Why is it important?
As privacy is acknowledged as a fundamental right by practically every society, having a well-written policy can provide a stronger legal footing for your business if you are, unfortunately, challenged in certain legal settings.
What is GDPR?
GDPR was implemented by the European Union (EU) in 2018. GDPR is an individual-centric regulation, where the law protects citizens within the EU by guaranteeing them certain rights relating to their personal data.
Which organizations must comply with GDPR?
The purpose of GDPR is to protect the data of EU citizens and residents. Article 3(2) of the GDPR states that organisations which
- control and process a large amount of data of citizens within the European Economic Area (EEA), and
- offer goods and services to citizens within the EEA
are liable under the GDPR.
This means that the GDPR applies to all EU-based entities (businesses and companies) even if the data are being used or stored outside of the EU. Despite it being an EU regulation, organisations all around the world have scrambled to comply with it. This is because the GDPR is applicable not only within the EU but also to entities outside the EU that offer goods and services to EU customers and collect and process their data.
What types of privacy data does GDPR protect?
Personally identifiable information refers to data which can be traced back to a particular person, such as their name, social security number, or their email. Under the GDPR, aside from the above “direct” information, indirect information is also protected. This includes their IP address, any cultural or political identifiers and opinions, and even what time they come into work. Generally, as long as a person can be either directly or indirectly identified from the data given, it is protected under the GDPR.
Do note that the GDPR only applies to natural persons and not legal persons. This means that you may collect data about a corporation in the European Economic Area without complying with the GDPR. However, you may not do the same for a person in the European Economic Area.
What’s the best approach to achieving full GDPR compliance?
Generally, it is advisable to start with an internal audit of your data. Analyse what data you collect, how much of it is collected, and what the data is used for. Doing so will provide you with a framework of what you can continue collecting, and what to cease collection of.
Following that, figuring out who should be responsible for what data is a sensible step. Doing so will allow you to divide work evenly throughout the enterprise, understand whether you are a controller or a processor, and decide whether you need to outsource your data to a responsible and GDPR-compliant data processor. This is the best stage to appoint your data protection officer.
The heavy lifting will then be technical, focusing on finding the best way to pseudonymise and organise data. Even if it is technical, it is important for everyone to maintain communication and stay on the same page. Doing so will allow for the best results – full compliance with the GDPR in terms of data security, and happy customers.
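As an added illustration of the technical step described above (this is example code, not part of the original article), the following Python snippet shows what pseudonymisation of a customer record can look like in practice: direct identifiers are replaced with keyed HMAC-SHA256 tokens so records about the same person can still be linked, while indirect identifiers such as the IP address and date of birth are generalised. The field names, sample records and the in-memory key are constructed for the example; in a real deployment the key would be held in a secrets manager or HSM, separately from the pseudonymised dataset, which is what makes the data pseudonymised rather than anonymised.

```python
import hashlib
import hmac
import secrets

# Pseudonymisation key. Generated here only so the example runs stand-alone;
# in practice it is stored separately from the data (e.g. a secrets manager),
# because anyone holding the key together with the data can re-link records.
PSEUDONYMISATION_KEY = secrets.token_bytes(32)

# Field names are assumptions made for this example.
DIRECT_IDENTIFIERS = ("name", "email", "ssn")


def pseudonymise_value(value: str, key: bytes = PSEUDONYMISATION_KEY) -> str:
    """Replace a direct identifier with a keyed HMAC-SHA256 token.

    Normalising case and whitespace first means 'Alice@Example.com' and
    ' alice@example.com ' map to the same token, so records can still be
    joined. Without the key the original value cannot be recovered, and a
    plain unkeyed hash would be vulnerable to guessing common inputs.
    """
    normalised = value.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()


def generalise_ip(ip: str) -> str:
    """Truncate an IPv4 address to its /24 network, dropping the host part."""
    parts = ip.split(".")
    if len(parts) != 4 or not all(p.isdigit() and 0 <= int(p) <= 255 for p in parts):
        raise ValueError(f"not an IPv4 address: {ip!r}")
    return ".".join(parts[:3] + ["0"])


def generalise_dob(dob: str) -> str:
    """Keep only the birth year from an ISO 'YYYY-MM-DD' date of birth."""
    if len(dob) < 4 or not dob[:4].isdigit():
        raise ValueError(f"not an ISO date: {dob!r}")
    return dob[:4]


def pseudonymise_record(record: dict, key: bytes = PSEUDONYMISATION_KEY) -> dict:
    """Return a copy of the record with identifiers pseudonymised or generalised.

    Fields not listed as identifiers (e.g. subscription plan) pass through
    unchanged; that is the data the analytics team actually needs.
    """
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            out[field] = pseudonymise_value(value, key)
        elif field == "ip_address":
            out[field] = generalise_ip(value)
        elif field == "date_of_birth":
            out[field] = generalise_dob(value)
        else:
            out[field] = value
    return out


# Constructed sample records, not real people.
SAMPLE_RECORDS = [
    {"name": "Alice Smith", "email": "Alice@Example.com", "ip_address": "203.0.113.42",
     "date_of_birth": "1990-07-14", "plan": "pro"},
    {"name": "Alice Smith", "email": " alice@example.com ", "ip_address": "203.0.113.77",
     "date_of_birth": "1990-07-14", "plan": "pro"},
]


def demo() -> list:
    """Pseudonymise the sample records and return the result."""
    return [pseudonymise_record(r) for r in SAMPLE_RECORDS]


if __name__ == "__main__":
    for r in demo():
        print(r)
```

Note that the two sample records, which belong to the same person, end up with identical `email` and `name` tokens and are therefore still linkable for analytics, yet neither token reveals the underlying value. Re-identification is only possible by whoever holds the key, which is why the key must live outside the dataset and be access-controlled like any other secret.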
What changes do I need to make to my website / app?
In the past, most websites made it mandatory for consumers to accept all terms and conditions and privacy policies before being allowed to use their service. These terms are obviously very one-sided with little privacy protection for the consumers. Under the GDPR, your privacy policy should instead set out at least the following:
- An introductory paragraph introducing your company and the purpose of the policy;
- Details about the exact information you will be collecting (e.g. website users’ name, IP address, date of birth, etc.);
- Purpose of collecting personal information;
- Details about the method of collection and storage of information;
- Details about the affiliated websites involved.
If you are running an e-commerce website that contains purchasing functions and website users may insert the details of their credit card, you should also explain how such payment information will be utilized and stored.
We understand it might be difficult to draft one from scratch – take a look at our templates below before you get started!