This article has been written by Shreya Jain pursuing a Diploma in Business Laws for In-House Counsels. This article has been edited by Ruchika Mohapatra (Associate, Lawsikho). 

Introduction 

General Data Protection Regulation, hereinafter referred to as GDPR, is an indispensable part of the businesses providing goods or services to the European residents. To comply with the GDPR and avoid huge data breach penalties, businesses have to take care of a few essential points in their workings; and the formation of an effective privacy policy is one such point. Henceforth, a major GDPR concern for a company is to serve an organization with a comprehensive data and privacy framework that comes under the ambit of the Regulation. Firstly, let us understand what GDPR is and what impact it has on ongoing businesses and organizations.

What is GDPR

“GDPR is a legal framework that sets guidelines for the collection and processing of personal information from individuals who live in the European Economic Area (EEA).” It aims at protecting the rights of the users in securing their data; ensuring the amendments of data privacy laws with the ever-changing landscape of technology; and creating legislation for the EU as a whole. It had various effects on the companies and businesses during its advent. 

Download Now

The advent of GDPR

With the enactment of GDPR in the EU, it had some widespread effects across different companies and has multiple expected and unexpected results, which include: 

Changing the position of data protection

Data protection has become an integral part of the business world after the arrival of GDPR. Other countries have also started focusing on data protection. California in the US has also signed into law “California Consumer Privacy Act”. 

Greater reliance on third parties and data experts

Companies started seeking GDPR legal advice from data experts and other experts outside the companies and spent enormous amounts on its compliances. Demand for Data Processing Officers has risen over 700%. Enforcement agencies were established which include- The European Commission (EC), European Data Protection Board (EDPB), and the 28 EU Member States (each country has agencies to help regulate the GDPR). 

Businesses were overall unprepared

There were mixed views and lots of confusion in the mind of companies regarding their compliances. They were under-confident and were worried to safeguard their companies from paying off strict penalties. 

Fewer fines have been given than expected

Companies were not fined much in the year the GDPR was enforced and only $63 in fines were issued. 

Enforcement agencies overwhelmed with the scope

Enforcement agencies were overwhelmed with the number of complaints filed and the data breaches recorded.

Completely cut ties with the EU residents

Fewer companies who could not meet the requirement to comply with GDPR, resultantly cut the ties with the EU residents, hence, limiting the market for EU residents. 

Get rid of their non-compliant data

Other companies got rid of the data they were holding and decided to start afresh. 

Huge expenses incurred on the GDPR prep by the countries across the world

UK companies spent around $1.1 billion collectively on GDPR, American companies spent around $7.8 billion on GDPR prep. 

Involvement of supplementary agencies

The hiring of supplementary agencies to navigate the GDPR’s norms and compliances such as DPOs or other data privacy experts because in-house counsel was less equipped with data privacy laws.

GDPR nevertheless focuses and aspires to protect the privacy of users/ data subjects and make companies liable/ accountable in case of any data breach. Companies are also liable to pay fines if they fail to secure data breaches. Therefore, companies are legally bound to create an effective privacy policy. 

What is a Privacy policy

Privacy Policy is primarily a document contained on a website that states how a business will collect, store, protect, use, or dispose of personal information provided by its users.

Why is Privacy policy necessary

It is required by law for a company/organization to have a Privacy Policy in place if you are collecting personal information from its users. Privacy policy helps in building trust with users. It also helps in meeting legal requirements. Sometimes, it is required by other concerning parties to have a privacy policy intact in an organization. It helps in evading costs and expenses in legal matters due to an ineffective privacy policy, to make a profit by building the trust of the users, avoid risks, and keep the earning of the organization safe and secured. 

How do you safeguard users’ privacy rights

Consent 

Companies are required to have explicit consent from the users to collect, use, or store their data.

Access to information 

Companies must provide documentation of users’ data whenever asked for it.

Data erasure 

Companies provide the rights to the users to request the erasure of their data.

Data update 

To change the details of the users which were earlier provided.

Objections 

Data subjects can object to the usage of their data.

Location 

Data subjects can ask for the location of their data, its storage, and transfers.

Restriction on use

Data subjects can deny using their data for marketing purposes.

Which business needs to comply with the GDPR

All the businesses need to comply with GDPR that has established or operates in the European Union. It is irrelevant where the data processing takes place in the world, if you are a non-EU business and offer the services to customers based in the EU, then you have to ensure compliance with the GDPR. If you are aiming to sell the products to the EU residents; they are your prospective buyers, you will be liable to comply with the GDPR norms. 

GDPR compliant privacy policy

Who your data controller is and contact information of the data controller

The Data Controller is the one who controls the personal information of its customers. The data controller informs the customer about their data and its processing, who the company is, how it uses or controls users’ data, how it stores users’ data, etc. Contact details of the data controller are also provided to the users to approach them in case of any concern related to their data.

Who is your DPO

In case the company has a DPO, the same has to be mentioned in the privacy policy, as well as the contact information of the DPO has to be mentioned.

Whether you use data to make automated decisions

The data controller must disclose to its users if their data is used for automated decision making such as credit scoring or profiling.

