Whether you actually started your business yesterday, or it just seems that way, you probably need to meet GDPR privacy standards. The General Data Protection Regulation (GDPR), which went into effect in May 2018, is one of the strictest consumer privacy standards in the world. If you collect, store or process personal data of people in the European Union, you need to stay compliant with the GDPR, wherever your business is located.
We’ve published several other articles about the GDPR for your edification—now it’s time to turn our attention to the GDPR and privacy policies.
While there is plenty of nuance as to whether GDPR authorities will pursue small businesses outside the EU with no real ties to it, it’s always best to set a standard at the beginning of your operations. The sooner you get into GDPR compliance, the sooner your business can expand to new locations.
While the GDPR is complex, Article 13 spells out certain elements your privacy policy should include:
- Who is collecting the data: Article 13 requires you to provide “the identity and the contact details of the controller and, where applicable, of the controller’s representative,” plus the contact details of your data protection officer if you have one. In general, this refers to your company and the specific person responsible for answering any GDPR inquiries.
- Why you’re allowed to collect the data: Article 6 sets out six different legal bases upon which you can process personal data, and Article 13 requires you to tell users which one you rely on. Two of the most common are “consent” and “legitimate interest.”
- Why you’re collecting the data: Next, you’ll need to show why you’re collecting the data. One of the most common reasons is sales and marketing: for instance, you might collect email addresses for marketing lists.
- What kinds of data you’re collecting: Users must be informed what kind of data you’ll collect, whether that’s tracking cookies, email addresses or another category of personal data.
- How long you’re storing the data: You should also be transparent about how long you will store the data, or the criteria you use to decide that—for instance, that you purge an email address as soon as the person unsubscribes. It’s wise to set an outer limit as to how long any data will be stored.
- If you use the data in automated decision-making: Companies that use personal data as part of automated decision-making, including profiling (for instance, credit scoring), must tell the user that this happens, give meaningful information about the logic involved, and explain the significance and likely consequences for the user.
- The data subject’s rights: The GDPR requires you to inform the user (the data subject) of their rights: the right to be informed, the right of access, the right to rectification, the right to erasure, the right to restrict processing, the right to data portability, the right to object, and, where consent is the legal basis, the right to withdraw it at any time.
- Ways of informing the user when the policy has changed: This is one of the simplest requirements: you just have to state how you’ll tell your users when your privacy policy has changed. This could be as simple as a website notification.
SixFifty has the Solution
No matter how large or small your business, SixFifty’s solutions can help.
If you’re ready to get started or have further questions, schedule a demo with SixFifty today.
Written by Meili Bell
Meili Bell is the Content Manager at SixFifty. She spends her workdays writing, editing, project managing and reading about the intersection of law and technology. Meili comes to SixFifty from Gifted Music School, a nonprofit music school for the most dedicated young musicians in the region, where she was program director of the school’s flagship program for the last ten...