HIPAA, OSHA, SOX, PCI – almost every industry has some form of data or physical protection policy. And for good reason. These policies are in place to defend people and their rights to share — or not share — information. But what about online? How is your data protected, and what are your rights?
What’s a privacy policy?
Perhaps one of the earliest forms of data protection, a privacy policy is a statement or legal document that outlines how a person’s information is collected, stored, managed, and disposed of. Back in the day (think the 60s or 70s), this protected mostly physical pieces of information, but with the development of technology and the Internet, the federal and local governments have introduced a variety of legislation throughout the years in an attempt to provide the same protection to online data.
These legislations have included the Children’s Online Privacy Protection Act (COPPA), the Gramm-Leach-Bliley Act (GLBA), and the Health Insurance Portability and Accountability Act (HIPAA) mentioned earlier. But, until California’s Online Privacy Protection Act (CalOPPA), none of these legislations completely protected the data provided online.
CalOPPA requires that all websites must include a privacy policy outlining what information is collected, stored, and managed, and how it’s disposed of. Additionally, Google Analytics requires that you include a privacy policy that outlines your use of cookies and Google Analytics information. Policies like these have been the outline for how American businesses manage privacy – until May 2018.
What’s GDPR?
The General Data Protection Regulation (GDPR) outlined by the EU has set a new standard for online privacy. GDPR states that any business cannot use information collected for its benefit and must protect the information gathered. Remember when all your favorite websites emailed you to say they’d updated their privacy policy (see image)? That was a result of the GDPR going into effect in May 2018. It came with strict rules and lofty noncompliance fines.
But there is one thing you should know before scrambling to find out how to protect your business: the GDPR only applies to EU and UK residents. So, why should businesses from the United States — for lack of a better word — care?
One particular article within the GDPR may impact businesses outside the EU. Article 3 outlines the territorial scope of the GDPR and states that any business targeting Union residents must adhere to the regulations outlined. This includes any information collected while monitoring Union residents.
The Internet is a vast space for people from all over the world to visit your website. While you may not necessarily be targeting residents of the EU, there is a chance that a resident from the Union will use your site, and you may inevitably collect the information from that visit. What then? Will you receive a hefty noncompliance fine? The answer is likely no, but using GDPR as a base for privacy protection is the best way to keep your business safe.
Best Practices for Privacy Policies and GDPR Compliance
Whether you target Union residents or not, the easiest way to ensure compliance is to update your website’s privacy policy and implement a procedure for collecting, managing, storing, and deleting the information received from visitors. This should include, but not be limited to:
- Providing opt-ins for information collected
- Allowing visitors to request the information you have about them
- Allowing visitors to edit/update the information you have about them – as long as it doesn’t impact administrative requirements
- Allowing visitors to delete any information you have about them – as long as it doesn’t impact administrative requirements
- Allowing visitors to change their opt-in status
- Having a process for what data is collected
- Securing and encrypting data collected
- Informing visitors how long you’ll hold their data before deleting it
- Informing visitors how their data will be properly deleted
Your GDPR Compliance Checklist
A checklist can help you determine what you’ve already accomplished and what still needs to be achieved to meet GDPR compliance. Use this GDPR outline to help you determine your next steps:
- Conduct an information audit — including what information you collect and who can access it
- Determine your legal justification for obtaining data
- Include information about your data processing and legal justification in your privacy policy
- Make data protection a key part of your development and data processes
- Encrypt, pseudonymize, or anonymize personal data when possible
- Create an internal security policy
- Determine when to conduct and carry out data protection impact assessments
- Create a process for what to do if there is a data breach
- Designate a Data Protection Officer (DPO) or someone responsible for ensuring GDPR compliance
- Complete a data processing agreement between you and any third parties that may process personal data on your behalf
- Appoint a representative to the countries where you may process data
- Create a process so that it’s easy for customers to request and receive information you have about them
- Make sure this process makes it easy to correct and update inaccurate or incomplete information
- Allow customers to request their information be deleted
- Make it easy for customers to request that you stop processing their data
- Allow customers to request a copy of their personal data in a format that can be transferred to another company
- Make sure you allow a way for customers to object to the data that you process
- Implement a procedure to protect people’s rights if you make decisions based on automatic processes
Benefits of Updating Your Privacy Policy
While updating your privacy policy or processes seems like a lot of work, there are many additional benefits than just being compliant. As more and more websites implement the GDPR standard, it will become an expectation by end-users that you provide the same protection as you would to EU residents. Upholding the GDPR standard and implementing data protection regulations also improves:
- Transparency
- Trust
- Brand reputation
- ROI
- Loyalty
What To Do If There’s a Data Breach
Mistakes occur, laptops are stolen, and — despite being diligent with the information you collect — sometimes data breaches happen. If that should happen to your business, you must inform regulatory parties within 72 hours. In addition, you should:
- Inform those individuals who are affected
- Identify the full extent of the breach and how it occurred
- Work toward preventing breaches in the future
*This blog post was written to provide general information about privacy policies and GDPR compliance. For more information, visit the links provided.