Collecting data from visitors to your website is essential if you want to understand them. However, you need to inform them how you collect their personal information.
Let’s dive right in.
The General Data Protection Regulation (GDPR) Explained
The General Data Protection Regulation, or GDPR, is a set of regulations the European Union (EU) passed down in 2016 to protect the personal data of EU citizens.
Here are the seven principles of GDPR:
- Lawfulness, fairness, and transparency: Personal data must be collected and processed in a legal, fair, and transparent manner
- Purpose limitation: You must collect personal data for a specific, explicit, and legitimate purpose
- Data minimization: Collected personal data must be limited to only what is relevant and limited to the purpose for which it is collected
- Accuracy: Personal data must be accurate, and data subjects have the right to request rectification of incorrect data
- Storage limitation: You can store personal data only for the period that you’re actively using it for a specified purpose, after which you have to anonymize it
- Integrity and confidentiality: You must keep the data you collect secure from internal and external threats such as accidental loss, destruction, and unauthorized and unlawful processing
- Accountability: Your organization is held accountable for the way it handles consumers’ personal data and if it’s following all the GDPR privacy rules
Finally, it’s also important to add that failure to comply with GDPR brings possible types of fines. These are based on the severity of the violation:
- For less severe violations, the fine is either up to €10 million or 2% of the businesses’ annual global turnover (whichever is higher)
- And for more severe the fine is €20 million maximum or 4% of the business’s annual global turnover (again, whichever is higher)
- Strengthen consumer trust: Communicating the measures you’ve taken to comply with GDPR reassures visitors that their data is safe and secure in your hands.
- Build meaningful relationships: By being upfront about how their information will be handled so visitors to your site can feel reassured when sharing personal data—allowing them to develop more trusting and meaningful relationships with your business.
- Increase transparency: For consumers to give their data, they need to feel like companies are transparent about how it’s collected and used— a GDPR-compliant policy on your website showcases that information in an easy-to-understand format so visitors know exactly what happens with the data they provide you.
- Definition of terms: Terms used in this document with a legal meaning may be defined here to ensure that users understand them accurately. Common terms to define are “Personal Data,” “Data Controller,” and “Processing."
- Use of consumer data: This section should include details on how the company uses personal information it has collected from users, such as for marketing purposes or to improve its services.
- Types of data collected: List each type of user information the company collects and how it is used, including names, email addresses, or bank account numbers.
- Personal data retention: Describe the company’s policies for retaining customer information, such as when and why it will be deleted.
- Data processing information: Provide details on the company’s methods for data processing, such as pseudonymization or encryption.
- Disclosure to 3rd parties: Explain if and how personal consumer data is shared with third-parties and the reasons behind it.
- Data transfer: Outline what measures are in place to ensure data is safe during transfer, such as encryption or carrying out an assessment on security implications whenever personal information crosses borders.
- Data security: Show the technical and organizational measures implemented by the company to keep customer information secure from unauthorized access and accidental loss. Common measures include encryption, access control, and backup systems.
- Legal basis for data processing under GDPR: Explain the legal reasons behind why customer information is collected and processed, such as providing a service or engaging in direct marketing activities.
- GDPR data subject rights: Outline the various individual GDPR-related protections that are available to consumers, including the right of access, erasure, and other GDPR data subject rights.
- Exercising GDPR data subject rights: List out how users can exercise their GDPR-related rights with regard to the information held by the company.
- Children’s Privacy: Provide any special considerations for data related to children, and outline the steps taken by the company to protect minors’ privacy. Outline that consent from the guardian must be given if the individual using the website is under 16.
- Links to 3rd-party websites: State if the website is linked to external websites and whether those sites are GDPR compliant.
- Contact us: Include information on who customers should contact with any GDPR-related questions or if they need help exercising their rights.
- Article 12 (Transparent information, communication, and modalities for the exercise of the rights of the data subject)
- Article 13 (Information to be provided where personal data are collected from the data subject)
- Article 14 (Information to be provided where personal data have not been obtained from the data subject)
Importance of Customizations
- What data are you collecting?
- Why are you collecting this data (purpose)?
- How will you store data, and for how long?
- How will you use this data?
- What 3rd parties will you share data with?
- What rights do the users (data subjects) have, and how can they exercise those rights, especially children’s privacy, if you’re collecting data from minors
- How to contact you?
Tip: Consider adding a “last updated” date on the policy page to ensure users are always aware of any changes or updates.
- Identify and fully convey what data your business collects, stores, and processes
- Obtain clear consent from your consumers to use their data
- Clearly explain how you will store, process and collect data
- Explain data subject rights and establish adequate processes to exercise them
- Appoint a data protection officer (DPO)
- Secure data from unauthorized and unlawful access, accidental loss, or destruction
- Have a data breach response plan
- Perform DPIA for high-risk data
- Educate and train your employees regularly on compliance best practices
- Review and audit your data-collecting, storing, and processing activities
Remember to customize this template to meet your particular legal, business, and customer needs.
Get in touch with Captain Compliance today, and we’ll help ensure your business compliance.