Privacy policies have historically been pretty vague and incredibly broad in describing how companies “may” use your data. For example, if you wrote an article and posted it on LinkedIn before the GDPR, you may have granted the company a perpetual right to use your article in any manner it wished for its own commercial gain (Exhibit A). Might you have thought twice before agreeing to that if you had read the policy? To LinkedIn’s credit, or to the GDPR’s credit, they’ve reined in the overly broad terms, at least somewhat.
We can probably agree that transparency is generally a good thing given the recent exposure of the less-than-transparent practices of the internet giants. But what does your David-sized company have to do about it? It's actually pretty simple, and can be summed up by one of my favorite adages.
Say what you mean, and mean what you say.
Or, when it comes to your data practices:
Say what you do, in clear and concise terms, and do what you say.
In order to be transparent, you have to know what you are actually doing with all that data you are collecting, using, and sharing.
Start by mapping out your data processing activities.
Be sure to identify:
o The types of personal data that you collect directly from individuals
    Personal data is any information relating to an identified or identifiable person, including online identifiers.
o The types of personal data you collect from third party sources
o The methods you use to collect personal data
    Including automated tracking tools, Google forms, payment processing systems
o How you use personal data
    Including uses related to providing your service, for internal operations or analytics purposes, marketing, behavioral tracking and targeted advertising, email newsletters
o How, why, and with whom you share personal data
    Including vendors like cloud storage providers, Google Analytics, your CRM platform
o How you store personal data and how long you retain it
o The security controls and other physical and technical safeguards you use to protect personal data
o Whether you currently give individuals any control over their personal data, and how so
The GDPR's transparency requirements oblige you to provide data subjects with certain information when:
(1) data is collected directly from the individual;
(2) data is collected from a third party (subject to some exceptions); or
(3) data is processed or shared for a new purpose that is not compatible with an original purpose or requires additional consent.
There are exceptions and special rules related to notices required when data is collected from a third party or processed or shared for a new purpose. Most notably, you do not have to provide all of the required information when you get personal data from a third party if the individual already has the information, or if it would be impossible or involve a disproportionate effort.
The required information includes:
(1) Identity and contact information about the data controller (that’s you if you determine how and why you collect personal data)
(2) Contact information for the Data Processing Officer (if necessary, more to come on DPOs)
(3) The intended purpose(s) and corresponding lawful basis for processing personal data
    Including the legitimate interests of the controller if applicable
(4) Other people or companies with whom you share personal data (or the categories of data recipients in general)
(5) Whether you intend to transfer personal data outside the EU
    Transfers outside the EU are allowed only under certain conditions, but at least one of the conditions will likely apply if you are providing goods or services.
(6) How long you retain data, or how you determine how long to retain data
(7) The data subject’s rights (these are very important and will be broken down in more detail in a later post)
    o Right to access data
    o Right to have data corrected
    o Right to have data erased
    o Right to restrict processing
    o Right to object to processing
    o Right to receive a copy of all data (aka "data portability")
(8) Notice that the data subject may revoke consent at any time where processing is based on consent
(9) Notice that the data subject has the right to complain to the authorities
(10) Notice of any obligations of the data subject to provide certain data in relation to a contract, and any consequences of failing to provide the required data (if applicable)
    For example, if you are selling hats, you have to notify the purchaser that they must provide their billing information in order for you to process their order, and they can’t place an order if they don’t provide all required billing information.
(11) Whether you use automated decision-making or profiling in connection with the data processing, and the significance and potential consequences involved
    Profiling means automated processing used to “analyze or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements.”
Lastly, the information you provide must be in writing, easily accessible, concise and easy to understand, and age appropriate if your data subjects include children. Don’t forget, there are special rules when it comes to processing personal data of minors.
Overwhelmed yet? We don't blame you.
*This blog provides general information for educational purposes only. It is not intended to constitute specific legal advice and does not create an attorney-client relationship.*