GDPR Compliance Policy

The aim of this article is to spread awareness and help small businesses, and your industry to understand General Data Protection Regulation (GDPR) and make your own GDPR compliant policy to prevent you from getting charged with heavy fines.

If you’re reading this, I’ll assume you already know what the General Data Protection Regulation (GDPR) is. If not here’s a brief explanation. It’s a reform introduced by the European Union to promote the overall security of the data the citizens submit to organizations, to prevent it from being exploited and misused in any sort.

What does it mean to GDPR for businesses?

It does not matter if you have 1 or 100 individuals hired as staff members, GDPR applies to every organization whether it is a private or small company.

When it comes to protecting data and information, the study suggests that small organizations and companies are the ones that will be least prepared for GDPR. They essentially don’t have sufficient energy or assets to devote to conveying their frameworks up to GDPR compliance standards.

Actually private ventures or small organizations process the same amount of data as huge organizations. Under the responsibility guideline for the General Data Protection Regulation, the data controller which in this case, is you as an individual or a company has to exhibit GDPR compliance accordingly.

It doesn’t matter if you are an entrepreneur, you are expected to be compliant with the GDPR reforms. It isn’t anything bad actually, you might actually increase your productivity and get a good return on investment.

How to make your business GDPR compliant?

In order to make your business GDPR compliant, you should have a clear idea about how and what information do you store, how it is managed and who oversees the information that is being stored. It’s the same for small organizations and businesses as well, you have to take a gander at how you are storing customer data in your databases.

This process is called ‘data mapping’.

Do you require agreements set up with customers you’re as of now transacting with?

If you use a cloud service, to store your data, under the GDPR reforms you have to sign an agreement with the individual that is holding that information on your behalf. In this case, it would the owner of the cloud storage service, and that individual will be treated as a data processor.

Under the old data protection laws, you didn’t require a composed agreement with customers and data processors, now you do.

While making a GDPR compliant policy, please make sure to remember to keep everything concise, easy to understand and transparent for the end-consumer of your services. It is mentioned in the  GDPR with great emphasis on the simplicity of policies.

Having an informative, yet concise and user-friendly user policy completes the necessities required to be compliant with the GDPR reforms.

Privacy Policy – Why is it important?

All around the world, it is made necessary for organizations to have a privacy policy in place by data protection laws. Chances of having this document already in place on your website are very high, however, you do not have to delete and make a new one from scratch. You can make amends to the previous one and update it to be compliant with the GDPR reforms.

A Privacy Policy enlightens the user with the following information:

  • What personal data do you collect?
  • How and why do you collect that data?
  • How do you use that data?
  • How do you secure it?
  • Do third parties have access to it?
  • Do you store or use cookies?
  • How can a user control any aspect of this?

In the past, privacy policies contained pages of legal dense documents which were very hard to comprehend. GDPR is working to avoid that intimidation and make everything user-friendly and understandable for the end user while going through a privacy policy of an organization.

If you already have a Privacy Policy in place on your website for your organization, you have to make sure to update your current Privacy Policy by cutting out the difficult parts, using clear language to make it GDPR compliant.

Following points to add in a GDPR Compliant Policy

Apart from those seven standard points stated above, to be GDPR compliant, you must add these points to your privacy policy as well. You do not have to highlight each point separately, as long it is mentioned in your privacy policy in comprehensible language, you are considered to be compliant with the GDPR reforms.

  • Identify yourself as a Data Controller or a Data Processor (or both)

The data controller is the individual or the company that decides for what reason and how the data submitted by the consumers will be handled.

The data processor is an individual or an organization that is processing personal data on behalf of the controller. The data processor is most likely to be a third-party organization working with the company, such as payment gateways or processors.

  • Contact Information of your Organization

Your privacy policy should contain your contact information, where the end consumer can contact if he wants to ask questions, regarding your policies or for customer support. If you do not have it in your policy, it’s a fairly easy edit to make.

If you have hired a Data Protection Officer (DPO), you must state the relevant contact information of that individual as well.

  • You must inform the users of the 8 rights they have under the GDPR

The following eight user rights are very important and are required to be addressed in any privacy policy, it is a necessity made by GDPR in order to become compliant. It is however not required for you to explain these eight rights in a separate clause, but they should be addressed in some way in your privacy policy.

User Rights:

  1. The right to be informed. The organization must be transparent in how they are utilizing the personal information. Personal data may include data such as work email and work mobile if they belong to a specific individual.
  2. The right of access. Individuals will have the right to know what information is being held and will be processed in what way.
  3. The right of rectification. Individuals will have the right to change personal data if it is inaccurate or incomplete.
  4. The right to erasure. The right of erasure is also known as the right of being forgotten. Individuals will have the right to have their personal data removed or deleted without the need for a specific reason to be submitted back.
  5. The right to restrict processing. An individual will have the right to block or stop the processing of their personal data.
  6. The right to data portability. This allows an individual to retain and reuse their personal data for their own purpose.
  7. The right to object. This right allows the individual to object to their personal data being used.
  8. Rights of automated decision making and profiling. The GDPR has implemented different measures to protect individuals against the risk of making a potentially dangerous decision without human intervention.

What is your purpose of collecting the data?

According to the GDPR reforms, it is necessary for an organization to address the purpose of collecting data from their consumers. Even if it is an email for communication or a physical address for billing. Every purpose should be defined clearly.

Do you transfer data internationally?

If your business or organization transfers personal data to a different country or to a different international organization, you have to let your users know about it. Even if it’s an international branch of your organization, you are still viable to tell your users about that transmission of data.

You must also include an explanation and description of the security measures you have selected and implemented for the international transmission of data. You also have to state how the end user can attain a copy of those measures for themselves.

The legal basis of processing data?

Under the GDPR reforms, you are required to have a lawful basis for processing any kind of personal information from your consumers. There are six available lawful bases, the data you process must fall under one of these categories in order to be compliant with the GDPR reforms.

  1. The data subject has given permission to the processing of his or her personal data for one or more purposes.
  2. Processing is necessary for the performance of a contract to which the data subject or the user is a party or in order to take steps at the request of the data subject being prior to entering into a contract;
  3. Processing is important for compliance with a legal obligation to which the controller is subject;
  4. Processing is important in order to protect the vital interests of the data subject or another person;
  5. Processing is required for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
  6. Processing is necessary for the purposes of the legitimate interests pursued by the controller or the data subject.

The two most common would be:

  1. The subject or the user has given consent to have data processed for the specific purpose.
  2. Processing is necessary for pursuing a legitimate interest.

Do not forget to state the information regarding the interest that you are processing the data for in your privacy policy.

  • Consent

Consent is when a website owner, takes permission to save your data. It is used by many website owners and organizations as a legal base to collect data. If you have a legitimate interest, you do not require a consent to collect and store data.

When getting consent, usage of check boxes is important. This will require the user to tick the checkbox stating that he/she is agreeing to submit their data. Make sure to write what the user is agreeing to clearly.

  • Privacy Notice

A privacy notice is a short, straightforward and a notice full of useful information that allows the user to understand why and what kind of data you are collecting. These notices should be added to the point where you are requesting the data to be collected from.

Final Words:

  • It is fairly easy to say, that GDPR wants you to drop the legal and dense language in the privacy policy. Usage of easy to understand language is required.
  • Aiming to be GDPR compliant? Make sure to update and make the necessary changes required by the side of the GDPR reforms.
  • Usage of checkboxes while collecting the data from users is a good way to get consent and stay out of trouble.

By following the guideline above and adding the points necessary in your own privacy policy. You are compliant with the rules and regulations of GDPR and you do not have to worry about being penalized.