The General Data Protection Regulation (GDPR) is a piece of EU legislation that aims to give EU residents more control over their data. Under this regulation, organizations that handle the data of EU residents have to comply with data and privacy rules.
- 1. What is the GDPR and why are you required to comply with it?
- 3.1. Who Your Data Controller is and Contact Information
- 3.2. Who your DPO is and Contact Information
- 3.3. Whether You Use Data to Make Automated Decisions
- 3.4. Inform Users of the 8 Rights They Have Under the GDPR
- 3.5. Whether You Transfer Data Internationally
- 3.6. What's Your Legal Basis for Processing Data
- 4. How to Get Consent
- 5. Conclusion
What is the GDPR and why are you required to comply with it?
The GDPR is a new data and privacy security law developed by the European Parliament and Council to protect the data rights of EU citizens. Companies (including websites, mobile apps, desktop apps, etc.) that do business with EU citizens are affected by this regulation.
On May 25, 2018, the GDPR replaced the existing data protection law, i.e. the Data Protection Directive, which had been in effect since 1998. If your company collects or processes the data of EU citizens, you are required to comply with this regulation. Non-compliance can result in hefty fines of up to €20 million or four percent of annual revenues, whichever is higher.
One of the key aims and requirements of the GDPR is to keep EU citizens informed of how businesses collect, use, share, secure and process their personal data.
Under the GDPR, you are required to inform your customers about why you are processing their data and how long you will store it. You must tell them in plain and clear words how you use their data.
Before the GDPR, it was accepted and expected that most Privacy Policies would have the following information:
- What personal information you collect
- How you collect it
- What you use it for
- How you keep it secure
- Whether you share it with third parties
- Any controls users have over any of this
Who Your Data Controller is and Contact Information
If you control the personal information of your customers or you process it for some other company, inform your customers about it. Tell them who you are and what your role is when it comes to their data.
In this example, Slack, a cloud-based company, informs its users that its Irish-based company controls and processes authorized users' information for customers outside the US and Canada. It also mentions that its US-based company controls and processes authorized users' information for customers in the US and Canada.
Towergate clearly tells its users that it controls their data. Any information users give is held with Towergate.
Who your DPO is and Contact Information
Not every business is required to have a Data Protection Officer (DPO) under the GDPR.
GitHub has a table in the "Resolving complaints" section of its Privacy Statement that gives the contact information of the DPO.
Whether You Use Data to Make Automated Decisions
If you use automated decision-making (for example, for credit scoring or for profiling users) to provide services or products to your users, disclose this.
This is how Towergate does this:
Inform Users of the 8 Rights They Have Under the GDPR
The GDPR requires you to tell your users about their 8 rights under the GDPR, which are:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights related to automated decision making and profiling
Or, you can address each right in a separate clause with more personalized details.
Here's an example of a clause from uSwitch that addresses user rights under the GDPR:
uSwitch tells its customers about their right to stop the processing of their personal information for marketing purposes. Users can exercise this right by ticking or unticking boxes in forms when their data is collected, or later via email.
Twitter also has a separate clause for accessing and rectifying personal data that instructs users how to rectify their personal data directly through the account settings page.
Whether You Transfer Data Internationally
Debenhams illustrates it in this way:
Debenhams informs its users that it transfers user data to a third party located outside the European Economic Area (EEA). It also tells its customers that it will comply with the Data Protection Act 1998 in such transfers.
What's Your Legal Basis for Processing Data
The GDPR requires you to give a legal basis for processing personal data of customers. There are 6 legal bases, which are as follows:
- The data subject has given consent to the processing
- Processing is necessary for performance of a contract between the two parties
- Processing is necessary for compliance with a legal obligation
- Processing is necessary to protect the data subject's vital interests
- Processing is necessary in order to protect a public interest or exercise official authority
- Processing is necessary for the purpose of legitimate interests, so long as fundamental rights and freedoms aren't infringed
The sixth basis is a common legal basis, as what counts as a "legitimate interest" is very broad.
This information will typically be in a clause about "How we use information we collect" such as in this example from Trello:
Trello also has a clause dedicated specifically to the Legal bases for processing (for EEA users):
How to Get Consent
If you use consent as your legal basis to collect personal information, it's recommended that you use checkboxes and clickwrap. This will help make sure you get adequate affirmative consent. You must ask for and obtain clear consent in cases where the information collected is of a very sensitive nature, such as health data or religious affiliation.
Here are some examples that demonstrate how to obtain user consent.
Sainsbury's uses a checkbox to ask for users' consent and also links to its Terms and Conditions page. It also asks permission for sending other information to the user with a simple yes/no radio button.
You'll also need to make your consent requests more robust with checkboxes, Agree buttons and clear text surrounding these features that informs users what exactly they're agreeing to.