How to Comply With GDPR

Whether you collect personal data directly or via a plugin or SDK, offer goods or services to EU residents, or monitor EU residents' behavior, there are several steps you need to take to comply with the GDPR, including selecting a legal basis for processing data, maintaining a Privacy Policy, and keeping personal data secure.

Choose a Legal Basis for Processing Data

The GDPR requires applicable entities to process personal data only to fulfill a legitimate purpose.

To process personal data belonging to EU residents, you must meet one of the following conditions:

  • You have an individual's consent to process their data
  • You need to fulfill a contractual obligation with the individual
  • You need to fulfill a legal obligation
  • You need the data to protect the individual's vital interests
  • You need to process the data for the public interest
  • You need to process the data for your business's legitimate interests, provided the processing doesn't impact an individual's rights or freedoms. You must conduct a privacy impact assessment if you are processing personal data for your business's legitimate interests.

Many businesses choose to get consent before processing personal data. Consent must be given freely. You can get consent from users by having them tick a checkbox on your website or app next to a statement that they agree to have their data processed.

You can only process EU residents' personal data for the purposes for which they gave consent and must provide a way for them to withdraw their consent.

Morgenstern Books' account sign-up page includes a checkbox next to a statement that users must consent to its Terms and Conditions agreement and Privacy Policy (which details how it processes users' information) in order to create an account:

Morgenstern Books sign-up form with Agree checkbox highlighted

Conduct a Data Protection Impact Assessment

A data protection impact assessment will help you determine and analyze the following information:

  • Why you process data
  • The types of data you process
  • Who has access to the data within your organization
  • The location and categories of third parties that have access to the data
  • How you keep the data safe
  • When you will erase the data

Maintain a Privacy Policy

Your Privacy Policy should be clearly written, easily accessible, and regularly updated, and should be presented to users at the time of data collection. You can use information from your data protection impact assessment to create a Privacy Policy.

A GDPR-compliant Privacy Policy should contain the following clauses:

  • How and why you collect or process personal data. This clause explains how you collect personal data and what you do with it.
  • Who you share personal data with. This clause lists the types of third parties you share data with.
  • How you keep data safe. You should explain the steps you take to keep the data you collect secure.
  • How you handle data belonging to children. This section of your Privacy Policy explains how you treat personal data that belongs to children.
  • How users can exercise their rights. You should let users know how they can exercise their rights, including how they can withdraw their consent or opt out of certain data processing activities.
  • Your contact information. You should let users know how they can contact you with privacy-related questions or concerns.
  • Your retention policies. This part of your Privacy Policy should explain how long you retain personal data.

Even if you are absolutely certain that your website or app doesn't collect personal data directly or through third parties, it's still a good idea to have a Privacy Policy. Maintaining a Privacy Policy on your website or app can show authorities that you are compliant with the GDPR and can help build trust with your audience.

Your Privacy Policy can contain clauses that parallel those the GDPR requires, stating that you do not collect or process personal data.

For instance, DVloper's Privacy Policy states that it does not collect personal information, and lists the types of non-personal information it uses:

DVloper Privacy Policy: User Collected Information clause

In another example, InfoDesk's Privacy Policy explains that it does not share personal data, and informs users that it may share other types of information with service providers or in the event of a business transfer:

InfoDesk Privacy Policy: Sharing Your Information Clause

Puma's Privacy Policy lets users know that it does not knowingly collect children's personal information:

Puma Privacy Policy: Children's privacy clause

Keep Data Secure

You should implement technological, administrative, and physical security measures to protect the data you collect and process.

If a data breach occurs that could put at risk the individuals whose data is affected, you must notify them about the breach promptly.

Appoint a Privacy Officer

Some organizations are required to appoint a data protection officer (DPO). Even if you aren't required to have a DPO, you should put someone in charge of handling privacy and data protection issues.

Honor Privacy Rights

You should provide users with a way to exercise their privacy rights.

EU residents have the following rights under the GDPR:

  • The right to be informed about how their data is used
  • The right to access their data
  • The right to rectify their data
  • The right to delete their data
  • The right to restrict data processing
  • The right to data portability
  • The right to object to the processing of their data

Compliance Tips

There are a few additional steps you can take to make sure your website or app is fully compliant with the GDPR and any other applicable requirements.

Use Compliant Plugins

Some plugins like the Google Analytics plugin MonsterInsights can help you comply with the GDPR through add-ons that enable users to customize their privacy features:

MonsterInsights website screenshot

Be aware that add-ons cannot ensure compliance with the GDPR on their own. It's important to follow the steps mentioned above for full compliance.

Use a Legal Agreement Generator

You can write your own Privacy Policy, but using a legal agreement generator can help you create a customized document that caters to your business's unique needs and is designed to comply with applicable privacy laws.

Summary

The GDPR applies to organizations that collect personal information from EU residents and entities located outside of the EU that offer goods or services to EU residents or monitor EU residents' behavior.

The GDPR may apply to you even if you don't directly collect users' personal information. If you use plugins or SDKs that collect user data from EU residents, you will need to take steps to ensure GDPR compliance.

You should take the following steps to comply with the GDPR:

  • Choose a legal basis for processing data
  • Conduct a data protection impact assessment
  • Maintain an easily accessible Privacy Policy
  • Keep the data you collect safe
  • Appoint a DPO or privacy officer
  • Honor users' privacy rights

A GDPR-compliant Privacy Policy should be clearly written and easily accessible and should contain the following clauses:

  • How and why you collect and process personal data
  • Third parties you share personal data with
  • How you keep personal data secure
  • What you do with children's personal data
  • How users can exercise their rights
  • How users can contact you

In addition to adhering to the GDPR's rules, following these tips can help ensure compliance:

  • Use compliant plugins
  • Use a legal agreement generator to create a GDPR-compliant Privacy Policy