In May 2018, one of the strictest and most comprehensive data protection laws in the world came into effect - the EU General Data Protection Regulation (GDPR). Complying with the GDPR has required a lot of businesses to closely review their procedures and practices.
One of the most important tasks for your business under the GDPR is to create a Privacy Policy (sometimes called a Privacy Notice). If you already have such a policy, you'll need to update it in order to make sure it meets the GDPR's new requirements.
A Data Protection Policy provides anyone who interacts with your business with a complete picture of:
Your Data Protection Policy needs to be written in clear and simple language, and easily accessible on your website.
Part of the reason that the GDPR is such a big deal is because it applies to so many businesses. It's not only EU companies that have to comply - it's any company (or individual, or charity) that wants to do business in the EU, wherever it's based.
The GDPR covers anyone providing goods or services to individuals in the EU, or monitoring the behavior of such individuals. It doesn't matter whether or not you're making a profit. Obviously this applies to businesses running ecommerce stores or social networks. But the law can also apply to anyone operating a:
Two very important terms in the GDPR are "processing" and "personal data." Processing personal data is something practically every organization does.
"Personal data" is defined in Article 4(1) of the GDPR as any piece of information that relates to an identifiable person. The most obvious example is a person's name. Their physical address or email address can also be personal data.
There are also more obscure types of information which the EU considers personal data. For example:
If it's technically possible to use this information to identify someone, you should assume that it's personal data under the law.
Then there's "processing," which refers to "any operation or set of operations" performed on personal data. Pretty much anything can qualify as processing under the GDPR, so long as it's at least partially automated or forms part of a filing system.
Your company may already have this type of policy in place. Several other laws require it, including California's CalOPPA, Canada's PIPEDA and the EU's previous privacy law - the Data Protection Directive.
But the GDPR introduces some new requirements. Anything you created to comply with any other law will most likely not be sufficient.
Here's what you need to provide in your GDPR Privacy Policy.
The GDPR requires you to publish the name and contact details of the data controller. "Data controller" is another key term in the GDPR. It refers to anyone who "determines the purposes and means" of processing personal data.
So, for example, an ecommerce store is a data controller. To allow you to make a purchase, the store must decide the means of processing your personal data, e.g. by asking you to enter your shipping address on its website. It must also decide on the purpose of processing your personal data - to send you your product.
Because your business in some way decides how and why personal data is processed, it qualifies as a data controller. Even deciding to do something as small as collecting IP addresses to run website analytics makes you a data controller.
Whether you're the data controller or someone else is, let people know by including data controller contact details in your Privacy Policy.
Here's how Peyton and Byrne does this:
It's not necessary to include the term "data controller" in this clause. Here's another example from Snap Surveys:
If you have a Data Protection Officer (DPO), you're also required to provide their contact details in your Privacy Policy.
Only certain organizations need to nominate a DPO. The DPO monitors data protection practices within the organization and acts as the main contact for data protection enquiries. Articles 37-39 of the GDPR provide more information about the DPO.
Here's how NHS England provides contact details for its DPO:
Think about all the different ways your company processes personal data. For example, when shopping at an ecommerce store, here are some of the ways that a customer's personal data could be processed:
And that's potentially just the first five minutes of the customer's relationship with the business.
Your GDPR Privacy Policy needs to disclose what types of personal data you collect from people directly (Article 13) and indirectly (from other sources) (Article 14). This doesn't only include your customers. You're probably collecting personal data from other people, too. Your Data Protection Policy is a public-facing document that anyone can access.
Here's an example from Electrolux:
Electrolux is really covering all bases here. It's difficult to imagine how a customer's air humidity or water hardness might constitute personal data. But when combined with other information, it does reveal something about a person.
This is a good example of a company that has clearly thought carefully about all the different types of data it collects and does a great job of disclosing it all.
You need to have a purpose for every piece of personal data you're collecting. If you don't need it - don't collect it.
This sounds like common sense, but for many years, some companies were collecting as much personal data as they could - through server logs, tracking cookies or unnecessary sign-up details (such as asking for someone's gender when they're signing up for your email newsletter)..
Your Privacy Policy needs to explain your purposes for processing the various types of personal data you collect.
Here's an excerpt of a clause that discloses this from Amazon Europe:
Under the GDPR, you need to have a legal basis for all the data processing you carry out. Article 6 of the GDPR lists the six legal bases. If none of these apply, processing someone's personal data is not allowed.
You'll need to think carefully about your legal basis for each means of data processing and explain this to your customers.
Here's an example from recruitment company Ian Williams:
If you're relying on legitimate interests, you also need to provide details of your Legitimate Interests Assessment.
If you're relying on contract or legal obligation, you need to let you customers know what might happen if they don't provide the necessary personal data.
Here's an example from Writeupp:
Note that this sort of restriction to services is not acceptable if you are relying on consent.
Personal data gets passed around a lot. It's important that your customers can keep track of what will happen to their personal data once you've collected it.
In a typical day your personal data might be shared online with third parties such as:
You only need to disclose the categories (types) of third parties with whom you share personal data in your Data Protection Policy.
Here's part of this section of Facebook's Data Policy:
Transferring data outside of the EU is allowed under the GDPR, but under certain conditions. There are a couple of bases you need to cover in your GDPR Privacy Policy.
You need to disclose:
Let's take a look at how M Squared approaches this:
There are three ways that the company ensures that international transfers of personal data are safe.
Your Data Protection Policy needs to disclose how long you'll be keeping the various types of personal data you hold - or at least the method you use to determine this.
One of the key principles of the GDPR is "storage limitation." You must only keep personal data for as long as you actually need it. This might be several years such as in the case of some banking information or meeting records, or it might be several days in the case of certain web server log data.
Whatever your storage period is for a particular type of personal data, you need to be able to justify it, and you need to disclose it.
Here's an example from Nestle:
In some cases it's not possible to give a storage period in days or years because the duration will vary according to the nature of the customer's relationship with the company. This is fine, so long as you explain this.
Bosch also provides details of the different periods for which cookies are stored:
One of the ways that the GDPR achieves its aim of bringing people greater control over their personal data is through the eight data rights it provides. These are set out in Article 3 of the GDPR.
Some of these rights require specific action to be taken by the data controller on request. For example, under the right of access, a customer could approach you for a copy of any of the personal data you hold on them. Or under the right to erasure, they can request that you delete certain personal data.
Your Data Protection Policy must let people know what their rights are, and how they can access or exert them.
Here's an example of some of the rights, as explained by Crunch:
You also need to let people know that they can make a complaint to a Data Protection Authority if they aren't happy with the way you have processed their personal data.
Here's an example from Resolver:
If your company makes certain important decisions automatically, you need to explain this to your customers. The rules around automated decision-making are explained in Article 22 and Recital 71 of the GDPR.
Here's how Chubb explains this:
The GDPR requires you to provide information about practically everything you do with people's personal data. This can be a daunting task, but you need to do it to comply with the law. It will also help to ensure that you're adhering to the best data protection practices possible.
Your Data Protection Policy needs to include: