In the last year, you’ve probably noticed your email inbox filling up with notices about updated privacy policies. In April 2016, the European Union adopted the General Data Protection Regulation (GDPR), which went into effect on May 25, 2018. If your website collects personal data from people in the EU or the wider European Economic Area, you must comply with the GDPR even if your business is located in the United States or another non-EU country.
On the day the GDPR took effect, privacy complaints were filed against Facebook and Google with European data protection regulators, seeking fines that press reports totaled at roughly $8.8 billion. These are regulatory complaints rather than court lawsuits, and the issue they raise is “forced consent”: users had to accept the new terms and share their personal data or be locked out of the services.
As your business grows and changes, the privacy policy that worked in the beginning may no longer match what you actually do with data. When in doubt, hire a lawyer and make sure your policies line up with the laws that apply to you and protect both you and your customers.
Don’t hide your policies behind tricky language or bury the documents where nobody will find them. Viacom faces a lawsuit alleging the company collected personal information from minors playing its “Llama Spit Spit” smartphone game. Viacom’s lawyers argued that the app’s store description contained an arbitration clause, but the judge found the clause was not reasonably conspicuous: it was buried deep in the fine print where users were unlikely to see it, so the court refused to enforce it.
The lesson here is to be upfront with your users and make sure they understand and agree to the policies in place before they use your product or service. Take particular care with minors, and collect only the information you genuinely need to do business (the GDPR calls this data minimisation).
Make Your Current Policy GDPR Compliant
The GDPR has 99 articles; Chapter III (Articles 12 to 23) sets out the rights of data subjects, the people whose data you hold, and Articles 13 and 14 list what you must tell them when you collect it. Most of what a privacy policy needs to say follows from those articles. Here are a few of the vital changes:
- You’re responsible for protecting the personal data you collect and for being able to demonstrate that you handle it lawfully (the accountability principle, Article 5(2)). That means knowing what you hold, why you hold it, how long you keep it, and who you share it with.
- State each right the GDPR grants data subjects (access, rectification, erasure, restriction of processing, data portability, objection) and explain plainly how a user exercises it, along with the lawful basis for each kind of processing, how to withdraw consent, and how to complain to a supervisory authority.
Run your current policy through the GDPR articles point by point and make sure every required item is covered.
12 Steps to GDPR Compliance
Ireland’s Data Protection Commission (DPC) publishes a 12-step guide on its website to help organizations understand what compliance involves. Condensed, those steps include:
- Awareness — Make sure the people who make decisions in your organization know the GDPR applies to you, and review where your data-handling risk lies.
- Accountability — Take an inventory of the personal data in your files: what it is, where it came from, why you have it, and who you share it with. Decide whether you still need each item and whether it is kept securely.
- Communicate — Review your privacy notices and tell people clearly how you use their personal information and on what lawful basis.
- Review Rights — Make sure your processes can actually honor the rights the GDPR grants individuals, not just that your policy mentions them.
- Handle Requests — Users have a right to access the data you hold on them and, in many circumstances, to have it erased. You must act on a request without undue delay and in any case within one month. That period can be extended by up to two further months for complex or numerous requests, but only if you tell the requester within the first month and explain why.
- Understand Legalities — Every processing activity needs a lawful basis under Article 6, and consent is only one of six. If you rely on consent, it must be freely given, specific, informed and unambiguous, and as easy to withdraw as it was to give; pre-ticked boxes and consent bundled into unrelated terms don’t count. If you’re unsure after reviewing the GDPR documentation, enlist the help of a professional.
- Minors — Under Article 8, if you rely on consent to offer online services directly to a child, the consent must come from the holder of parental responsibility where the child is under 16 (member states may lower this to 13), and you must make reasonable efforts to verify it rather than assuming permission is there. As in Viacom’s case, minors may not be aware of privacy policies or understand what they are agreeing to.
- Protection — The goal of privacy law is protecting individuals. Build data protection into your systems by design and by default (Article 25): collect the minimum, restrict who can access it, and run a data protection impact assessment before starting any high-risk processing (Article 35).
- Breaches — You must report a personal data breach to your supervisory authority within 72 hours of becoming aware of it, unless the breach is unlikely to pose a risk to individuals (Article 33). When the breach is likely to pose a high risk to the people affected, you must also notify them without undue delay (Article 34), describing what happened, the likely consequences, and the measures you have taken to address it. Keep a record of every breach, including those you decide not to report.
- Data Protection Officers — You must appoint a DPO if you are a public authority, if your core activities involve regular and systematic monitoring of people on a large scale, or if you process special categories of data (health, biometrics, political opinions and the like) on a large scale (Article 37). Many small businesses fall outside these criteria, though you can still appoint one voluntarily. Whoever holds the role needs to understand the regulation, report to top management, and be free of conflicts of interest, which usually rules out the business owner or anyone else who decides how personal data is used.
- One Stop Shop (OSS) — This sounds complicated but is straightforward: if you process personal data across more than one EU member state, you deal mainly with a single lead supervisory authority, the one in the country of your main establishment, which is where decisions about the purposes and means of processing are made (Article 56). A company that makes those decisions in Dublin, for example, would have the Irish DPC as its lead authority.
Work through the steps above, and you’ll be well on your way to GDPR compliance.
Review Other Laws
New laws and regulations pop up all the time, and court cases keep changing the way we do business online. On January 1, 2020, the California Consumer Privacy Act (CCPA) takes effect for larger companies (roughly, those with annual revenue over $25 million, those handling the personal information of 50,000 or more consumers, households or devices, or those earning most of their revenue from selling personal information). It requires businesses to tell consumers what personal information they collect and why, and to let them opt out of its sale. It also adds protection for minors: the personal information of consumers under 16 can only be sold with opt-in consent, and for children under 13 that consent must come from a parent or guardian.