Four Hacks to Have a GDPR Compliant Privacy Policy
Disclaimer: This editorial does not claim completeness and does not provide legal advice on GDPR compliant privacy policies.
Here’s the idea that is getting people really nervous:
Inside the law firms of the world, lawyers are just waiting for 25 May 2018 to scan our websites and sue anyone whose privacy policy is not GDPR compliant. To defend ourselves, it is essential to make sure our websites do not reveal weaknesses to either machine scans (crawling) or superficial human inspection.
This means that we need to pay attention to our use of cookies, plugins and tracking tools, to make sure we are all doing our duties and have compliant public documents.
First, take a deep breath, get some coffee and take ten minutes to read our suggestions below. You do not need a lawyer to do this for you.
To make sure that you do not overlook any detail of a GDPR compliant privacy policy, just follow the four hacks below, which are really the four steps to a GDPR compliant website.
Step 1: Encryption
The first step towards a website with a GDPR compliant privacy policy is to make sure your website is only accessible via HTTPS (the little lock symbol in the browser). "Only accessible" means redirecting every http:// request to https://, ideally together with a Strict-Transport-Security header so that browsers do not try plain HTTP again; simply installing a certificate does not do that. Thanks to Let’s Encrypt and other alternatives, this is an easy problem to solve.
Step 2: Changes to website content/plugins
The second step is to consider where on your website data is collected or sent (automatically or by a person). Typically, forms, plugins, tracking tools and cookies do this. The general rule is:
‘You must tell your visitors what is being tracked/collected. Ideally, you get their consent. But at least you have to give them an option to opt out.’
To understand how this step works in your favor, i.e. in your effort to have a GDPR compliant privacy policy, let’s break it down further:
Forms
It does not matter what type of form you use or what it is for: only ask for the things you really need in order to provide the service you are offering. For instance, for a newsletter registration make the email address the only required field and keep all other fields optional.
Plugins
For your social media plugins, add something like Shariff, which only contacts the social network once the visitor actually clicks the share button, to give users more control over being tracked. For videos, YouTube has a privacy-enhanced mode that embeds from youtube-nocookie.com (https://support.google.com/youtube/answer/171780?hl=de). At the time of writing, Vimeo does not offer an equivalent, so it should no longer be embedded on your website.
Tracking
Like most websites, you probably use Google Analytics. Make sure you take these steps:
- Enable IP anonymization (anonymizeIp), so that Google truncates the address before storing it; note that the truncation happens on Google’s side, so the full address still reaches their collection servers (https://support.google.com/analytics/answer/2763052?hl=de)
- Tell your visitors about it (see Step 3)
- Offer an opt-out (https://developers.google.com/analytics/devguides/collection/gajs/?hl=de#disable)
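As an added example (not code from the original post, and not Google’s own snippet), here is how the anonymizeIp setting and the ga-disable opt-out fit together on a page that uses analytics.js. It is written as plain functions over a `win` and `doc` argument so it can be exercised outside a browser; in a page you pass `window` and `document`. The property ID UA-00000-1 and the cookie name ga-opt-out are placeholders.

```javascript
// Added example, not from the original post: Google Analytics (analytics.js)
// with IP anonymisation and a persistent, per-property opt-out.
// 'UA-00000-1' and the cookie name 'ga-opt-out' are placeholders (assumptions).

const OPT_OUT_COOKIE = 'ga-opt-out';              // assumption: our own first-party cookie
const TWO_YEARS_SECONDS = 2 * 365 * 24 * 60 * 60;

// analytics.js honours window['ga-disable-<PROPERTY_ID>'] = true, but only if
// the flag is set before the tracking snippet runs. A cookie alone does
// nothing: the flag has to be re-applied on every page load.
function disableFlagName(propertyId) {
  return 'ga-disable-' + propertyId;
}

// Parse a document.cookie string ("a=1; b=2") into a name -> value map.
function parseCookies(cookieString) {
  const out = {};
  for (const part of cookieString.split(';')) {
    const idx = part.indexOf('=');
    if (idx === -1) continue;                      // attributes like "Secure" carry no value
    const name = part.slice(0, idx).trim();
    if (name) out[name] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return out;
}

// Has this visitor opted out of tracking for exactly this property?
function hasOptedOut(propertyId, doc) {
  return parseCookies(doc.cookie || '')[OPT_OUT_COOKIE] === propertyId;
}

// Called from the "opt out" link in the privacy policy (Step 3).
function optOut(propertyId, win, doc) {
  win[disableFlagName(propertyId)] = true;         // stops analytics.js for the current page
  // Secure + SameSite: the site is HTTPS-only (Step 1), so this cookie never travels in clear.
  doc.cookie = `${OPT_OUT_COOKIE}=${encodeURIComponent(propertyId)}` +
    `; Max-Age=${TWO_YEARS_SECONDS}; Path=/; Secure; SameSite=Lax`;
}

// Run before the analytics.js snippet. Returns the ga() commands to issue,
// as arrays so they can be inspected, or [] when the visitor has opted out.
function analyticsCommands(propertyId, win, doc) {
  if (hasOptedOut(propertyId, doc)) {
    win[disableFlagName(propertyId)] = true;       // re-apply the flag for this page load
    return [];
  }
  return [
    ['create', propertyId, 'auto'],
    // Google zeroes the last octet (IPv4) or last 80 bits (IPv6) before storing the hit.
    ['set', 'anonymizeIp', true],
    ['send', 'pageview'],
  ];
}

// In a page, after the snippet has defined ga():
//   for (const cmd of analyticsCommands('UA-00000-1', window, document)) ga(...cmd);
```

The point the Google documentation makes but the page does not: the ga-disable flag is not persistent. It must be set on every page load before the tracking snippet runs, which is why the opt-out is stored in a first-party cookie and re-applied in analyticsCommands. A consent banner is the same gate inverted: return an empty command list until the visitor has actively said yes.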
Cookies
Tell people that you are setting cookies and give them an option to opt out. Hopefully your website system has that built in; otherwise you need to add it yourself. Below is a good example of a cookie consent banner.
Step 3: Privacy Policy
This is the most important part. As an organization, you have an obligation to be transparent about your data processing activities. How can you be transparent? Put it all in the privacy policy. It should be precise, transparent, easily accessible, and written in clear, simple language. So do it yourself (DIY) with the must-haves below:
- Contact information of your organization,
- List of the data categories (‘name’, ‘visitor behavior’, …) that you collect and the purposes for which they are collected,
- Legal basis for this processing (ideally, either ‘consent’ or ‘performance of a contract’),
- How long you plan to keep the data,
- A way for the customer to limit the processing (e.g. by contacting you),
- The email address of your Data Protection Officer (if you have one), e.g. ‘privacy@sample.com’,
- Where a customer can reach you with a complaint.
There are also some conditionals:
- Do you use Google Analytics? Mention it and offer an opt-out.
- Do you set cookies? Mention it!
- Do you use automated decision-making? You have to mention that too.
- Do you use a company like Mailchimp to send your newsletters? Mention it, including that you share your visitors’ email addresses or other information with them.
As you can see, there is no one-click solution for this (although we are working on one!). Doing it by hand is not prohibited either. In about a day, you should be able to cover most of this.
Below is a good example of a privacy policy snapshot.
Step 4: The rights of Users
This is another part you need to add. Here’s an example for you:
“In particular, Users have the right to do the following:
Withdraw their consent at any time. Users have the right to withdraw consent where they have previously given their consent to the processing of their Personal Data.
Object to processing of their Data. Users have the right to object to the processing of their Data if the processing is carried out on a legal basis other than consent. Further details are provided in the dedicated section below.
Access their Data. Users have the right to learn if Data is being processed by the Owner, obtain disclosure regarding certain aspects of the processing and obtain a copy of the Data undergoing processing.
Verify and seek rectification. Users have the right to verify the accuracy of their Data and ask for it to be updated or corrected.
Restrict the processing of their Data. Users have the right, under certain circumstances, to restrict the processing of their Data. In this case, the Owner will not process their Data for any purpose other than storing it.
Have their Personal Data deleted or otherwise removed. Users have the right, under certain circumstances, to obtain the erasure of their Data from the Owner.
Receive their Data and have it transferred to another controller. Users have the right to receive their Data in a structured, commonly used and machine-readable format and, if technically feasible, to have it transmitted to another controller without any hindrance. This provision is applicable provided that the Data is processed by automated means and that the processing is based on the User's consent, on a contract which the User is part of or on pre-contractual obligations thereof.
Lodge a complaint. Users have the right to bring a claim before their competent data protection authority.
Details about the right to object to the processing
Where Personal Data is processed for a public interest, in the exercise of an official authority vested in the Owner or for the purposes of the legitimate interests pursued by the Owner, Users may object to such processing by providing a ground related to their particular situation to justify the objection.
Users must know, however, that should their Personal Data be processed for direct marketing purposes, they can object to that processing at any time without providing any justification. To learn whether the Owner is processing Personal Data for direct marketing purposes, Users may refer to the relevant sections of this document.
How to exercise these rights
Any requests to exercise User rights can be directed to the Owner through the contact details provided in this document. These requests can be exercised free of charge and will be addressed by the Owner as early as possible and always within one month.”
Text credit: Iubenda.com
In short, following this guide should get you on the right path towards compliance. If you have further questions and want to know how we can help you get a GDPR compliant privacy policy, sign up with us!
Image credit: http://thebusinessecoach.com/
ECOMPLY is a GDPR compliance management software that assists in building and maintaining compliance documentation. Check out our website or contact us for more information.