The GDPR (General Data Protection Regulation) is the regulation within European law that provides data protection to all individuals in the European Union or the European Economic Area.
Europe's GDPR rules are the world's strongest data protection rules. The legislation builds on the first data protection rules introduced in the 1990s by integrating technological advances and knowledge about how tech companies process data.
In most cases, the GDPR doesn't mean you need to change everything about the way you process data. Instead, it's an evolution in data protection. Many businesses already comply with the GDPR by using encryption, reporting data breaches, and limiting the data they capture.
People now have more rights to access the data companies hold about them.
There's also greater accountability for businesses to uphold secure and transparent data processing and management practices. The hallmark of the EU's accountability system is a tier of fines ranging from 2 to 4 percent of total global turnover for the worst offenders.
Although the GDPR features thousands of technical details, the spirit of the law is transparency and accountability.
After all, poor data practices take a toll on data subjects. Breaches, over-sharing, and poor collection practices dramatically undermine European citizens' reasonable expectations of privacy.
The GDPR holds two principles in high regard: data processor obligations and data subject rights.
Data processors find their obligations laid out in Article 28:
Data subjects find their rights listed in Chapter 3: Rights of the data subject. Their rights include:
Finally, there are the six privacy principles of the GDPR:
The GDPR comes with a large number of principles and rights to learn, but getting acquainted with them helps you build a compliant GDPR Protection Policy and better understand the impact your processes and procedures have on your ability to operate.
Your Data Protection Policy should outline the way you comply with the obligations and rights addressed by the GDPR.
Let's get started.
After introducing your company and your GDPR Protection Policy, you'll fill out the following sections with the relevant details from your GDPR preparedness plan.
You need to disclose what types of data you collect from data subjects. Make the list as complete as possible and update it regularly. Failure to provide transparency about the data you collect is a GDPR violation.
Some of the types of data you may collect include:
TK Maxx, a retailer with physical and digital footprints in the EU, added its complete list of information collected:
As you can see, the list is granular and includes specific examples of the data it keeps in its database. Your list should also name the data you hold explicitly. This becomes simpler when you collect only the data you actually need, which the GDPR also requires.
Do you collect only data provided directly by users, or do you source data from a third party? However you collect it, you also need to disclose the mechanisms by which you obtain your data.
Topshop, a global retailer, combines the "How Data Is Collected" section with the list of data categories it collects.
The method works well for Topshop because the types of data it collects are completely intertwined with its collection methods. Topshop tends to go light on the details, but it implies what types of data it will collect and use.
Forbes includes a clause titled "Voluntary Submission" that breaks down the ways a user may submit information to the company, including when the company asks for it or through a member profile page the user creates:
The GDPR requires you to have an imminent use for all the data you collect. In other words, if you don't need it soon, then don't collect it. Data minimization is a key part of data security for the legislation.
Expect to list, roughly or explicitly, how you intend to use the data and to what end.
Marie Claire Boutique, an online retailer, discloses how it uses personally identifiable information, for example to improve products and services:
River Island, a UK-based retailer, takes a more granular approach to account for the data it collects from users. It comes in the form of an extensive, bullet-point list:
River Island lists specific instances when user data comes in handy. Most of them refer to essential business practices like responding to refund requests, delivering orders, and processing payments.
You need a legal basis for every piece of data you collect. GDPR Article 6 covers the lawfulness of processing and lists these six legal bases:
If the data you collect doesn't fall under one of these legal bases, then you aren't allowed to collect that data. You need to find a basis for every category of data you collect, which you should do as part of your pre-GDPR audit and processing plan.
Costa Coffee, a European coffee chain, shares its legal basis of legitimate interests and gives details about its reasoning:
Costa Coffee also collects some data under the legal basis of Consent. The organization differentiates between what data it collects under this basis and how it might use the data:
Marriott International provides a brief overview of its security practices within its policy:
Marriott not only shares that it uses "reasonable" measures, but also encourages customers to get in touch if they fear their data has been compromised.
Starbucks also provides a similarly short data security section, noting its use of protective measures.
Like Marriott, it makes a point to say that no technology is perfect and none can offer 100 percent security. These statements are important for liability and do not violate the GDPR.
If you share the data you control or process with any other party, you need to disclose this in your policy.
Generally, you need to:
Customers need to know that you don't hand out their data like candy.
As you can see, EE doesn't name its service providers and partners specifically, but it acknowledges it works with other companies and commits to remaining the data controller in each scenario.
Article 37 of the GDPR requires some groups to nominate a Data Protection Officer. It is mandatory whenever you are a public authority or body and you process the personal data of EU citizens.
You'll also need a Data Protection Officer if you:
The Health Service Executive, the Republic of Ireland's health body, is a public body and is therefore required to appoint a Data Protection Officer. It lists the details in its Data Protection Policy here:
You can simply state that you have appointed a Data Protection Officer and provide the contact details for the DPO.
Do you use software or a web application that makes decisions about customers without human intervention? If so, European citizens have a right to know, and you need to explain how they can obtain human intervention.
Article 22 provides a right not to be subject to decisions based solely on automated processing, including profiling. It applies when the decision produces legal effects for the data subject or similarly significantly affects their life.
The most common automated decision-making activities tend to relate to finance. If you offer financing on your site or you are a financial institution, then you'll need this section.
Bank of Ireland performs a substantial amount of automated analysis of data. Its uses include:
Because of this, the bank's section on automated processing is substantially longer than that of an organization that uses automated processing only occasionally:
Even if you don't intend to use profiling or another processing activity covered under Article 22, you might choose to include such a clause anyway.
OSP Cyber Academy explains that it does not engage in automated decision-making under its User Rights section:
The GDPR affords users eight rights:
Your role as a data processor is not only to support these rights but also to make users aware of them. When users know their rights, they are better able to exercise them.
These rights come up over and over throughout your Policy in one way or another. You should, however, list these rights explicitly within the text.
Many compliant organizations choose to list them under their own heading for maximum transparency.
Virgin Media lists each of the rights and provides a form that users can use if they wish to exercise any of them:
If you send data outside of the EU, you need to share those practices to provide data subjects the opportunity to make an informed decision about sharing their data with you.
You need to disclose whether you send data abroad, whether you rely on any data transfer treaties or agreements, and why you send the data away.
EE, which we looked at earlier, is part of BT Group, an international telecommunications operation with a footprint across the world. As such, it processes data outside the EU, typically in India and the Philippines. The company shares where it processes data and to which countries it may disclose user data:
The GDPR also brought in new regulations for the protection of personal data of children. The GDPR lists the age of consent for children at 16, but member states have the latitude to change the limit to as low as 13.
If your site is accessible to children and you provide a service that attracts children and teens, address it in your policy.
Twitch TV, a video game service, attracts children of all ages and directly addresses children's privacy requirements in its policy. It implores children under 13 not to use any Twitch service for any reason at any time:
It also provides a section directly related to the GDPR by stating that it will "not knowingly engage in that processing for users under the age of consent established by applicable data protection law."
It discloses that it will stop processing the data as soon as it realizes it has inadvertently processed data of children below the age of consent, and will remove the data.
These statements are helpful because they recognize that EU states may set different age limits. They also acknowledge that Twitch may accidentally process such data and put in place a procedure to remove it, which keeps the organization's data processing procedures GDPR-compliant.
Cookies collect personal data and thus are covered by the GDPR.
Waitrose includes cookies in its clause about what types of personal information it collects:
UK retailer Sainsbury's provides a separate section for cookies: