On May 25th, 2018 the General Data Protection Regulation came into effect. The GDPR, as it's known, aims to protect the fundamental privacy rights of data subjects in a world increasingly driven by data. It places greater obligations on companies that collect and process personal data, so that individuals understand what is happening with their data and, where consent is the basis for processing, have actually agreed to it. It applies to any company processing the personal data of data subjects who are in the EU, regardless of where the company itself is located.
The purpose of this article is to help you make sure that your privacy notice complies with the GDPR. Below is a list of key points that your notice should cover, and some examples or explanations of each.
1-Who you are
- The name of your company
2-What information you'll collect
- The data subject's name, email address, etc.
3-How you'll collect the information
- The individual provides it directly to you
- You collect it through your website
- Through third parties (e.g. public websites)
4-Why you're processing the information
- Explain the legal basis for your processing
Under the GDPR there are six lawful bases for processing personal data (Article 6). For example, the data subject is your client and you need to process their personal data to provide your services to them (performance of a contract), or you process it on the basis of the individual's consent. Your privacy notice should clearly state which basis you rely on for each purpose.
Note that if you rely on the individual's consent to process their data, they must positively opt in. A pre-ticked box, silence or inactivity does not count as consent: provide an unticked box that the individual must check to affirmatively agree to this collection and use of their data, and keep a record of when and how they did so, since you must be able to demonstrate that consent was given and withdrawing it must be as easy as giving it.
5-When you share the information and why
- You share the information with your third-party service providers (for example a hosting or email provider) only when they need it to provide services to you, so that you in turn can deliver your own services to the data subjects.
6-Where you store the information
- Do you store the information in a cloud-based application, and where is it hosted?
- If you transfer data outside the EU, what safeguards do you rely on to protect the data and comply with the GDPR's rules on international transfers? Examples are an adequacy decision covering the destination country, or standard contractual clauses agreed with the recipient. Note that the EU-US Privacy Shield, the mechanism commonly cited when this article was written, was invalidated by the Court of Justice of the EU in July 2020 (the Schrems II judgment), so a notice that still relies on it needs updating.
7-How long you store the data
- No longer than necessary to complete the purposes for which you collected the information
8-What measures you take to protect the data
- For example, you restrict access to the systems where the data is processed to staff who need it, encrypt the data in transit and at rest, and keep logs of who accessed it
9-Inform the individual of their rights with respect to the data
- They can request a copy of the data
- They can request that it be corrected or deleted
- They can withdraw their consent to your use of the data at any time, where consent is your basis for processing
- They can lodge a complaint with a supervisory authority
10-How they can contact you for more information
- Your company's email contact
Finally, a special note about cookies (not the chocolate chip kind).
We hope the points above help you review your notice. Keep in mind that the notice must be written in clear and plain language so that individuals can easily understand it, and if you process children's data, additional requirements apply.
Originally published September 12, 2018
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.