it, and so on.
That means even if you don’t have much of an online presence now, you’ll still need one to comply with these new regulations, which are already making waves across Europe as many firms try their best to prepare themselves.
There is also more information about security measures within the document, such as ensuring staff training and appropriate technical systems are in place or risk being fined up to four percent of your annual revenue from any breach or loss suffered through carelessness or ignorance.
Looking at the importance of preparing a Privacy Policy, here are some points to consider. This is not an exhaustive list, but it should give you a good idea of the scope of your privacy policy.:
- The policy’s legal basis should explain why you’re collecting personal data, what it will be used for and how long it will be stored.
- You need to notify people that their data has been captured, who they can contact with queries related to the processing of their data (privacy officer), and where they have rights under GDPR. This must happen before taking any other action on someone’s behalf.
- Explain which categories of individuals’ data are processed, including details.
- Tell people how you obtain personal data, including the purposes of the processing.
- Explain whether an individual has a right to access their information and who they need to contact if they want this.
- Include what safeguards are in place to protect individuals’ privacy, explaining when your company will use third parties or subcontractors. Be transparent about where sensitive data is processed outside the EEA and how safe it would be under GDPR rules if transferred abroad.
- Include details of any international transfers and/or other applicable law requirements that may apply to customers’ data (e.g., tax) – also include which country’s laws are applied? If there was a risk from cybercrime or terrorism, then explain why some countries may not be safe.
- Include any other information customers might find helpful, such as the ability to opt-out of data collection and sharing or how you will use customer’s data for marketing purposes
- Include the procedure for individuals to exercise their rights under GDPR, including how you will contact them and what changes they may make with regards to marketing
- Describe any other applicable law requirements that apply within your business. For example, if you are processing data from employees, which is governed by employment legislation, this should be included in your privacy policy.
In your organization, make sure there are clear policies for all staff:
- Ensure all employees are aware of GDPR requirements and procedures, including data protection, security, and privacy policies
- Ensure that all systems are compliant with GDPR requirements
- Maintain a record of the steps taken to comply with data protection obligations under GDPR for no less than six years after your last contact or transaction with an individual
- Provide a mechanism for people to report issues with their data
- Ensure that your employees have been trained in the new rules and policies on GDPR
This document should cover not only EU requirements but also any US law. It needs to be written as an easy read, so it is clear what steps are required of me when I don’t know anything about this topic.