General Data Protection Regulation (GDPR) and How This Can Concern You

May 25, 2018 | December 5th, 2023
Are you GDPR-ready? Update your Terms & Conditions and Privacy Policies today!

The European Commission recently enforced the new General Data Protection Regulation (GDPR) across the European Union and the European Economic Area. It supersedes the Data Protection Directive and aims to strengthen data protection and enhance the rights of citizens by reforming privacy policies and requiring strict compliance with data protection rules.

Have you noticed that almost all websites, browsers, social media accounts, apps and everything and anything that makes use of digital data have been notifying you of their updates to their Privacy Policy and Terms & Conditions? Well, that’s because of the European Union’s (EU) General Data Protection Regulation (GDPR), an initiative to improve user privacy by empowering users to have more control of how their personal data will be used.

Over the past couple of weeks, major corporations such as Google, Facebook, Instagram and more have been sending updates on Terms and Conditions asking users to read their Privacy Policies and update their security settings. As Data Gatherers, Data Controllers and Data Processors operating under the EU, these companies fall under the regulations the EU has set to strengthen data protection through heightened privacy policies.

What is GDPR and how does it affect you?

If your business operates inside the European Economic Area (EEA), or if you have customers coming from the European Union, applying the rules and regulations of the GDPR is a must! GDPR aims to strengthen data protection by giving customers control over how their data are used by the companies that gather, control, and process them. Simply put, GDPR is about transparency and user consent, giving the power back to the user. Under the GDPR, businesses are required to provide clear instructions on how they are going to use and share your data through their Terms & Conditions and Privacy Policies. Users may give or refuse consent to having their information used by third parties or for other purposes, including marketing and promotions.

  • Clear Language – Privacy policies are to use clear and straightforward language so that the reader understands why their personal information is needed and what happens to it afterwards.
  • Consent from User – An affirmative consent, be it in the form of ticking a box or providing other options to limit where a user’s data can be used, should be clearly available and easily understood.
  • More Transparency – Users should be informed and should have the option to refuse when their data is to be transferred outside the EU or otherwise stipulated in the form that the user has given consent to.
  • Stronger Rights – Users should be informed in the event of a data breach, and they should be able to request to transfer or delete their data when appropriate.
  • Stronger Enforcement – The European Data Protection Board shall oversee the implementation of GDPR to strengthen data privacy and protect user rights.

What must your company do?

Protect data, to protect your business. Here are some reminders of what companies must do to strengthen data protection and enhance user rights.

  • Terms & Conditions – Amend your terms to ensure that they are in compliance with GDPR, i.e. clearly inform users of how their personal information will be used.
  • Privacy Policy – Provide options for users to allow or deny the company the rights to their personal information to be used in marketing campaigns or purposes other than what they initially signed up for.
  • Data Protection Officer – Assign a Data Protection Officer who shall not only check that GDPR guidelines are followed, but also ensure that data protection and user rights are upheld at all times.
  • Have a Record – Keep track of whether users want their data to be shared and to what extent it may be used.
  • Notification – Notify your users in case of a breach of data and if ever their personal information is to be shared outside the purpose of what they’ve given their consent to.

Companies that fail to comply with GDPR may be issued a formal letter by the European Commission, warning the company of their status and giving them the chance to amend their Terms & Conditions and Privacy Policies. In the event of complete infringement of GDPR, the European Commission can sanction the company through a reprimand or a temporary ban on processing in the EU, leading up to a fine of up to €20 million or 4% of the business’s total annual worldwide turnover.

Companies that operate outside the European Union, but have customers from the region, are legally bound to follow the laws of their respective countries. For example, American companies will have to follow the Data Protection Law and are required to adjust their policies in response to America’s take on the EU’s GDPR, which states that data from non-EU users shall be governed by the Privacy Laws of the United States of America. Accordingly, all companies operating outside the European Union will have to follow their country’s Privacy Policy, like Australia and their Privacy Act of 1988. Even so, all businesses outside the EU are also encouraged to improve their Terms & Conditions and Privacy Policies based on GDPR because of its strong emphasis on enhancing data protection and strengthening user privacy.

How we can help you…

At Bureauserv, we can help existing and new clients amend the Terms & Conditions and Privacy Policies on their websites using the latest version of WordPress. As an online platform for web content management, WordPress has upgraded to version 4.9.6 in response to the GDPR and in favour of strengthening data protection. It now features new tools such as the option to export and erase personal data, have your comments anonymously published, and many more.

Aside from WordPress, the tools we use for all our outsource services, particularly in Accounting & Bookkeeping, Customer Service & Sales, Virtual Assistance, and Digital Marketing, have all updated their Terms & Conditions and Privacy Policies to comply with GDPR. Rest assured that with Bureauserv, you aren’t breaching any GDPR laws; instead, we promote data protection and the strengthening of user rights.