Now, fast forward to 2016. That year the European Union adopted a new and comprehensive regulation on data privacy, the GDPR (General Data Protection Regulation); it entered into force in May 2016 and became enforceable on May 25, 2018. This single set of rules applies across all 28 member states and protects anyone located in the EU, regardless of nationality. It also applies regardless of where the company is based: any US company that offers goods or services to people in the EU, or monitors their behavior there, must comply. Enforcement is carried out by the member states' data protection authorities, which can issue fines of up to 4% of worldwide annual turnover or €20 million, whichever is higher.
The premise of GDPR is simple – people should have more control over their personal data in the digital world. Of course, the reality is much more complicated. Even the biggest companies in the world are struggling to meet all of the requirements around privacy policies. Google, Facebook, Equifax and Ticketmaster are among the companies that have either been fined or investigated. To date, the largest fine has been issued to Google by the French regulator CNIL, at €50 million (roughly $57 million), for failing to obtain valid consent for ad personalization and for not presenting its privacy information transparently. Google is appealing.
Privacy gets serious
GDPR's data protection rules consist of a very long and detailed list of obligations for handling personal data. Here are the basics:
- Consent – Where a company relies on consent, it must be freely given, specific, informed and unambiguous, and withdrawing it must be as easy as giving it. Pre-ticked boxes and silence do not count. Consent is only one of several lawful bases for processing; performance of a contract and legitimate interests are others.
- Right to Data Access – Companies must explain how they use personal information in clear and plain language. Users can request a copy of the data held about them, which must be provided free of charge (barring manifestly excessive or repeated requests) and normally within one month.
- Right to Be Forgotten – Users can object at any time to processing such as direct marketing. Further, there is a more formal right to erasure, the “right to be forgotten”, which lets people have their data deleted when, for example, it is no longer needed for the purpose it was collected for or they withdraw consent. It is not absolute: data a company is legally required to retain, for instance, is exempt.
- Data Portability – Users have rights to their own data. They can obtain the data they provided in a structured, commonly used, machine-readable format and reuse it elsewhere, or have it transmitted directly to another provider where technically feasible.
- Privacy by Design – From the start, companies must build data protection into their systems and default settings: collect only the data needed, keep it only as long as needed, and protect it with appropriate technical and organizational measures such as encryption and pseudonymization.
- Potential Data Protection Officers – In some cases, companies must appoint a Data Protection Officer (DPO). This depends on what is processed rather than on company size: a DPO is mandatory for public authorities, for organizations whose core activities involve regular and systematic large-scale monitoring of individuals, and for those processing special categories of data (such as health data) on a large scale.
What is the definition of “personal data”?
The legal definition is broad: any information relating to an identified or identifiable natural person, including indirect identifiers such as IP addresses, cookie IDs and location data. In practice it covers five broad areas:
- Biographical information including name, date of birth, Social Security or national ID numbers, phone numbers and email addresses
- Looks, appearance and behavioral data, which includes eye color, weight and character traits
- Workplace and education data including salary, tax info and student ID numbers
- Private and subjective data such as religious beliefs, political opinions and location or geo-tracking data; religion and political opinions are “special categories” that get extra protection
- Health, sickness and genetics data including medical history, genetic and biometric data, which are also special categories
Healthcare organizations in particular stand to benefit from complying. For years they have been a prime target for cybercriminals, and health data is one of GDPR's special categories, which means stricter conditions for processing it. Compliance does not by itself stop attackers, but the measures GDPR requires, such as data minimization, encryption and pseudonymization, shrink the attack surface and limit the damage when a breach does happen. Privacy policies matter especially in healthcare because of the sensitive nature of the information collected.
Best Practices for Privacy Policies
First, let’s note that different kinds of data collection merit different kinds of notices. However, the primary questions your company needs to answer are:
- What data is being collected?
- Who is collecting it?
- How and why are you collecting?
- How are you using it?
- Do you plan to share it?
- How long will you store it?
- What control do users have over it?
While it seems like a lot, you don't have to provide it all in the initial notice, and your answers can be quite simple. Start by telling users just what they need to know when they enter your site (a layered notice), then link to the full details and to the privacy policy in the footer. Note that the full policy has mandatory contents under GDPR Article 13, including the identity and contact details of the controller, the legal basis for each purpose, the retention period, the recipients of the data, the user's rights and the right to lodge a complaint with a supervisory authority. Here are a couple of examples:
Embrace GDPR Principles
Overall, GDPR shifts a great deal of control over personal data to users. In the long run it also helps protect your customers and improve your own procedures. Adding or adjusting your privacy policies is a responsibility that goes beyond geographical limits, and it gives you a head start in data management and protection.
Currently, the US has a patchwork of state and sector-specific data protection regulations. The big tech companies have had to comply with GDPR, and some, notably Apple, have publicly called for a comparable federal privacy law in the US. Only time will tell what rules and regulations Congress will implement.
How Belgrave Can Help
Talk to our marketing strategy team for more information about privacy policies and how your company can implement one. We can advise you on how and where to present it on your site. However, you will need your legal team to draft the actual policy.
Give us a call and we can help you get started.