Privacy Policy Updates. How Will EU Privacy Rules Affect Your Company?
- New EU privacy rules. Who is affected?
- What does the law mean for you and your customers?
- How are the tech giants updating their privacy policies?
- What do the new rules require?
- Tips for updating your privacy policy
- How do you change your signup forms?
The most important change in data privacy regulation in the past 20 years goes into effect on May 25th, 2018. Every company that offers goods or services to people in the European Union (EU) or collects their personal data must comply with the new EU privacy rules.
Companies that do not abide by these rules may be fined up to 4 percent of their annual global turnover. It is therefore vital to make the necessary updates by that date in order to avoid potential penalties. Over the last few months we have worked with many of our clients on implementing these rules, and we want to share that experience in this article. Follow our tips for your privacy policy updates.
Who is affected by the new EU privacy rules?
The new rules on processing personal data are collectively called the General Data Protection Regulation, or GDPR, and were passed by the European Union. The law has 11 chapters and 99 articles and aims to protect personal data and digital privacy.
While these new privacy rules apply in Europe, they affect companies all around the world. According to the GDPR, it doesn’t matter where your business is located or headquartered if you meet either of these criteria:
- offer products or services to individuals in the EU;
- collect or otherwise process personal data of individuals in the EU (for example, by monitoring their behaviour online).
For example, if your company is based in the US but collects email addresses from people in the EU, the law affects you. Because the GDPR is a regulation rather than a directive, it applies directly in every member state without national governments having to pass their own legislation. Businesses must therefore comply with the rules as written to avoid severe fines.
What does this law mean for you and your customers?
You can collect a lot of personal data from your customers, including their names, email addresses, credit card numbers, Facebook IDs, and IP addresses. According to the European Commission, “personal data is any information relating to an individual, whether it relates to his or her private, professional or public life”.
The GDPR strengthens individual privacy rights and requires companies to be more transparent about how all personal data is handled. With the new rules, your customers can ask what kind of personal information you collect. It must be possible for customers to download their private data from you and transfer it to another vendor (which may even be your direct competitor). Customers may also request to permanently delete their personal data.
How will big tech giants update their privacy policy?
Many companies have already notified their users about policy changes. Google shared their updated version of privacy rules that will take effect on May 25th, 2018. Amazon confirmed its compliance with the GDPR and introduced features and services on its General Data Protection Regulation Center webpage.
Facebook announced updates to its privacy policies and unveiled new tools that provide access to your personal data. For example, users in the EU will be asked whether they want to turn off the face recognition feature and whether they want to see targeted ads based on political, religious, and relationship information. Facebook will prompt users to agree to its terms of service and data policy that were revealed earlier. In particular, they introduced Access Your Information, which makes it possible to download a secure copy of your personal data including pictures, contacts, posts, and more.
What do the new privacy rules require?
Every company that operates in Europe or has European users will have to observe the GDPR’s standards. The key changes may require a major update of your privacy policy and include the following points:
1. Companies must provide users with the right to access their personal information. A copy of the information must be available free of charge and in an electronic format. Users will have the legal right to transfer their data to another entity that also collects data.
2. Users will have the right to be forgotten. They should be able to erase certain personal data, stop further dissemination of the information, and have the potential to require third parties to halt processing of their data as needed.
3. Breach notification becomes mandatory. A personal data breach must be reported to the supervisory authority within 72 hours of when you first become aware of it, and affected users must be told without undue delay when the breach is likely to put them at high risk.
4. Consent has to be clear and distinguishable from other matters, freely given, and requested in an intelligible and easily accessible form using plain language. Users must be able to withdraw consent as easily as they gave it.
5. Penalties may be severe. The maximum fine is up to 4 percent of annual global turnover or €20 million (whichever is greater). For Facebook, that would be $1.6 billion; for Google, $4.4 billion.
Check the full overview of the main changes and find out how they differ from the previous directive on the GDPR portal.
Tips for updating your privacy policy
A privacy policy usually tells your visitors why, how, and what personal data you collect, how you secure it, and whether you use cookies and give third parties access to this information. According to the new regulation, you must include the following information in your privacy policy to be GDPR-compliant.
1. Identify the data controller that collects information from EU citizens (usually, it is your company). Also, make sure to include your contact information.
2. State the lawful basis for each kind of processing. Consent is one basis: a person can consent to the processing of their personal data for one or more specific purposes. Others include performance of a contract, a legal obligation, or your legitimate interests (which you must name).
3. List the rights users have under the GDPR – the right of access, right to rectification, right to erasure, right to restrict processing, right to data portability, right to object, and the right not to be subject to a decision based solely on automated processing.
4. Inform users whether you use personal information to make automated decisions (e.g. credit scoring, profiling users, etc.).
5. Let users know whether providing personal data is required and what happens if they don’t. For example, an email address may be required to create an account.
6. Tell users whether you transfer their personal data to third countries or international organizations.
7. Use plain, understandable language in your privacy policy and avoid long explanations filled with legal jargon.
You must be compliant with the new rules by May 25th, 2018. In case you are still not prepared for the new privacy rules we are here to help you stay up to date. Moreover, there are automatic generators that can help you create your privacy policy according to the GDPR – check Termsfeed, Privacy Policy, and others.
How do you change your signup forms?
Don’t forget to update your signup forms. Silent or soft opt-in is no longer acceptable for GDPR consent: a pre-ticked checkbox, inactivity, or consent bundled into your terms of service does not count.
According to the new EU privacy rules, companies must be able to demonstrate that users have consented to the processing of their personal data. Collect consent from new contacts accordingly, and obtain fresh permission from existing contacts whose consent you cannot demonstrate by running a GDPR consent campaign.
To comply with the new rules, offer users an explicit, unticked-by-default consent checkbox; for example, “I consent to have Your Company collect my name and email”. Use a separate checkbox for each distinct purpose (such as marketing emails), and keep a record of what each user agreed to, which version of the policy they saw, and when. It is crucial that users consent to your updated privacy policy.
MailChimp has introduced a step-by-step guide on how signup forms can help companies comply with the GDPR.