The main focus of the General Data Protection Regulation (GDPR) is the protection of personal data and digital privacy.
What’s the GDPR
The GDPR is a new legal framework from the EU that entered into force in 2016 and applies from May 25, 2018. It replaces the 1995 Data Protection Directive (95/46/EC).
This law is designed to accomplish two main things:
- Unify the current data protection privacy laws throughout the EU, and
- Enhance the rights of people in the EU (not only EU citizens) over their personal information
Who the GDPR Applies to
Regardless of where in the world your business is located, the GDPR applies to any business that does one or both of the following (Article 3):
- Offers its products or services, paid or free, to people located in the EU
- Monitors the behaviour of people located in the EU, for example by tracking them across a website or app
Businesses established in the EU are covered for all of their processing, wherever it takes place.
This means that a business located in Canada with no EU presence that only collects phone numbers for text message marketing to people in the EU is still required to comply with the GDPR.
What the GDPR Requires
While the Data Protection Directive placed obligations only on data controllers (the party that decides why and how personal data is processed), the GDPR also places direct obligations on data processors (the party that processes data on a controller's behalf, such as a hosting or email provider).
Each role has specific requirements that you’ll also need to be aware of.
For example, data controllers must now conduct a Data Protection Impact Assessment (DPIA) before any processing that is likely to result in a high risk to individuals (Article 35), and must meet stricter standards when relying on consent to collect data.
Data processors will have to keep written records of their processing activities (Article 30), implement security measures appropriate to the risk (Article 32), and notify the data controller without undue delay of any personal data breach (Article 33).
In some instances (public authorities, large-scale regular and systematic monitoring of individuals, or large-scale processing of sensitive data) you are required to appoint a Data Protection Officer (DPO) to oversee your data protection strategy and GDPR compliance (Article 37).
The GDPR requires that users are provided with thorough information about how their personal data is processed.
According to Article 12 of the GDPR, information about how you process personal data must be provided in a way that is:
- Easily accessible
- In clear and plain language
- Free of charge
How to Comply with GDPR
Remember that under the GDPR, you need to communicate your data collection and processing procedures in a way that’s concise, transparent, intelligible and in clear and plain language. At a minimum, your Privacy Policy should cover:
- What personal information you collect
- How and why you collect it
- How you use it
- How you secure it
- Any third parties with access to it
- How users can control any aspects of this
Privacy Policies tend to be long, dense legal agreements with a lot of detailed information. Your users might feel intimidated by page after page of legal and technical detail, which is exactly what the GDPR is working to avoid.
Note that each point below doesn’t have to be a separate clause. As long as the information is somewhere in your Policy, and easy to find, it will work.
1. Who your Data Controller is
The data controller will likely be your business, unless your business operates as a data processor for other companies (in which case those companies are the controllers).
2. Contact information for the Data Controller
If you have a Data Protection Officer, add in specific contact information for your users to contact this person directly with issues related to privacy.
3. Your purposes for collecting the data
Your users need to know why you’re collecting and using their personal data. Be as specific as possible here when disclosing your practices.
4. Inform users of the eight rights they have under the GDPR
These are the right to be informed, the right of access, the rights to rectification and erasure, the right to restrict processing, the right to data portability, the right to object, and rights relating to automated decision-making and profiling. In practice, most of them involve letting users see the data you hold and request changes, corrections and deletions.
For example, if you collect email addresses, give users a chance to see what one/s you have on file, give them a way to delete their email address and allow them to update or change it.
5. Whether you use data to make automated decisions
If you use personal data to make automated decisions, such as credit scoring, loan screening, profiling users or making employment decisions, you need to disclose this to users, together with meaningful information about the logic involved and the significance and likely consequences of that processing (Article 13(2)(f)).
You can let users know that you don’t do this if you want, but it’s not required.
6. Whether you transfer data internationally
If your business transfers personal data to a different country or international organization, you need to let users know this (Article 13(1)(f)).
Include one of the following as well:
- Whether your transfer is covered by an adequacy decision or a recognised framework, such as the EU-US Privacy Shield (note that the CJEU invalidated Privacy Shield in July 2020, so a policy that relies on it needs updating), or
- The appropriate safeguards you rely on instead, such as standard contractual clauses or binding corporate rules, and how users can obtain a copy of them
7. What’s your legal basis for processing data
Under the GDPR, you need to have a lawful basis for processing any personal data (Article 6). There are six available lawful bases, and each processing activity needs to rest on one of them, chosen and documented before the processing starts.
The most common two would be:
- The subject has given consent to have data processed for the specific purpose/s
- Processing is necessary for a legitimate interest pursued by you or a third party, which is not overridden by the individual's interests or rights (document this balancing test)
This requirement will likely be met through a combination of your clauses that cover what personal data you’re collecting and how you’re using the data.
Consent is not a general requirement of the GDPR: it is one lawful basis among six, and often not the best one, because it can be withdrawn at any time and the processing must then stop. Where another basis fits (for example, processing needed to deliver a service the user asked for), rely on that basis and say so in your Policy. Where you do rely on consent, the GDPR sets a high bar (Article 7, Recital 32):
Before you collect ordinary personal information (email addresses, names, financial information, etc.) on the basis of consent, you’ll need a freely given, specific, informed and unambiguous indication of the user's wishes, given by a clear affirmative action. Pre-ticked boxes, silence or continued use of the site don’t count, consent for separate purposes must be requested separately, and withdrawing consent must be as easy as giving it.
Before collecting sensitive personal information (sexual orientation, health data, political/religious views, etc.), you’ll need explicit consent, unless one of the other narrow exceptions in Article 9 applies.
There’s something else you can do to satisfy the enhanced transparency requirements under the GDPR: provide Privacy Notices.
Have Privacy Notices
A Privacy Notice is a simple yet informative notice that lets a user know why you’re collecting data. These notices can be added to places on your website or mobile app where you’re requesting to collect user data, such as at a field where a user can enter an email address.
For example, uSwitch asks users for an email address and a phone number – both of which are considered to be protected personal information under the GDPR.
Next to the fields where this information is requested, there are small question mark icons that users can click for more information via a Privacy Notice.
When a user clicks on the question mark, they’re presented with a short notice that explains, in clear, basic language, why that piece of information is being requested. Here, it’s so that uSwitch can email a copy of comparison results to the user.
This type of notice is referred to as a just-in-time notice.
It’s easy to see how a short Privacy Notice at the point of data collection can help users be informed of your data collection practices in a concise, clear and easy-to-understand way.
Examples of GDPR-Compliant Privacy Policies
Here are a couple of examples of Privacy Policies that would meet GDPR requirements by being user-friendly and informative.
The first example is Mouseflow's Privacy Policy. It continues with a clause that covers how the information is used.
However, you can start to see more transparency than most Privacy Policies when you get to the section about how Mouseflow shares information.
This section is broken down into two types of information that will be shared:
- Personally identifiable information, and
- Non-personally identifiable information
This distinction is useful, but be careful with it: the GDPR's definition of personal data is broader than the US notion of personally identifiable information. IP addresses, cookie identifiers and other data that can single out an individual, directly or in combination with other data, are personal data too.
The Policy then goes on to cover:
- How information is stored and processed
- How information is protected
Mouseflow points out specifically for EU clients that it complies with the EU Data Protection Directive requirements. A policy like this should be updated to refer to the GDPR, which replaces the Directive, but the structure above is the kind of disclosure the GDPR asks for.
Pipedrive is very specific in disclosing how it uses the information it collects. This helps satisfy the lawful basis requirement of the GDPR: where the basis is legitimate interest, users must be told what that interest is.
You can see that it includes operations, improvements and communications – all of which are legitimate business purposes.
Pipedrive includes a section about user choices when it comes to user data. This section covers accessing data, correcting it, deleting it, objecting to it being collected, declining to provide it and other rights users have under the GDPR.
In summary:
- Use clickwrap checkboxes (unticked by default, one per purpose) to get clear, unambiguous consent before collecting any personal data on the basis of consent
- Add Privacy Notices in places where you’re asking for consent to collect data to help explain why you’re asking for the data and consent
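The consent rules discussed under "What's your legal basis for processing data" and the clickwrap checkboxes recommended above are easy to get wrong in code. The following is an added example, not code from the original page or from any of the companies it mentions: a server-side validator for a submitted consent form that rejects pre-ticked boxes, bundled purposes and non-explicit statements for sensitive data, records exactly what the user agreed to, and lets consent be withdrawn with a single call. The form object shape, the purpose names and the policy version string are constructed assumptions; the sample forms at the bottom are made-up data.

```javascript
// Added example (not from the original page): validating a clickwrap consent form
// before storing a consent record, and checking that record at processing time.
// The form object shape is an assumption: a server-side representation of what the
// page rendered and what the user submitted. It uses no DOM, so it runs in Node.

// Purposes that involve special category data (GDPR Art. 9) and the plain word the
// consent statement shown to the user must contain for the consent to count as explicit.
const SPECIAL_CATEGORY = { health_data: "health", political_views: "political" };

// Validate one submitted form. Returns { ok, errors, record }; record is null on failure.
function validateConsent(form, now = new Date()) {
  const errors = [];
  const granted = [];

  for (const box of form.checkboxes) {
    const label = box.purposes.join("+");

    // Recital 32: pre-ticked boxes, silence or inactivity are not consent. A box the
    // page rendered as checked yields no affirmative act even if it is checked now.
    if (box.defaultChecked) {
      errors.push(`${label}: pre-ticked box is not an affirmative act`);
      continue;
    }
    // Art. 7(2): consent requests must be distinguishable. One box covering several
    // purposes is bundled consent and cannot be attributed to any single purpose.
    if (box.purposes.length !== 1) {
      errors.push(`${label}: one box must cover exactly one purpose`);
      continue;
    }
    const purpose = box.purposes[0];
    // Art. 9: special category data needs explicit consent, so the statement next to
    // the box must actually name the kind of data, not just "marketing" or "terms".
    const keyword = SPECIAL_CATEGORY[purpose];
    if (keyword && !box.statement.toLowerCase().includes(keyword)) {
      errors.push(`${purpose}: statement does not explicitly name ${keyword} data`);
      continue;
    }
    // An unticked optional box simply means no consent for that purpose, not an error.
    if (box.checked) granted.push({ purpose, statement: box.statement });
  }

  if (errors.length > 0) return { ok: false, errors, record: null };
  return {
    ok: true,
    errors,
    record: {
      policyVersion: form.policyVersion, // which wording of the policy the user saw
      grantedAt: now.toISOString(),
      purposes: granted,                 // each purpose with the exact statement shown
      withdrawn: {},                     // purpose -> ISO timestamp, see withdrawConsent
    },
  };
}

// Art. 7(3): withdrawal must be as easy as giving consent, so it is a single call.
// Returns a new record; the original grant is kept as evidence of what was consented to.
function withdrawConsent(record, purpose, now = new Date()) {
  return { ...record, withdrawn: { ...record.withdrawn, [purpose]: now.toISOString() } };
}

// Check at processing time: consent exists for this purpose and has not been withdrawn.
function hasConsent(record, purpose) {
  if (!record) return false;
  if (Object.prototype.hasOwnProperty.call(record.withdrawn, purpose)) return false;
  return record.purposes.some((p) => p.purpose === purpose);
}

// Constructed sample submission (assumed data, not a real form): two valid boxes, the
// second one left unticked by the user.
function sampleForm() {
  return {
    policyVersion: "2018-05-25", // assumed policy version identifier
    checkboxes: [
      { purposes: ["email_newsletter"], statement: "Email me the monthly newsletter",
        defaultChecked: false, checked: true },
      { purposes: ["sms_marketing"], statement: "Text me special offers",
        defaultChecked: false, checked: false },
    ],
  };
}

// Constructed sample that fails every rule: a pre-ticked box, a bundled box, and a
// health-data box whose statement never mentions health.
function badForm() {
  return {
    policyVersion: "2018-05-25",
    checkboxes: [
      { purposes: ["email_newsletter"], statement: "Email me the monthly newsletter",
        defaultChecked: true, checked: true },
      { purposes: ["sms_marketing", "partner_sharing"], statement: "I agree to marketing",
        defaultChecked: false, checked: true },
      { purposes: ["health_data"], statement: "I agree to the terms",
        defaultChecked: false, checked: true },
    ],
  };
}
```

The record stores the policy version and the exact statement the user saw, because a consent you cannot later describe (what was agreed, to which wording, when) is hard to demonstrate to a regulator or a data subject. Processing code should call `hasConsent` at the moment of use rather than caching the answer, so a withdrawal takes effect immediately.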