Whether you collect personal data directly or via a plugin or SDK, offer goods or services to EU residents, or monitor EU residents' behavior, there are several steps you need to take to comply with the GDPR, including selecting a legal basis for processing data, maintaining a Privacy Policy, and keeping personal data secure.
The GDPR requires applicable entities to only process data to fulfill a legitimate purpose.
To process personal data belonging to EU residents, you must meet one of the following conditions:
Many businesses choose to get consent before processing personal data. Consent must be given freely. You can get consent from users by having them tick a checkbox on your website or app next to a statement that they agree to have their data processed.
You can only process EU residents' personal data for the purposes for which they gave consent and must provide a way for them to withdraw their consent.
Morgenstern Books' account sign-up page includes a checkbox next to a statement that users must consent to its Terms and Conditions agreement and Privacy Policy (which details how it processes users' information) in order to create an account:
A data protection impact assessment will help you determine and analyze the following information:
Your Privacy Policy should be clearly written, easily accessible, and regularly updated, and should be presented to users at the time of data collection. You can use information from your data protection impact assessment to create a Privacy Policy.
A GDPR-compliant Privacy Policy should contain the following clauses:
Even if you are absolutely certain that your website or app doesn't collect personal data directly or through third parties, it's still a good idea to have a Privacy Policy. Maintaining a Privacy Policy on your website or app can show authorities that you are compliant with the GDPR and can help build trust with your audience.
Your Privacy Policy can contain clauses similar to those required by the GDPR, stating that you do not collect or process personal data.
For instance, DVloper's Privacy Policy states that it does not collect personal information, and lists the types of non-personal information it uses:
In another example, InfoDesk's Privacy Policy explains that it does not share personal data, and informs users that it may share other types of information with service providers or in the event of a business transfer:
Puma's Privacy Policy lets users know that it does not knowingly collect children's personal information:
You should implement technological, administrative, and physical security measures to protect the data you collect and process.
If a data breach occurs that could put the individuals the data belongs to at risk, you must quickly notify them about the data breach.
Some organizations are required to appoint a data protection officer (DPO). Even if you aren't required to have a DPO, you should put someone in charge of handling privacy and data protection issues.
You should provide users with a way to exercise their privacy rights.
EU residents have the following rights under the GDPR:
There are a few additional steps you can take to make sure your website or app is fully compliant with the GDPR and any other applicable requirements.
Some plugins like the Google Analytics plugin MonsterInsights can help you comply with the GDPR through add-ons that enable users to customize their privacy features:
Be aware that add-ons cannot ensure compliance with the GDPR on their own. It's important to follow the steps mentioned above for full compliance.
You can write your own Privacy Policy, but using a legal agreement generator can help you create a customized document that caters to your business's unique needs and is designed to comply with applicable privacy laws.
The GDPR applies to organizations that collect personal information from EU residents and entities located outside of the EU that offer goods or services to EU residents or monitor EU residents' behavior.
The GDPR may apply to you even if you don't directly collect users' personal information. If you use plugins or SDKs that collect user data from EU residents, you will need to take steps to ensure GDPR compliance.
You should take the following steps to comply with the GDPR:
A GDPR-compliant Privacy Policy should be clearly written and easily accessible and should contain the following clauses:
In addition to adhering to the GDPR's rules, following these tips can help ensure compliance: