On May 25th, 2018 the General Data Protection Regulation came into effect. The GDPR, as it's known, aims to protect the fundamental privacy rights of data subjects in a world increasingly driven by data. It puts greater requirements on companies who collect and process personal data, to ensure individuals understand what's happening with their data and consent to its use, if necessary. It applies to all companies processing the personal data of data subjects residing in the EU, regardless of where the company is located.

Even before the GDPR, when your company collected personal data from individuals, you needed to notify them of how their data would be used. This was usually done through a privacy policy. Its goal was to explain clearly to individuals what you would do with their information. Under the GDPR, the requirements for privacy notices expanded. A key objective of these requirements is to provide more transparent and accessible information to data subjects about how their personal data is used. The GDPR uses the term "privacy notice", not "privacy policy", to describe this information provided to individuals. This is the term you should use in your document, if you haven't changed that already.

The purpose of this article is to help you make sure that your privacy notice complies with the GDPR. Below is a list of key points that your notice should cover, and some examples or explanations of each.

1-Who you are

  • The name of your company

2-What information you'll collect

  • The data subject's name, email address, etc.

3-How you'll collect the information

  • The individual provides it directly to you
  • You collect it through your website
  • Through third parties (e.g. public websites)

4-Why you're processing the information

  • Explain the legal basis for your processing

Under the GDPR, there are 6 legal foundations for processing data. For example, the data subject is your client and you need to process personal data to provide your services to the individual. Or perhaps you process it based on the individual's consent. Your privacy notice should clearly explain your basis for processing to your data subjects.

Note that if you're relying on the individual's consent to process their data, they must positively opt-in to give you their consent. In order to do that, you should have a box that the individual must check in order to affirmatively consent to this collection and use of their data.

5-When you share the information and why

  • You share the information with your third-party service providers when needed for them to provide services to you, so that you in turn can carry out your own services to the data subjects.

6-Where you store the information

  • Do you store the information on a cloud-based application? Where is this hosted?
  • If you transfer data outside of the EU, what security measures do you follow to protect the data and comply with GDPR regulations on transfers? For example, you only transfer data to a company in the US that is certified under the EU-US Privacy Shield.

7-How long you store the data

  • No longer than necessary to complete the purposes for which you collected the information

8-What measures do you take to protect the data

  • You restrict access to the computers where the data is processed

9-Inform the individual of their rights with respect to the data

  • They can request a copy of the data
  • They can request that it be corrected or deleted
  • They can withdraw their consent to your use of the data

10-How they can contact you for more information

  • Your company's email contact

Finally, a special note about cookies (not the chocolate chip kind).

If the individual is visiting your website, you must explain how you use cookies on your website. Cookies are text files placed on a computer that allow your website to recognize the computer (or other device) and remember the user's preference settings (e.g. French language). You should inform users that they can set their internet browser to not accept cookies, although this could cause some of the services and features of the website to not function properly.

We hope the points above provide helpful guidance that allows you to review your notice. Additionally, keep in mind that your notice must be written in clear, straightforward language, so that individuals easily understand it. If you're processing data of children, additional requirements apply.

For more information, visit https://gdpr-info.eu or https://ico.org.uk.

Originally published September 12, 2018

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.