Are our website privacy policies compliant with the GDPR?
Tips for GDPR Compliant Privacy Policies
- Companies should have a lawful basis for processing personal data: The GDPR outlines six lawful circumstances for acquiring personal data: 1) the consumer has provided consent; 2) processing is necessary for the performance of a contract; 3) processing is necessary for compliance with a legal obligation of the data controller; 4) processing is necessary to protect the vital interests of the consumer or of another natural person; 5) processing is necessary for the public interest; and 6) processing is necessary for the purposes of legitimate interests pursued by the data controller or by a third party, except where those interests are overridden by the interests of the fundamental rights of the consumer.
- Data Retention: The GDPR limits website operators from retaining data beyond a “reasonable” period of time. A reasonable period of time has yet to be defined and retention periods vary from country to country. Please note that the typical retention period for countries in Europe is from five to ten years for general documents and tax papers.
- Do not use complicated language: Article 12 of the GDPR requires, “using clear and plain language, in particular for any information addressed specifically to a child.” In the pursuit of transparency, the GDPR does not want users to be confused by overly complex legal language.
- Mandatory data sharing: Often the use of personal data is required in order to create a user name and then to gain access to certain parts of a website. Website privacy policies must explain what happens if personal data is not provided by users.
- International privacy laws: To enhance transparency, the GDPR requires businesses to inform their customers of any personal data that will be transferred to a different country or to an international organization.
Rethinking Website Privacy Policies
The foregoing suggestions should be considered when attempting to draft GDPR-compliant privacy policies. Making sure that privacy policies are carefully composed before the May 25, 2018 effective date, will help prevent GDPR-related exposure and liability in the future.