In the last year, you’ve probably noticed your email inbox filled with notes about updated privacy policies. In 2016, the European Union adopted the General Data Protection Regulation (GDPR), which went into effect on May 25, 2018. If your website collects information from people who live in any of the dozens of countries covered by the GDPR, you must stay compliant, even if you are based in the United States or another non-EU country.

Even though GDPR compliance is the reason you’ve seen so many privacy policy update notices, reviewing your privacy policy protects you and informs consumers about what you do with their information and how you protect it.

How Often Should You Update Your Privacy Policy?

New laws come into existence from time to time, as is the case with the GDPR. Updating your privacy policy and ensuring you comply with laws protects you from lawsuits.

In one court case, True.com attempted to sell their database of daters to another dating website for $700,000. Unfortunately for the company, they had promised never to sell or disclose their users’ emails within their privacy policy. The Texas Attorney General stopped the sale of the site because the privacy policy was a contract.

Facebook and Google face $8.8 billion lawsuits for non-compliance with the GDPR. The issue stems from users being forced to share personal data or denied access to the services offered by Google and Facebook.

As your business grows and changes, the privacy policies that worked in the beginning may no longer work. When in doubt, hire a lawyer and ensure your policies line up with existing laws and protect both you and your customers.

Although new laws arrive slowly, plan on checking your privacy policy at least once a year to ensure everything is in order. Always inform users of any changes and get their agreement to the new policy.

Choose Transparency

Don’t try to hide your policies in tricky language or place your documents in hard-to-find places. Viacom faces a lawsuit stating the company collected personal information from minors playing the “Llama Spit Spit” game on their smartphones. Viacom lawyers argued there was an arbitration clause in the app’s description, but the judge said the clause wasn’t easy to find and was buried deep in the fine print where people weren’t likely to see it.

The lesson here — be upfront with your users and make sure they fully understand the policies in place before they use your product or service. Protect minors in particular and only collect the information you absolutely must have to do business.

Make Your Current Policy GDPR Compliant

The GDPR has 99 different articles explaining the rights of consumers. There are many things business owners should include in their privacy policies. Here are a few of the vital changes:

  • Your privacy policy should be easy for the average person to read and understand.
  • You’re responsible for protecting the information you collect and monitoring its use.
  • Add the consumer rights points from the GDPR and explain each one.

Run your current policy through the filter of the GDPR articles and cover all the points.

12 Steps to GDPR Compliance

The Data Protection Commission provides 12 steps on its website so that organizations can understand what compliance requires. Those steps include:

  1. Awareness — Review your risk management.
  2. Accountability — Review the personal data in your files. Figure out if you still need it and if you’re keeping it safe.
  3. Communicate — Review your privacy notices and inform people about the ways you use their personal information.
  4. Review Rights — Make sure your policy complies with the personal rights outlined in law and regulations involving personal data.
  5. Handle Requests — Users now have a right to request that their information be deleted, and you must respond to and handle the request within 30 days.
  6. Understand Legalities — Consent and data collection get a bit tricky under the GDPR and other policies in the works, and working out whether you meet GDPR standards can be confusing. If you’re unsure after reviewing the GDPR documentation, enlist the help of a professional.
  7. Understand Consent — The basis of the Facebook and Google lawsuits is the idea that people weren’t given a chance to consent but were forced to accept the two companies’ terms of use. Make sure you actually obtain consent rather than forcing compliance, and have an alternative path for users who decline to share private data.
  8. Minors — Make sure your site protects minors and gets consent from guardians rather than simply assuming the permission is there. As in Viacom’s case, minors may not be aware of privacy policies or understand key factors in using your website or app.
  9. Protection — The goal of privacy laws is protecting the individual rights of consumers. Focus on protecting your site visitors and their information.
  10. Breaches — You must report any data breaches to the people whose information you hold and let them know what steps the company took to prevent a data breach in the future.
  11. Data Protection Officers — You’re required to name someone as a DPO. For small businesses, this might be whoever owns the business. The DPO needs to understand the regulation and work hard to protect personal information.
  12. One Stop Shop (OSS) — This sounds complicated but is basically the place where your business makes data processing decisions. If you are the DPO and you make your decisions in Ireland, then your OSS might be located in Dublin, for example.

Follow the 12 steps above, and you’ll be well on your way to GDPR compliance.

Review Other Laws

New laws and regulations pop up all the time, as do court cases that change the way we do business online. In January 2020, the CCPA (a California law) goes into effect for larger companies and requires companies to inform consumers of the personal information they’re collecting. The law also adds protection for minors under 16 years of age.

The Internet is a rapidly changing animal — the rules or lack of rules that worked twenty years ago no longer work today. Stay current on changes to privacy policies and data protection by reading widely across business journals and update your privacy policy when it makes sense to do so. If you focus on protecting your site visitors, then the rest of your policy will naturally comply with rules and regulations.