Standardize data protection across all member countries
Create greater transparency for EU citizens to understand how their data is used
Allow users to easily opt out of data collection and file complaints when necessary
Develop strong protective measures for EU citizens regardless of where a business is located
Privacy policies are far from a new concept. They have been a part of business practices for decades, but the GDPR has specific requirements that have altered or expanded upon the policies that many organizations previously had in place.
Written in clear and plain language that is easy for all users to understand
Concise and intelligible, leaving out unessential or distracting information
Transparent so that users know exactly how their data is being used and collected
Cost-free so that there are no impediments to access
Easily accessible so that users do not have to search in order to read it
Even if you don’t realize that your business’s website collects data, it is your responsibility to comply, and you will be penalized if you fail to do so. Ignorance does not equate to a lack of accountability.
Never assume that your website does not collect customer information, and keep in mind that almost all websites collect at least some data through cookies. In general, your website collects data if it:
Is hosted by an outside company
Includes social media buttons
Utilizes analytics tools
If any of these attributes apply to your website, it is likely that you are collecting and processing customer data.
In addition to analyzing your website’s data collection, you will also need to consider your customer base.
There is sometimes a misconception that only businesses with headquarters within the EU need to comply with the GDPR. In reality, it is not the location of the business but rather the location of the customers that matters.
Businesses face severe penalties for failing to comply with the GDPR.
The maximum fine for a violation is 4% of a company’s annual global revenues or $22.8 million, whichever is greater. Initially, companies were fined at a relatively slow pace, but regulators have become more strict as time has passed. In fact, the year 2021 saw $1.2 billion in GDPR fines.
First, your policy must identify who is processing the customer’s data.
However, simply stating your name or the name of your business is not enough. You must also give a physical address or phone number and identify the data protection officer responsible for ensuring that all data is securely processed and stored.
Your policy needs to include a legal justification for why your business is collecting data from consumers.
Consent: The user has provided clear consent for data collection.
Contract: The collection of data is a necessary component of a contract between your business and the user.
Legal obligation: Your business is legally obligated to collect user data.
Vital interests: Data collection is necessary to protect human life.
Public task: Your business must collect data so that you can perform a task in the public interest.
Legitimate interests: Data is necessary for your business’s legitimate interests.
You should use the official terminology laid out by the GDPR so that there is no mistaking your intention.
In addition to the legal basis for processing data, your business must also articulate its purpose for collecting this specific information.
For example, you might use the data you collect to customize the user experience on your website. Or, you might use the data to verify a user’s identity, send messages or updates, or improve the website’s design.
The explanation of why your business needs data from consumers should be specific and detailed. Saying that you use data for personalization is much too broad. Instead, your policy should identify what is involved in this personalization.
At times, it’s prudent to include multiple purposes for different kinds of data. After all, you may collect home addresses for a different reason than the one for which you collect email addresses.
Data Collection, Use, and Transfer
Make clear whether you transfer the data internationally.
Indicate whether you will send the data to any third parties, no matter where they are located.
Disclose any automated decision-making, such as credit scoring, that involves customers’ data.
Remember that addressing one of these points does not mean that you have achieved full compliance. In other words, if you reveal that you transfer information to third parties but do not divulge that those third parties are international, you have failed to comply with the GDPR.
Consumers deserve to know not only that you are collecting their data but also exactly what information is being used. The GDPR’s definition of personal data is quite broad, so you may be processing more types than you realize.
Personal data essentially boils down to any information that clearly references a specific person. Depending on the context and the amount of data processed, this might include a user’s:
Date of birth
Social Security number
Physical or email address
Personal description, such as eye color and weight
Workplace and education details
Much of this information on its own would not be enough to identify a particular individual. For instance, knowing a person’s religious beliefs does little to narrow down a pool of possible individuals. However, if you collect several types of data at once, such as the person’s religion, physical address, and date of birth, this may be enough for definitive identification.
Ultimately, it is your business’s responsibility to protect all personal data.
Data Storage and Security
The GDPR does not provide a specific limit on the amount of time for which your business can store a user’s data. However, that doesn’t mean you can keep your users’ data indefinitely.
The regulation states that businesses should store data for the shortest amount of time possible. Businesses may translate this as a set time span, such as three months or a year, or they may choose to keep the information as long as is necessary for tasks to be completed.
In addition to explaining how long you will be storing personal data, it is also wise to identify the security measures that you have taken to protect it. This reassures your customers that you have their best interests at heart and prioritize their privacy.
The right to be informed of how their data is collected and processed
The right of access to any of their data that has been collected
The right of rectification to any inaccurate or incomplete data
The right to erasure of any and all data
The right to restrict processing to only certain types
The right to data portability so that data can be retained and reused for other purposes
The right to object to the use of their data for specific processing activities
Rights in relation to automation so that decisions are not made about the user based exclusively on automated processing
You might provide a business phone number or a web form that can be used to make a specific data request.
Inside Current Legal Policies
Informational Menus or Sections
Website footers are the most common location for privacy policies, and they’re often the first place a customer looks when seeking such policies.
Banners and Pop-Ups
Good Examples of GDPR-compliant Privacy Policies
Meta’s policy is especially effective because the information is clearly organized, with a table of contents on the left for quick access. It also offers the information in multiple formats, with much of the policy described in short videos as well as text.
Many sections of the policy include direct links to the corresponding pages within Meta’s products, particularly Facebook.
For example, the section of the policy devoted to how information is shared offers a link to the specific locations on Facebook and Instagram where users can change the information that they have shared with third-party apps and websites.
Finally, Meta’s policy complies with the GDPR by including all of the necessary sections, creating a transparent experience for users.
The policy also includes direct links so that users can exercise their rights to have information changed, deleted, or corrected, which is a critical component of the GDPR.
Target’s policy is also an excellent example of a policy with distinctions under each section. For example, there are separate subheaders for each method of data collection, such as social media widgets, mobile location information, and cameras.
To clearly align with GDPR requirements, Stripe specifically labels sections for legal bases, rights, security and retention, and international data transfers.
Both template formats can be easily added to the HTML of your site.
Thank you for choosing to be part of our community at [business name] (“company”, “we”, “us”, or “our”). We are committed to protecting your personal information and your right to privacy. If you have any questions or concerns about our policy, or our practices with regards to your personal information, please contact us at [contact email].
More about the author
Written by Masha Komnenic CIPP/E, CIPM, CIPT, FIP
Masha is an Information Security and Data Privacy Specialist and a Certified Data Protection Officer. She has been a Data Protection Officer for the past six years, helping small and medium-sized enterprises achieve legal compliance. She has also been a privacy compliance mentor to many international business accelerators. She specializes... More about the author
Answer a few simple questions to have your fully compliant policy generated in MINUTES!