Tuesday, May 8, 2018

GDPR-Compliant Privacy Policy (Example)

1. GDPR: don’t be scared
There is no reason to fear GDPR for US/international businesses that only process limited amounts of non-sensitive personal information (e.g., no medical info) from the EU. For example, let’s say you operate a website out of the US and you have some EU subscribers, or you sell products to the EU. For those purposes, you collect users’ names, emails and payment details. You don’t sell or otherwise disclose their info to any third parties. If that describes your business, then this article is to help you understand what is required and how to comply without unnecessary complexities.

2. What is required?
If you collect and use personal data from any residents of the EU, that makes you a “controller” of personal information under the GDPR. Its Articles 13 and 14 require you to inform “data subjects” (users) of the following:
the purpose and legal basis for processing;
the data controller’s identity and contact details; 
recipients, or categories of recipients of the personal data;
how long the personal data will be retained and if no time frame can be provided how the retention period will be calculated;
if any automated decision making, for example, profiling, is being carried out and information about such automated decision making;
whether the personal data is processed outside the European Economic Area (EEA) and what protections are in place to safeguard the personal data; and
the data subject rights.

3. How to comply?
You should address the above points in your Privacy Policy in concise, easy-to-understand language. When you read hundreds of pages of regulations, guidelines and instructions about GDPR compliance, while drowning in the sea of privacy update notices, that can make you mistakenly assume that you also need to implement numerous convoluted policies and then send everybody notices about it. No. In fact, the GDPR states the exact opposite – the privacy information you provide has to be concise. So, let’s go through the points listed in the above paragraph.
The purpose and legal basis for processing. If you only use EU personal info to fulfill a contract with your EU subscriber/buyer, that constitutes a legal basis under Art. 6.
Your identity, contact details, recipients of the personal data. All of that should already be in your Privacy Policy regardless of GDPR.
How long the personal data will be retained. This has to be reasonable depending on the purposes for which you collect the data and how long you will need it for after the business relationship with the user is terminated.
If any automated decision making, for example, profiling, is being carried out and information about such automated decision making. This doesn’t apply to most of my clients described in paragraph 1, so they can address this by stating something like, “as a responsible business, we do not rely on any automated decision making, such as profiling.”
Whether the personal data is processed outside the European Economic Area (EEA) and what protections are in place to safeguard the personal data. This is one of the most important points of the GDPR, and it ties directly to the next requirement about informing the EU data subjects about their rights. The EU grants more rights to its residents’ personal info than the US, and only allows for the transfer of EU personal info outside the EEA if adequate protections of those rights are in place. Procedures you can have “in place to safeguard the personal data” can be using SSL, storing data on a password-protected server accessible only by an administrator, and, most importantly, the procedures designed to protect the GDPR-specific rights below.
So, GDPR requires you to inform EU users about their GDPR rights and your procedures to secure them. The eight main GDPR rights are: 1) to be informed; 2) to access; 3) to rectification; 4) to erasure; 5) to restrict processing; 6) to data portability; 7) to object; and 8) relating to automated decision-making and profiling. GDPR requires you to be concise, especially if your business is like most of my clients that I’ve described in the first paragraph of this article. So, in the next paragraph I will give sample language that can be inserted in your Privacy Policy for GDPR compliance purposes. Of course, you will have to actually comply with what your Privacy Policy states; otherwise, it won’t protect you.

4. Sample GDPR-compliance Privacy Policy verbiage

EU Users’ Rights. 
This section of our Privacy Policy applies to the users of our platform in the EU. We would like to inform you about your GDPR rights and how we safeguard them.

a. Your GDPR rights to be informed, to access, rectify, erase or restrict the processing of your personal information. Our Privacy Policy enumerates the types of personal (and other) data we collect about our users in Section ___ above. You have the right to obtain free information about what personal data we have obtained about you, where it is stored, for how long, for what purposes it is used, and to whom it was disclosed. You have the right to have us, without undue delay, rectify inaccurate personal data concerning you. That means you can request that we change your personal data in our records, or have your incomplete personal data completed. You have the “right to be forgotten,” i.e. to have us delete your personal information, without undue delay, if the data is no longer necessary in relation to the purposes for which it was collected. However, GDPR gives us the right to refuse erasure if we can demonstrate compelling legitimate grounds for keeping it.

b. GDPR gives you the right to restrict processing if any of the following applies:

i. If you contest the accuracy of your personal data, we will restrict processing it for a period enabling us to verify its accuracy.
ii. The processing is unlawful and you oppose its erasure and request instead the restriction of its use.
iii. We no longer need your personal data for the purposes of the processing, but you require us to restrict processing for the establishment, exercise or defence of legal claims.
iv. You have objected to processing pursuant to Article 21(1) of the GDPR pending the verification whether our legitimate grounds override yours.

c. Right to data portability. Upon request, we will provide you with your personal data in our possession, in a structured, commonly used and machine-readable format. You have the right to transmit that data to another controller if doing so does not adversely affect the rights and freedoms of others.

d. Right to object. You can object, on grounds relating to your particular situation, at any time, to processing of your personal information, if based on point (e) or (f) of Article 6(1) of the GDPR. We will then have to stop processing, unless we can demonstrate compelling legitimate grounds for the processing. If you object to the processing for direct marketing purposes, we will have to stop processing for these purposes.

e. Right to withdraw consent. GDPR grants you the right to withdraw your earlier given consent, if any, to processing of your personal data at any time.

f. Rights related to automated decision making. As a responsible business, we do not rely on any automated decision making, such as profiling.

How to exercise your GDPR rights?

If you need to contact us in order to exercise or discuss any of your GDPR rights under this Privacy Policy, you can contact our Data Protection Officer at: [Name, contact info]

5. Conclusion
It can be possible to comply with GDPR without undue burden.