GDPR and Privacy Policies
One of the principal goals of GDPR is to encourage transparency, which means companies are now required to disclose how they’re using their subscribers’ and website visitors’ information — and they must do so in a way that is clear and simple. According to one infamous study, it would take roughly 76 work days to read all the privacy policies we encounter in a year (2), so the goal is to reduce that number drastically.
Lastly, if the organization will be collecting data from third-party sources, they are required to provide additional information about the data and its source.
Is GDPR Working?
Initially, business leaders and experts from different fields were extremely excited about GDPR. Speaking with Verdict about the potential impact of GDPR, Giles Pratt (IP and technology partner at Freshfields) said,
“The EU regulators have introduced a pioneering piece of legislation that looks likely to set the bar for data privacy standards around the world, and offers opportunities for closer working practices among international privacy professionals in business and the regulators they engage with.”
Yet while the road to GDPR compliance is slowly being paved with good intentions, early returns suggest many companies still have a long journey ahead of them on their path to compliance. Since the legislation took effect in May of 2018, there have been more than 200,000 reports of minor and major GDPR breaches in over 30 countries according to a report published by the European Data Protection Board — which consists of numerous regulators from across the region. In all, roughly $56 million in fines have been doled out by various watchdog groups, but $50 million of that came from a single fine for Google (3).
According to Mathias Moulin, a panel member of the CNIL (the French watchdog group that handed down the fine to Google), the fine was based on a “massive and highly intrusive” breach and on several different factors — including the “scale… and the size of the company.” While the fine was merely a drop in the bucket for a company like Google, which boasted $137 billion in revenue in 2018, Moulin suggests that the past year “should be considered a transition year.”
That statement suggests that we can expect stronger monitoring and enforcement of GDPR, which serves as a warning to organizations that have not yet prioritized GDPR compliance in their marketing efforts. It seems fair to give businesses (especially small- to mid-sized businesses) more time to implement better procedures for GDPR compliance before handing out major fines, but that time could be quickly running out as GDPR moves into its second year. Therefore, it’s important that you do your best to become GDPR compliant as soon as possible — for both the health of your business and the confidence and security of your customers.