The EU's new regulation -- The General Data Protection Regulation, or GDPR -- imposes strict rules for handling personal information collected through websites, mobile apps, SaaS platforms and ecommerce stores.
If your business owns or manages a website or app that collects or handles personal information from EU citizens, you must comply with the GDPR. Failure to comply can lead to costly penalties.
This article will walk you through the important considerations and preparations necessary to get your internal procedures and Privacy Policy ready for the GDPR.
The GDPR exists to limit the collection of personally identifiable information from EU residents so that only what is needed to conduct business is collected.
Additionally, the GDPR increases the requirements for protecting personal consumer data and educating consumers of their rights and risks.
In order to assess your existing data handling procedures, you must first identify all of the types of data you are collecting from your website visitors. This is true for all types of websites including blogs, ecommerce stores, SaaS platforms and mobile apps.
The GDPR defines personal data as follows:
This definition is unprecedented in scope. You might be surprised at how many pieces of personal data your site is collecting from your visitors. When evaluating the types of data you are collecting, you must consider the data you are collecting both directly and indirectly.
Directly collected data includes data your site visitors give you voluntarily. Examples would be information entered into a registration form, a contact form, a sign-up form, a payment page and other places where your users enter their personal information.
Indirectly collected data includes data your site or third party vendors are collecting through monitoring site activities. Examples include login integrations with Facebook, LinkedIn or other social platforms, website analytics such as Google Analytics, as well as chat and community messaging platforms.
Following is a list of data your site is most likely collecting. Use this list as a guide to identify the types of personal consumer data your site(s) might be collecting.
Note: This list is not necessarily comprehensive. You may be collecting personal data not identified in this list. Be sure to consult with your site developers and third parties to ensure you create a comprehensive list of all data types being collected over your websites or apps.
Remember, different platforms may be collecting different information from your users in order to function or improve user experience.
You need to analyze your website, blog site, mobile app, ecommerce store and SaaS platforms in order to create a comprehensive list of data types you are collecting from each one and disclose it in your Privacy Policy.
Here is an example of this from Facebook's Privacy Policy in a clause entitled, What kinds of information do we collect?
You'll need to identify all methods you employ for collecting, storing, managing and sharing personal data through your site or app. The GDPR refers to this as "processing."
Your Privacy Policy must disclose all processing methods you are currently using, as well as those you might use in the future.
It is not enough to simply state that you collect personal data directly and/or indirectly. The GDPR requires you to identify the specific methods being used to collect personal consumer data.
Whether you own a website, blog, mobile app, ecommerce store, SaaS platform or all of the above, you must identify all data processing methods and itemize them in your Privacy Policy.
Examples of processing methods can include:
You might be surprised to find out just how many ways in which your site is processing private consumer data. Let's look at some examples.
Your website or blog is likely collecting personal data directly and indirectly. Nearly every website and blog has one or more opportunities to collect user data directly.
Examples include:
In the background, your site is probably collecting additional consumer data indirectly. Website platforms typically have enhancement features to improve user experience, and these work by collecting data about users. An example would be "cookies," which are used to monitor and store browsing activities, and to personalize the overall user experience.
Many sites also use analytical tools such as Google Analytics to track website performance and to better understand their audience.
Some sites, especially blogs, present advertisements to site visitors. A third party display ad vendor such as Google AdSense collects data from visitors to present "targeted" and "retargeting" ads based on their online behavior profiles.
Comment forums also collect personal consumer information such as names, internet IDs or handles, email addresses and sometimes a headshot or image of the reader.
Here is a screenshot of a WordPress user backend view of reader comments. Not only are the name, email address and profile image shown, so is the IP address, allowing the blog owner to track user location.
In addition to GDPR requirements for privacy protections, all third party vendors have their own privacy rules you must follow in order to use their services.
You will need to review the Privacy Policies for each third party sharing personal data with your site in order to meet their requirements as well as satisfy your legal obligations to the GDPR. This includes any chat forums in use for a blog, Google products such as AdSense and Google Analytics, and other third party services such as app stores and social platforms.
To give you an idea of how to summarize your data processing methods in a way your users can understand, take a look at this example from The New York Times:
The GDPR requires a Privacy Policy for mobile apps. While many mobile apps integrate with a host website, a Privacy Policy displayed within the app is necessary. This is because mobile app technologies utilize unique data collection methods to acquire information about users, their devices and other apps they may be using.
Mobile apps also use direct collection methods to acquire personal information about users, such as registration information, in-app payment information, community chat forums, online identifiers and other data.
See this excerpt from the Spotify mobile Privacy Policy which spells out the types of information the app collects from users that's both provided by users and collected automatically:
Ecommerce stores collect personal information in some obvious ways, such as sign-up for a discount, billing and shipping data required for checkout, product preference data and site registration. These are direct collection methods.
They also collect information indirectly, such as with cookies to "remember" what a shopper viewed. Additionally, they collect data through third party integrations like Google Analytics and the others discussed above, as well as with payments processors.
Ecommerce stores have some unique considerations for data processing because of security concerns for online payments. Some stores save payment information for ease of future checkout, recurring subscription payments or automated re-orders.
Amazon defines this in a clause detailing the many types of information it collects directly:
If you own an ecommerce site, you need to identify all of the methods you use for handling and processing personal consumer data so you can fully disclose it in your Privacy Policy.
Software as a Service businesses (SaaS) also have special considerations for complying with the GDPR. Platforms like Facebook, LinkedIn, Google Drive and others thrive on user data, using the data to personalize the online experience.
However, according to the EMC Privacy Index, fewer than 27 percent of consumers are willing to give up their personal data in exchange for a better or more personalized browsing experience. This means the potential for consumer demand for more privacy, or even litigation, is a particularly strong concern for SaaS platforms.
If you own a SaaS platform, you want to go through all of your data collection and processing methods with a fine-toothed comb. This way, you can ensure you are complying with the GDPR and thoroughly disclosing all in your Privacy Policy.
The Toggl app dedicates a clause for Data Collection in its Privacy Policy. The language makes it clear that data is collected at multiple times during a user's interaction with the app.
The GDPR requires the appointment of a qualified Data Protection Officer (DPO) in certain instances, as well as your ongoing support for that officer and their GDPR education.
You may need to appoint a DPO who has the education and expertise to perform all functions required to oversee your data processes. The DPO also would coordinate with officials on an ongoing basis.
You will need to appoint a DPO if you are a public authority or an organization engaging in large-scale monitoring of personal data. The GDPR spells out the following circumstances in which a business must appoint a DPO:
Your DPO must be qualified to oversee your GDPR compliance. You also must provide the officer with appropriate resources, human and otherwise, to perform their duties. Additionally, your DPO must have "expert knowledge of data protection law."
Your Data Protection Officer also must:
Ensure that internal leadership and key decision makers are informed and educated about legal privacy protection responsibilities and GDPR, generally.
Train staff about privacy security procedures.
Identify and disclose any data "sub-processor."
Report personal data breaches to the local authority within 72 hours, and to affected individuals if the affected data was not encrypted.
If your business is located outside of the EU, the Data Protection Officer also must appoint a representative located within the EU to coordinate with authorities.
Your users also need to know how to reach you to discuss their data, request changes or file a complaint. Therefore, your Privacy Policy needs to include a section for privacy-related contact. This doesn't have to be complicated.
Here's a simple Contact Us clause from News UK:
The requirement to report data breaches to authorities is an important component of the regulation. You also may need to notify impacted individuals "without undue delay" when a breach is "likely to result in a high risk to the rights and freedoms" of those affected.
However, if you experience a breach but immediately implement sufficient procedures to protect data following the breach and to prevent a further breach, you may be exempt.
Here are the GDPR's requirements for handling data breaches:
Closely related to the proper handling of data breaches is the prevention of data breaches by incorporating adequate data protection policies and procedures at every level. The GDPR requires you to:
Ensure your site was built using a concept known as Privacy by Design. This means privacy protections were in place throughout every phase of your website development and remain front and center in your internal procedures.
Minimize data collection to only that which is necessary to conduct business.
Pseudonymise personal data as soon as possible.
Remain transparent with data subjects about your data processing procedures.
Take extra precautions in securing all technologies deployed to run your sites or apps by securing email, protecting WiFi, ensuring compliance with all third parties, etc.
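The "minimize" and "pseudonymise" points above are the two that translate most directly into code. The following is an added illustration, not code from the original article or from any of the companies it quotes. It assumes a hypothetical user record with the fields shown, a hypothetical "order fulfilment" purpose that needs only some of those fields, and a 32-byte HMAC key that is stored separately from the pseudonymised data (for example in a secrets manager). That separation is the point of pseudonymisation: the records alone no longer identify anyone, and only the holder of the separately kept key (or lookup table) can reverse the tokens.

```python
"""Added example: keyed pseudonymisation plus data minimisation.

Assumptions (not from the article): the record layout, the purpose that
defines NEEDED_FIELDS, and the practice of keeping the HMAC key apart
from the pseudonymised records.
"""
import hashlib
import hmac
import secrets

# Fields the assumed purpose genuinely needs (data minimisation).
NEEDED_FIELDS = {"user_id", "email", "country", "order_total"}

# Direct identifiers among those fields; they get replaced by tokens.
IDENTIFIER_FIELDS = {"user_id", "email"}

# Constructed sample record, not real personal data.
SAMPLE_RECORD = {
    "user_id": "u-1042",
    "email": "alice@example.com",
    "country": "DE",
    "order_total": 59.90,
    "phone": "+49 30 000000",       # not needed for fulfilment
    "date_of_birth": "1990-01-01",  # not needed for fulfilment
}


def minimise(record):
    """Drop every field the stated purpose does not need."""
    return {k: v for k, v in record.items() if k in NEEDED_FIELDS}


class Pseudonymiser:
    """Replaces identifiers with HMAC-SHA256 tokens.

    The key (and the reverse lookup table, if one is kept at all) is the
    additional information that must be held separately from the
    pseudonymised records; without it the tokens cannot be reversed.
    """

    def __init__(self, key):
        if len(key) < 32:
            raise ValueError("use a key of at least 32 random bytes")
        self._key = key
        self._lookup = {}  # (field, token) -> original value

    def token(self, field, value):
        # Domain-separate by field name so the same string appearing in
        # two different fields does not produce a linkable token.
        msg = field.encode() + b"\x00" + str(value).encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()[:32]

    def pseudonymise(self, record):
        out = {}
        for field, value in record.items():
            if field in IDENTIFIER_FIELDS:
                tok = self.token(field, value)
                self._lookup[(field, tok)] = value
                out[field] = tok
            else:
                out[field] = value
        return out

    def reidentify(self, field, tok):
        """Reverse a token; only the key/lookup holder can do this."""
        return self._lookup[(field, tok)]


def process(record, pseud):
    """Minimise first, then pseudonymise what remains."""
    return pseud.pseudonymise(minimise(record))


def contains_raw_identifiers(record, original):
    """True if any original identifier value survives in the output."""
    originals = {str(original[f]) for f in IDENTIFIER_FIELDS if f in original}
    return any(str(v) in originals for v in record.values())


if __name__ == "__main__":
    p = Pseudonymiser(secrets.token_bytes(32))
    safe = process(SAMPLE_RECORD, p)
    print(safe)
    print(p.reidentify("email", safe["email"]))
```

Because the token is a keyed hash rather than a random value, the same email always maps to the same token under the same key, so analytics and joins across datasets still work without exposing the address; rotating the key deliberately breaks that linkability. An unkeyed hash would not qualify, since anyone could hash a guessed email and compare.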
Here is the GDPR's requirement for Appropriate technical and organisational measures that explains these obligations further:
As you can see, the overall theme of the GDPR's requirements focuses on your customers' rights. Their ability to understand their privacy rights and risks, and to control the use of their personal data, are central to the GDPR. Never before has any legislation mandated such broad rights defining consumer privacy and giving consumers control over their private information.
Just as importantly, the burden to provide the education and ability to control the information is on you.
Your site visitors must be able to:
Article 12 of the GDPR, Transparent information, communication and modalities for the exercise of the rights of the data subject, spells out the important consumer rights you must respect:
In order to keep your users informed about their rights and make your Privacy Policy accessible, you must place a link to your Privacy Policy in a conspicuous location where your site visitors can find it with ease. Most websites place a link in the footer.
Here's an example from The Times of London:
The simple organization and easy-to-see white typeface on a black background make the link stand out.
Mobile apps need to handle this differently because they rarely have a footer and must function with limited screen space. Additionally, because apps are distributed through third party app stores, app owners must display a link to their Privacy Policy in the app store as well.
Here are examples of links from the Capital One mobile app. In the first one you'll see a link to the Privacy Policy from inside the app store.
In the following example you'll see how the Privacy Policy is also provided within the app itself, at the bottom of the home screen.
Additional protections are given to minors, which the GDPR defines as a child aged 16 or younger. However, EU member states may set their own age limits so long as the limit is not below age 13.
Because of the concern for minors, website and app owners are expected to make an extra effort to protect the privacy of minors.
Many mobile apps, and especially VR apps, attract primarily children. If your website or app attracts minors, you must make every effort to acquire consent from the child's legal guardian. You also must ensure the user granting parental consent to process the minor's data is authorized to provide that consent.
At minimum, you will want to:
Acquire informed consent of a parent or guardian before processing any personal information of a minor.
Fully inform guardians of how personal data is collected and processed for minors.
Provide a simple way for minors and their guardians to access that data, require its deletion or instruct you to transfer it to another entity.
Not collect any personal information from minors that is not necessary to your business's performance.
The Facebook app provides a good example for disclosing a minor's policy inside the Data Policy:
When designing your website and creating your Privacy Policy and data handling procedures, you want to think about your users' rights and consider their perspective. The language you use in your Privacy Policy and on your site where you collect personal data should be plain and simple so it's easily understood.
You should also think about ways to make it easy for your site users to review their privacy settings, make changes, update their data, access your Privacy Policy and communicate with you about their data.
You should:
Create a link to your Privacy Policy in your website footer or Settings page of your mobile app.
Connect that link to your full Privacy Policy.
Organize your Privacy Policy in a way that covers each requirement of the GDPR.
Provide special considerations to minors and their guardians.
Build your site with Privacy by Design in mind, ensuring maximum protection of data at every level.
Hire or appoint qualified individuals to oversee your data handling procedures as well as your compliance with the GDPR.
This seems like a lot of work, and it is. Failure to comply with the GDPR can lead to fines of up to four percent of "annual global turnover" or EUR 20 million, whichever is greater. In some cases, failure to comply could lead to costly lawsuits or criminal enforcement.
Take your time to work through each point covered in this article. Pay special attention to your type of site or sites, your typical site visitor, the data types you collect and methods you use to collect and process the data.
Appoint a qualified and competent Data Protection Officer and work with this individual to establish expert understanding of the GDPR.
Consult with your third parties and familiarize yourself with their contracts and Privacy Policies.
Finally, consult with your technology experts, tapping into their input and expertise to ensure you identify all types of data you collect, methods for processing it, instances in which you share it and procedures for copying or deleting it on request.
With these efforts, you will be ready to formalize your policies and procedures into a compliant Privacy Policy that meets or exceeds the GDPR requirements and protects your business from legal liabilities.