Do I actually need a GDPR-compliant privacy policy?

All that talk about the General Data Protection Regulation (GDPR) has fuelled the business world’s scramble to update their privacy policies.

But despite the hype and horror stories about noncompliance, not all businesses need to be GDPR ready. For a business owner, this probably comes as a relief as meeting the requirements laid out by the GDPR demands a considerable amount of time, money and effort!

Before you commit to overhauling your current practices and beaming out new privacy notices, here’s what you should know about the GDPR, whether it applies to you, and the risks of noncompliance.

Who doesn’t need to be GDPR compliant?

Because the GDPR was developed specifically to protect people within the European Union (EU) and the European Economic Area (EEA), the laws could impact any business that engages with individuals or other businesses located within those boundaries.

Your business might not need to comply with the GDPR if:

• You don’t have a physical presence in the EEA
  A common example would be whether your business employs people who are based in the EEA — in which case, you’d need to protect their personal data in compliance with the GDPR.
• You do not offer products or service to customers based in the EEA
  So, for example, if you’re a US-based retailer shipping only within the US, and your business does not engage in marketing activities with EEA-based prospects, the GDPR probably won’t apply to you.
• You do not process the personal data of people located in the EEA
  Processing refers to the collection, recording, storage, access, editing or deletion of personal data, which is information that can be used to personally identify someone.
• Your business has less than 250 employees
  The GDPR makes some exceptions for small- and medium-sized businesses, so long as your data processing activities don’t threaten the data rights and freedoms of people within the EEA, are conducted infrequently, and do not touch sensitive personal data. (Data classified as “sensitive” by the GDPR includes information about your customers’ racial background, health, religious beliefs, political opinions, genetics, and biometrics.)

While the GDPR makes a more complicated task of online business and digital marketing, it’s important to appreciate why the laws were created. Currently, there is no global standard for data protection. Different regions, countries and states are subject to different laws with varying degrees of enforcement.

To provide a more cohesive and effective framework to safeguard people’s privacy, the new GDPR laws were created and came into effect in 2018. Besides mandating full compliance throughout the EU and EEA, the GDPR gives people more control over their personal data than ever before and is already inspiring new legislation around the world.

What are the penalties for noncompliance?

If your business needs but doesn’t currently have a GDPR-compliant privacy policy, it may be deemed noncompliant and attract a significant fine.

Depending on your level of infringement (and other criteria), a fine can range from €10–20 million or 2–4% of your annual revenue from the previous financial year.

Besides the financial penalty, you may also be putting your customers’ privacy, and trust in you, at risk. Each new report of a data breach and privacy violation contributes to the growing groundswell of consumer concerns. To stand apart, as worthy and credible brands, businesses would do well to align with the GDPR’s move towards trust and transparency.

Whether you need to be GDPR-ready or not, set your business up for success by making a habit of regularly reviewing your privacy policy and all related business processes. This ensures your practices continue to comply with the applicable data protection laws, doing right by your industry and your customers.

Do you need a GDPR-ready privacy policy? We’ve got you covered.

Get the right start on a compliant privacy policy with our easy-to-use generator. Generate your privacy policy now.