Are You Prepared for the GDPR?
Are you ready for the EU’s General Data Protection Regulation?
The deadline has already passed, but you may still have work to do
to get compliant.
The General Data Protection Regulation (GDPR) went into effect on
May 25th.
Websites attracting EU residents must comply with the GDPR.
Let’s take a look at some of the key requirements of the GDPR.
Legitimate Interests versus Consent
Determine whether you will rely on one of the GDPR’s legitimate interests
for processing data, or if you will rely on consent.
If you go with consent, you must collect informed consent from your site
visitors before collecting personal data from them.
You also must allow visitors to retract consent as easily as they provided it.
As a website owner, you should
adopt clickwrap designs when
obtaining consent.
Use simple language placed in a conspicuous location wherever
you are asking for consent to collect personal data.
Right to Access
If requested, you must provide users with a free electronic copy of the
data you have collected from them, as well as:
The purposes of processing it
Who you have shared the data with
Other information required by Article 15 (1)
(1) Link to: https://gdpr-info.eu/art-15-gdpr/
Right to be Forgotten
If certain grounds apply, data controllers must erase user data upon
request by the subject.
These grounds can be found in Article 17 (2).
(2) Link to: https://gdpr-info.eu/art-17-gdpr/
Data Portability
Data controllers must transfer a user’s personal data to another entity
upon request when:
The legal basis for processing the data is either consent,
explicit consent or contractual necessity, and
The personal data is processed through automated means
Privacy by Design
Your website must be designed with privacy protections in mind.
Embed privacy and security into all aspects of your website
design and functionality.
Focus on security breach prevention rather than remediation.
Respect user privacy and keep your practices transparent.
Data Protection Officers
If you’re required to have a DPO, this person will be someone who:
1. Has expertise in data protection laws
2. Is given appropriate resources to perform duties and maintain
expert knowledge
3. Reports to the highest level of management
4. Has no conflict of interest
Breach Notification
Data controllers must notify a supervisory authority within 72 hours
after a data breach occurs, unless the breach is unlikely to result in
risks.
If the notification is not made within 72 hours, a reason for the delay
must be given.
Data processors must notify the controller “without undue delay” if
a breach occurs.
Privacy Policy Updates
The GDPR requires you to have a Privacy Policy that is written in clear,
concise and easy-to-understand language.
Make sure your Privacy Policy includes the following information:
What information do you collect from website visitors?
Who is collecting it: you, a third party or both?
How are you collecting personal information?
Why do you need personal information?
How do you use the personal information you collect?
Do you share the data with third parties?
What are the potential risks to EU citizens providing you
with their data?
How can EU citizens opt out of giving you their data?
How can EU citizens request a free copy of their data?
How can EU citizens instruct you to transfer their data to
another party?
Put this information into specific clauses with plain and simple
language.
See this example of a clause explaining how personal information
is used:
Penalties
Penalties for non-compliance can be costly.
The GDPR uses a tiered penalty system. Violations can lead to fines
of up to the greater of four percent of “annual global turnover” or
€20 Million.
If you aren’t already prepared for the GDPR, you need to update
your Privacy Policy and make other changes to your business
practices to get compliant.