Inform users of the 8 rights they have under GDPR

GDPR provides 8 rights to data subjects and the data subjects need to be informed of those rights along with an adequate procedure to avail those rights. 8 rights available to data subjects include:

  1. The right to be informed;
  2. The right to access;
  3. The right to rectification;
  4. The right to erasure;
  5. The right to restrict processing;
  6. The right to data portability;
  7. The right to object;
  8. Rights related to automated decision making and profiling

Any transfer made by the controller has to be mentioned in the privacy policy of the company to make the users aware of the location and processing of their data and make an informative decision.

What’s your legal basis for the processing of data

Article 6 of the GDPR provides 6 legal bases for processing the personal data of its customers. An organisation needs to have a valid legal basis to process the data. Legal bases include consent, the performance of a contract, a legitimate interest, a vital interest, a legal requirement, and a public interest.

How to get consent

If consent is used as a legal basis to collect information, then consent should be acquired explicitly from the users. The Data controller should use checkboxes and click wraps to acquire consent to help customers make an informative decision. If the data is sensitive, consent should be obtained clearly. 

Impact of non-compliance of GDPR on business privacy policies

A company has to abide by norms provided under the GDPR to avoid an extensive penalty of 20 million Euros or 4% of the global turnover of the companies, whichever is greater. It includes appointing a dedicated Data Privacy Officer who will be responsible for following all the compliance norms. 

Changes in the Business privacy policies

  1. Prominently displayed and easy to access.
  2. Keep it updated and always inform users when you make privacy policy changes.
  3. Language should be concise, easy to understand and clear.
  4. The details about who you are and the other details help the data subject to make an informative decision whether or not they are willing to share their data.
  5. Inform users of your contact details and the physical location of your business.
  6. Businesses should also keep in mind several questions while writing a privacy policy.
  • What personal information will you be collecting?
  • Who will be collecting this information?
  • Where will you store this personal information?
  • Whose information are you collecting?
  • Why is the information being collected?
  • Whom are you sharing this information with?
  • How can users access their [personal data?
  • How can users easily limit or opt out of handing over this information?
  • How do you inform the users if there is any data breach?

Suggestions to create an effective privacy policy for businesses as per the norms of GDPR

Simplify texts

Simplify phrasing, with simpler sentences and content up to the mark. One of the best practices includes rephrasing the section headings as questions.

Example- Do you provide my information to a third party?

Structuring content with intuitive navigation, user experience is important

  • Privacy-related information should be visible. For example- a new/separate page, a distinct tab, altogether a new policy.
  • Contents should be categorised into sections, in the links form (when you tab the link, it provides relevant information to that point) 
  • Whenever possible, provide sub-sections to the sections to provide a better understanding.
  • Provide intra-or-inter document links while referring to any point mentioned in the privacy policy document or otherwise.
  • User input fields (for consent) should be empty (no pre-checked box should be available while taking explicit consent from the user)
  • All the options like opt-in, opt-out, etc should be available for the users so that they make an informative decision while clicking a box. Considering implied consent while using a website is not a fair way to opt consent from the users. Such practices should be avoided. 
  • Provide a tab option to revisit the above options without any disturbances.

Designing for ease (Macro)

Provide a brief interpretation of the sections in very plain language, it is like aid to interpretation of the section. To provide a better user experience, non-textual design elements should be used, such as icons, distinct colours for heads and subheads, better alignments, etc.

Designing for ease (Micro)

Readable font type, adequate line spacing, and paragraph spacing, distinct font size for heads and subheads, distinct colours for heads and subheads, usage of typographic treatment consistency- similar texts should appear similar throughout the document.

Creating Emphasis (for disclaimers, onerous clauses, etc.)

For disclaimers, provide headings such as “note”, “disclaimer”, etc., use proper capitalisation, may use markers, may write in italic, bold, or underlined, etc.

Providing language support

Language should be in readable form and options must be provided to convert the document in the language of the regions where the services are provided.

Providing for offline use

Supply an offline version of the document even if the same is available online.

Presenting in other forms

Presenting a privacy policy in any form is good, better is, presenting the same in various forms like audio, video or writing form. It will aid user engagement and comprehension.

Conclusion

GDPR has mainly benefitted Data Subjects and provided them various rights to control their personal data. Other countries are also expected to follow the footsteps of the EU by enacting legislation concerning data protection and privacy laws. Privacy of the users is a  major concern and in no time other countries would have similar safeguards to secure the data of the users. Data protection officers and other legal experts are also going to fetch more opportunities and resultantly, more money with the rise of data security and new legislations in this regard. Privacy policy plays an integral part in GDPR compliance. Nevertheless, technologies are developing at full pace and to cope up with it, companies have to keep a constant check and update their privacy policy from time to time. Employees and staff play an essential role in the company and must be addressed with the responsibilities they have on their shoulders when they deal with the personal data of the customers. 

References


Students of Lawsikho courses regularly produce writing assignments and work on practical exercises as a part of their coursework and develop themselves in real-life practical skills.

LawSikho has created a telegram group for exchanging legal knowledge, referrals, and various opportunities. You can click on this link and join:

https://t.me/joinchat/J_0YrBa4IBSHdpuTfQO_sA

Follow us on Instagram and subscribe to our YouTube channel for more amazing legal content.

LEAVE A REPLY

Please enter your comment!
Please enter your name here