This article has been written by Shreya Jain pursuing a Diploma in Business Laws for In-House Counsels. This article has been edited by Ruchika Mohapatra (Associate, Lawsikho).
What is GDPR
“GDPR is a legal framework that sets guidelines for the collection and processing of personal information from individuals who live in the European Economic Area (EEA).” It aims at protecting the rights of the users in securing their data; ensuring the amendments of data privacy laws with the ever-changing landscape of technology; and creating legislation for the EU as a whole. It had various effects on the companies and businesses during its advent.
The advent of GDPR
The enactment of the GDPR in the EU had widespread effects across companies, with both expected and unexpected results, including:
Changing the position of data protection
Data protection has become an integral part of the business world since the arrival of the GDPR. Other countries have also started focusing on data protection; California in the US has signed the “California Consumer Privacy Act” into law.
Greater reliance on third parties and data experts
Companies started seeking GDPR legal advice from data experts and other advisers outside the company and spent enormous amounts on compliance. Demand for Data Processing Officers rose by over 700%. Enforcement bodies include the European Commission (EC), the European Data Protection Board (EDPB), and the 28 EU Member States (each country has its own agency to help regulate the GDPR).
Businesses were overall unprepared
There were mixed views and a lot of confusion among companies about their compliance obligations. They lacked confidence and worried about protecting their companies from strict penalties.
Fewer fines have been given than expected
Companies were not fined much in the year the GDPR came into force; only $63 in fines were issued.
Enforcement agencies overwhelmed with the scope
Enforcement agencies were overwhelmed with the number of complaints filed and the data breaches recorded.
Completely cut ties with the EU residents
A few companies that could not meet the GDPR requirements cut ties with EU residents altogether, limiting the market available to EU residents.
Get rid of their non-compliant data
Other companies disposed of the non-compliant data they were holding and decided to start afresh.
Huge expenses incurred on the GDPR prep by the countries across the world
UK companies spent around $1.1 billion collectively on GDPR preparation, and American companies spent around $7.8 billion.
Involvement of supplementary agencies
Companies hired supplementary agencies, such as DPOs or other data privacy experts, to navigate the GDPR’s norms and compliance requirements, because in-house counsel was less well equipped in data privacy law.
How do you safeguard users’ privacy rights
Companies are required to obtain explicit consent from users to collect, use, or store their data.
Access to information
Companies must provide documentation of a user’s data whenever it is asked for.
Companies must give users the right to request erasure of their data.
Users can correct details they provided earlier.
Data subjects can object to the use of their data.
Data subjects can ask where their data is located, how it is stored, and where it is transferred.
Restriction on use
Data subjects can refuse the use of their data for marketing purposes.
Which business needs to comply with the GDPR
Every business established or operating in the European Union needs to comply with the GDPR. It is irrelevant where in the world the data processing takes place: if you are a non-EU business offering services to customers based in the EU, you have to ensure compliance with the GDPR. If you aim to sell products to EU residents, so that they are your prospective buyers, you are liable to comply with the GDPR norms.
Who your data controller is and contact information of the data controller
The Data Controller is the party that controls the personal information of its customers. The data controller informs customers about their data and its processing: who the company is, how it uses or controls users’ data, how it stores users’ data, and so on. The data controller’s contact details are also provided to users so they can raise any concern related to their data.
Who is your DPO
Whether you use data to make automated decisions
The data controller must disclose to its users if their data is used for automated decision making such as credit scoring or profiling.
Inform users of the 8 rights they have under GDPR
The GDPR gives data subjects 8 rights, and data subjects need to be informed of those rights along with an adequate procedure for exercising them. The 8 rights available to data subjects are:
- The right to be informed;
- The right to access;
- The right to rectification;
- The right to erasure;
- The right to restrict processing;
- The right to data portability;
- The right to object;
- Rights related to automated decision making and profiling.
What’s your legal basis for the processing of data
Article 6 of the GDPR provides 6 legal bases for processing customers’ personal data, and an organisation needs a valid legal basis before it processes data. The legal bases are consent, the performance of a contract, a legitimate interest, a vital interest, a legal requirement, and a public interest.
How to get consent
If consent is used as the legal basis for collecting information, it should be acquired explicitly from the users. The data controller should use checkboxes and click-wrap agreements to acquire consent and to help customers make an informed decision. If the data is sensitive, consent should be obtained clearly and separately.
Impact of non-compliance of GDPR on business privacy policies
A company has to abide by the norms provided under the GDPR to avoid a penalty of up to 20 million Euros or 4% of the company’s global turnover, whichever is greater. This includes appointing a dedicated Data Privacy Officer who is responsible for following all the compliance norms.
Changes in the Business privacy policies
- Prominently displayed and easy to access.
- Language should be concise, easy to understand and clear.
- The details about who you are, and the other details below, help the data subject make an informed decision about whether or not they are willing to share their data.
- Inform users of your contact details and the physical location of your business.
- What personal information will you be collecting?
- Who will be collecting this information?
- Where will you store this personal information?
- Whose information are you collecting?
- Why is the information being collected?
- Whom are you sharing this information with?
- How can users access their personal data?
- How can users easily limit or opt out of handing over this information?
- How do you inform the users if there is any data breach?
Simplify the phrasing, using shorter sentences and keeping the content to the point. One of the best practices is to rephrase section headings as questions.
Example- Do you provide my information to a third party?
Structuring content with intuitive navigation: user experience is important
- Privacy-related information should be visible, for example on a new or separate page, in a distinct tab, or as an altogether separate policy.
- Contents should be categorised into sections and presented as links (when you tap a link, it takes you to the information relevant to that point).
- Wherever possible, divide sections into sub-sections for better understanding.
- User input fields for consent should be empty (no pre-checked box should be shown while taking explicit consent from the user).
- All options, such as opt-in and opt-out, should be available to users so that they make an informed decision when ticking a box. Treating mere use of a website as implied consent is not a fair way to obtain consent from users, and such practices should be avoided.
- Provide a tab option to revisit the above choices without any disruption.
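The consent-form rules above (no pre-ticked boxes, granular opt-in, a clearer statement for sensitive data, and no consent inferred from silence) can be enforced in the form handler itself. The following is an added example, not code from the article; the purpose names, the form-state shape and the record format are assumptions.

```javascript
// Added example: validate a consent form submission so that only affirmative,
// per-purpose opt-ins are recorded. Purpose list and field shape are assumed.
const CONSENT_PURPOSES = [
  { id: "account", label: "Create and maintain my account", sensitive: false },
  { id: "marketing", label: "Send me marketing e-mails", sensitive: false },
  { id: "health", label: "Process my health information", sensitive: true },
];

// formState: { [purposeId]: { checked, defaultChecked, explicitStatement? } }
// "defaultChecked" records how the box was rendered; a pre-ticked box is rejected.
// Returns { ok: true, record } or { ok: false, errors }.
function buildConsentRecord(formState, policyVersion, now = new Date()) {
  const errors = [];
  const granted = [];
  for (const purpose of CONSENT_PURPOSES) {
    const field = formState[purpose.id];
    if (!field) { errors.push(`missing field for purpose "${purpose.id}"`); continue; }
    // Rule 1: consent boxes must start empty; a pre-ticked box cannot show consent.
    if (field.defaultChecked) {
      errors.push(`purpose "${purpose.id}" was pre-checked; consent cannot be presumed`);
      continue;
    }
    // Rule 2: sensitive data needs a separate explicit statement beyond the tick.
    if (field.checked && purpose.sensitive && !field.explicitStatement) {
      errors.push(`purpose "${purpose.id}" is sensitive and needs an explicit statement`);
      continue;
    }
    // An unticked box is simply not granted: inactivity is never consent.
    if (field.checked) granted.push(purpose.id);
  }
  if (errors.length) return { ok: false, errors };
  // Rule 3: keep an auditable record so the controller can later demonstrate
  // what was consented to, under which policy version, and when.
  const allIds = CONSENT_PURPOSES.map((p) => p.id);
  return {
    ok: true,
    record: {
      policyVersion,
      grantedPurposes: granted,
      deniedPurposes: allIds.filter((id) => !granted.includes(id)),
      obtainedAt: now.toISOString(),
      method: "explicit-opt-in",
    },
  };
}
```

Denied purposes are stored alongside granted ones so that a later marketing send or profiling step can be checked against the record rather than against the absence of an objection.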
Designing for ease (Macro)
Provide a brief interpretation of each section in very plain language, as an aid to interpreting the section. To improve the user experience, use non-textual design elements such as icons, distinct colours for headings and subheadings, and better alignment.
Designing for ease (Micro)
Use a readable font, adequate line and paragraph spacing, distinct font sizes and colours for headings and subheadings, and consistent typographic treatment, so that similar text appears similar throughout the document.
Creating Emphasis (for disclaimers, onerous clauses, etc.)
For disclaimers, provide headings such as “Note” or “Disclaimer”, use proper capitalisation, and consider markers or italic, bold, or underlined text.
Providing language support
The language should be readable, and options must be provided to translate the document into the languages of the regions where the services are provided.
Providing for offline use
Supply an offline version of the document even if the same is available online.
Presenting in other forms