The EU General Data Protection Regulation (GDPR) came into force in May of 2018. One of the reasons that the EU introduced the law is to give people more control over their personal data.
To prepare for the GDPR, companies have had to think carefully about their data protection and privacy practices.
- 1. What's Covered by the GDPR?
- 2. Does the GDPR Apply Outside of the EU?
- 3. How to Comply with the GDPR
- 4.1. Your Company's Contact Details
- 4.2. Your Purposes and Legal Basis for Processing
- 4.3. Whether You'll Be Sharing Your Users' Personal Data
- 4.4. Whether You'll Be Transferring Personal Data To a Third Country
- 4.5. How Long You'll Store Your Users' Personal Data
- 4.6. Your Users' Rights
- 5. GDPR-Compliant Consent
- 5.1. Freely Given and Affirmative
- 5.2. Granular
- 5.3. Easily Withdrawn
- 6. Summary of GDPR Compliance for Privacy Policies
What's Covered by the GDPR?
The GDPR covers the "processing" of "personal data." Article 4 (1) of the GDPR defines personal data as information that can be used "directly or indirectly" to identify a person. This is a very broad definition. Aside from the obvious things like a person's name, it can also include a person's:
- Email address
- Cookie data
- IP address (even where it's a dynamic IP address)
"Processing" is a broad term. The GDPR covers any sort of automated data processing activity or filing (electronic or otherwise). This might include:
- Asking your customers to fill out a contact form on your website
- Storing a list of phone numbers
- Sending direct marketing emails
According to Article 3 of the GDPR, the regulation applies to any person or organization that:
- Offers goods and services in the EU (whether they're charged for, or provided for free);
- Monitors the behavior of people in the EU.
So, your company might not be "offering goods and services" in the EU. But you will still fall under the GDPR if you:
- Target EU residents with advertising cookies, or
- Store your EU users' IP addresses in your log files
Does the GDPR Apply Outside of the EU?
The GDPR covers all processing of the personal data of people in the EU - whether the actual act of processing is performed in the EU or not. Not only EU companies have to comply. Companies based anywhere else in the world - for example the United States, Canada, Russia - must comply, too.
While some laws, like the upcoming California Consumer Privacy Act, only apply to certain types of companies, the GDPR could apply to anyone that falls within its scope - including individuals, charities, public bodies and businesses.
Note that there are some exemptions, but most businesses will have to comply.
How to Comply with the GDPR
If the GDPR applies to you, you'll want to know how you can avoid infringing it, and then do so. EU data protection authorities can impose fines and other penalties on companies that breach the GDPR. It's not entirely clear how this will be enforced against non-EU businesses. But even the threat of a sanction will create a huge headache for your company.
The good news is that compliance is not all that difficult.
- Written in clear and simple language that your users can easily understand,
- Comprehensive, so that it covers all aspects of your personal data processing activities, and
- Easily accessible, particularly at the point that you're collecting your users' personal data or soon after if you've received it from elsewhere.
- The California Online Privacy Protection Act (CalOPPA);
- Canada's Personal Information Protection and Electronic Documents Act (PIPEDA);
- The EU's Data Protection Directive (the GDPR's predecessor).
Your Company's Contact Details
Article 13 (1)(a) of the GDPR requires that you provide your users with:
"the identity and the contact details of the controller and, where applicable, of the controller's representative"
"The controller" refers to a "data controller" - someone who decides how and why personal data is processed.
Here's how Kellogg's provides this information:
Article 13 (1)(b) of the GDPR also requires you to provide:
"the contact details of the data protection officer, where applicable"
Organizations above a certain size, or those that routinely process sensitive personal data, are required to appoint a Data Protection Officer (DPO).
Here's some information from the European Commission about appointing a DPO:
Here's how the UK's Bar Council provides information about contacting its DPO:
Your Purposes and Legal Basis for Processing
Article 13 (1)(c) of the GDPR requires that you provide information about:
"the purposes of the processing for which the personal data are intended as well as the legal basis for the processing"
You can't process personal data unless you have a specific purpose for doing so. And for every type of data processing you do, you need to make sure you have a legal basis for doing it.
Think of it this way: your personal data belongs to you. Businesses aren't allowed to collect it or use it in any way - unless they have a lawful basis for doing so.
The GDPR sets out six legal bases at Article 6.
