GDPR Best Practices: How Companies Adapted to Comply

By: Jon Avidor

The European Union’s privacy regulation, the General Data Protection Regulation (GDPR), came into effect on May 25, 2018, prompting companies to quickly review or change the way in which they collect and process users’ personal data. The new regulation gives European Union citizens more control over the private information they share online and applies to all companies worldwide that do business with E.U. citizens. Compliance with GDPR is critical for companies, as non-compliance could cost a company fines of as much as 4% of its annual revenue or 20 million Euros, whichever is more. As a follow-up to an earlier GDPR article, we looked at how companies, including major brands, have changed their terms of use and privacy policies to comply with the newly effective GDPR rules and requirements.

User-Friendly Language and Interface

The crux of GDPR is that users now have the right to their own data and must consent to companies collecting their data by opting in, rather than opting out. For users to understand what data they are divulging, how that data is being used, and what they can do to remove or update their data, companies had to update their terms of use and privacy policies so that the average user could understand them. This required the use of less technical language and the inclusion of definitions for lesser-known or ambiguous terms. For example, Google now includes explanatory videos of how Google uses the data it collects from its users, and Twitter includes scroll-over definitions for terms such as “location data” and “advertising partner data” so that users can have a better understanding of what these terms mean in regard to personal data. These terms are important to define for users because terms such as “location data,” “online identifiers,” or “genetic data” are now deemed to be personal information under GDPR.

Additionally, shifting away from dense, aesthetically unpleasing terms of use and privacy policies, companies have updated their interfaces to create a better user experience. The less technical language, coupled with the more user-friendly interface, has made the terms of use and privacy policy easier and more inviting to read and understand.

Personal Privacy Controls

Most companies now include a privacy settings tab that allows users to review what specific personal data the website has collected, review or rectify that data, and approve what data the website may continue to retain or share. These controls also give users a transparent understanding of how the companies will use the data their users provide. Companies have also included step-by-step tutorials and guides on how users can access and review this information. In some instances, such as LinkedIn, any visitor to the site, regardless of whether the user has a registered account, has the right to access and control their personal data on the site. Some sites only provide this feature for users accessing their site with registered accounts.

Data Protection Officer

The role of a data protection officer (DPO) is mandatory under GDPR for public authorities that process personal data, companies that systematically monitor personal data on a large scale, and companies that collect or process sensitive personal data or data regarding criminal convictions and offenses. The appointed DPO (either a designated employee or a hired outside consultant) must possess expert knowledge of data protection law and practices. The DPO is responsible for educating the company and its employees on important compliance requirements, training staff involved in data processing, and conducting routine security audits.

To comply with GDPR, large-scale data processing companies, such as Salesforce and Google, have appointed DPOs who will be the point person for their users to inquire about the companies’ data collection procedures and policies, both generally and as they pertain to the individual user.

GDPR Compliance Good-Faith Effort

There is no magic language or magic sauce that a company can use to ensure complete and total compliance with GDPR. There are many complexities and unanswered questions regarding GDPR, making it difficult for companies to guarantee complete and total compliance. By demonstrating good-faith efforts to substantially comply with the requirements of GDPR, companies may be able to mitigate the risk of paying the exorbitant fines for noncompliance.