1. What Is the GDPR?
The GDPR is a data privacy law in effect since May 25, 2018. Passed by the EU, but affecting companies around the world, the GDPR gives users more rights over the personal information they share with businesses, and penalizes companies that are negligent with this data.
The GDPR aims to protect the data rights of users in the European Economic Area (EEA). The EEA is comprised of the EU, Iceland, Liechtenstein, and Norway. Additionally, the GDPR applies to users in Switzerland.
Fines for noncompliance are up to $23 million, or 4% of your annual global turnover, depending on the severity of your compliance infraction.
2. Do I Need to Comply with the GDPR?
As the GDPR applies to businesses around the world, you may be subject to this strict privacy law. Whether or not you need to comply with the GDPR will depend on your answers to two questions:
1. Do I collect personal information from users?
2. Do I have, or plan to have, users in the EEA?
If you currently have users in the EU, Iceland, Liechtenstein, Norway, or Switzerland, and you collect personal information, you must comply with the GDPR.
Keep in mind that if you currently answer no to either of the two questions above, but plan to collect personal information from EEA users in the future, you need to prepare to comply with the GDPR as soon as possible.
Three articles within the GDPR address the privacy notice requirement:
- Article 12 — Information about data collection, storage, and transfer must be presented to users in writing.
- Article 13 — If you collect users’ data, you need to provide them with certain information, such as your contact details and data-processing purposes.
- Article 14 — When data is not directly collected from the user, you need to provide details about relevant partners, affiliates, or third parties.
Your privacy notice should be understandable to the average reader, and should give them clear insight into how you handle their data and what rights they have regarding their personal information.
According to Article 12 of the GDPR, information about data processing must be presented:
…in a concise, transparent, intelligible and easily accessible form, using clear and plain language.
To appreciate the importance of transparency, look at the recent Google GDPR fine. The tech giant was penalized for spreading important information across many of its policies, and misleading users.
Your GDPR policy should be written to help users make informed choices about sharing their personal data.
Your GDPR privacy notice must contain the following sections:
Appropriate contact details
- Data controllers: Data controllers determine how and why personal data is collected. If you collect personal data through your website such as login information or payment details, you are the data controller.
- Data processors: Data processors process user data on behalf of the data controller. For example, if you collect payment details through a checkout page on your website, you may be the data controller, but a third-party payment processing service (like Stripe or PayPal) may be the data processor.
- EU representatives (if applicable): If you process large amounts of data or highly-sensitive personal information, you may be required to appoint an EU representative (also known as an EU data representative) to represent your interests in the EEA.
- Data protection officers (if applicable): You need a data protection officer (DPO) if you are a public body, or your business processes large amounts of data as a core function. DPO’s act as a security executive, and oversee the GDPR compliance of your company.
The basis on which data is being processed
Article 6 of the GDPR establishes the following six legal bases on which data can be lawfully processed:
- With consent of the data subject
- For GDPR legitimate interest
- For the performance of a contract
- To comply with a legal obligation
- To protect the vital interests of the data subject
- In public interest
Our free template includes the section above, which introduces a data policy based on a variety of business purposes.
Automated decision-making and/or auto-profiling
Article 22 of the GDPR explains that individuals have the right not to be subject to a decision made solely by automated processing (without any human involvement). This is a unique requirement of the GDPR, as specifying such decision-making activity was not previously mandated by any privacy law.
To whom data may be transferred
The GDPR requires companies to say who is involved in data processing. You need to list all categories of third-parties, partners, and affiliates with whom data may be shared.
As seen above, if such data sharing could occur as part of a merger or acquisition, you need to state this too.
To which countries data may be transferred
If cookies and other tracking technologies are used
Under the GDPR, information collected via cookies and other tracking technologies (such as pixel tags) is considered personal data.
Therefore, cookies should be listed as a data-collection method, and treated with the same considerations as other methods.
How long data may be stored
The GDPR requires you to state how long data will be stored, and advises you to include the reasoning behind these time periods.
What rights users have under the GDPR
GDPR Articles 12–22 establish the eight fundamental rights of data subjects:
- The right to be informed
- The right to access
- The right to rectification (correction)
- The right to erasure (to be forgotten)
- The right to restriction of processing
- The right to data portability
- The right to object
- The right to not be subject to automated decision making
How users can act on those rights
The list of data subject rights needs to include directions on how users can act upon those rights. GDPR privacy policies should give directions, information, and appropriate links to assist users who wish to act upon any of the rights listed above.
These are all good examples of GDPR privacy policies, but remember that they aren’t templates for GDPR compliance. Copying another company’s clauses without modification will confuse users, and lead to legal trouble.
Contact information for Etsy’s data protection officer is displayed prominently, as are details for its data protection authority.
If users are skeptical about Etsy’s data collection practices — or if they have a complaints — they know exactly who to reach.
You should now have a good idea of what a privacy statement is, and all the key clauses and characteristics it must include to be compliant under the GDPR.
- Small businesses
- Websites (including WordPress)
- Ecommerce platforms (e.g., Shopify, Woocommerce)