You can only process a person's personal data if at least one of the following applies:
- (a) You have their consent to do it
- (b) You need to process their personal data in order to fulfill or enter into a contract with them
- (c) You're legally required to process their personal data
- (d) Failing to process their personal data would put their life or someone else's life at risk
- (e) You're carrying out a task in the public interest or with legal authority
- (f) You have a legitimate interest in processing their personal data
Here's how DACS does this:
If you think that processing personal data is in your legitimate interests (point "f", above), you're required to undertake a Legitimate Interests Assessment. The UK's data protection authority, the Information Commissioner's Office (ICO), provides some guidance on this.
Article 13 (1)(d) of the GDPR requires that if you're relying on legitimate interests for an act of data processing, you must provide information about what your legitimate interests are.
Whether You'll Be Sharing Your Users' Personal Data
Article 13 (1)(e) requires you to provide information about:
"the recipients or categories of recipients of the personal data, if any"
Note that you aren't necessarily required to provide the specific names of the companies with whom you share personal data - just the types of organization you might be sharing data with.
You might be sharing personal data in more ways than you realize. For example, if you use:
- A third-party database like Microsoft's SQL Server
- Shopping cart software like Shopify
- An automated email service like MailChimp
Here's how Wayks explains this to its customers:
Whether You'll Be Transferring Personal Data To a Third Country
Article 13 (1)(f) of the GDPR requires that you provide information about:
"the fact that the controller intends to transfer personal data to a third country or international organisation and the existence or absence of an adequacy decision by the Commission"
A "third country" means a country outside of the EU. If you're hosting your website in the US, for example, and you're processing the personal data of people in the EU via that website, you're technically transferring data outside of the EU.
The European Commission has a list of countries that it has decided have "adequate" data protection standards. If you're transferring data to a third country, you need to state whether this country is on the list.
The Privacy Shield framework used to help with this transfer, but has since been invalidated. It is being replaced with the EU-U.S. Data Privacy Framework, which is not fully finalized yet.
There are other GDPR-compliant ways to transfer data to third countries, set out in Article 46. One example is using "binding corporate rules."
How Long You'll Store Your Users' Personal Data
Article 13 (2)(a) of the GDPR requires that you inform your users:
"the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period"
Under the GDPR, it's important that you don't store personal data for longer than you need it.
Your Users' Rights
Here's how Unison does this:
You also need to explain how your users can make a complaint to their data protection authority.
GDPR-Compliant Consent
In addition to the stricter requirements around Privacy Policies, the GDPR also contains a new definition of consent. This means users are able to make more informed choices about whether to give you permission to process their personal data.
However, it also requires a little extra work on your part.
You don't need consent for all aspects of personal data processing. There are five other legal bases which might be more appropriate in certain contexts.
However, for some activities, it's usually best to seek consent. Examples include:
- Sending direct marketing emails to new customers
- Using targeted advertising cookies
- Storing sensitive personal data
Freely Given and Affirmative
Your users must have a genuine, free choice to either consent or not consent. If you're seeking their consent for something, you must offer both options. It should be just as easy to refuse consent as it is to grant it.
Your users must positively affirm that they consent to you processing their personal data. It's no longer acceptable to assume consent from a person's silence. In other words, consent must be opt-in, not opt-out.
Don't present your users with pre-ticked boxes, or use statements like "by continuing to use our website, you consent to..."
Here's a great example from the European Central Bank's cookie consent banner:
Granular
Under the GDPR, you are supposed to offer your users "granular" consent, i.e. the ability to opt into some types of processing but not others.
The concept here is that even if you've obtained a user's consent for one type of processing, this doesn't mean you've obtained consent for all types of processing.
Here's how The Independent does this. When a user clicks "Show Purposes" on the cookie consent banner, they're taken to this form where each purpose for using information is listed along with additional information and a radio button to turn each purpose on or off:
Easily Withdrawn
As well as being able to refuse consent, your users must be allowed to withdraw consent once they've agreed to it. Article 7(3) of the GDPR says: "it shall be as easy to withdraw as to give consent."
Article 13 (2)(c) requires that you make your users aware of "the existence of the right to withdraw consent at any time."
Summary of GDPR Compliance for Privacy Policies
- You have a chance to review your data protection practices, so you're less likely to suffer a data breach or be subject to a complaint.
- If either of these things do happen, you can show data protection authorities that you've done the right thing.
- Your customers will feel that their personal data is safe and their rights are respected.
- Most importantly, if you want to operate in the EU it's legally required.
- How your users can contact you
- Your purposes and legal basis for processing their personal data
- Any intended third-party recipients of their personal data
- Any intended transfers outside the EU
- How long you intend to store their personal data
- How users can exercise their rights under the GDPR