.png)
Alex Franch
On 20 August 2021, the Data Protection Commission (DPC) slammed WhatsApp with a €225 million GDPR fine. The WhatsApp team failed to properly explain how they process data across borders in their GDPR policy.
Was the fine worth it? Or just a political shake-down?
At its core, GDPR gives your users more control over their personal data. Yes, big tech companies already have a scary amount of data about how you fry your bacon. At least with GDPR, you sleep better knowing you can ask them to delete everything, anytime.
GDPR compliance is a critical part of protecting your business and your customers. Being compliant means people can trust that your organization collects personal data legally and under strict, transparent conditions. Your users and clients know you protect their data from misuse and exploitation, as well as respect their rights to recall whenever they choose to.
Now back to the WhatsApp problem. What went wrong?
After the fine, the messaging service added more detail on why they share data across borders and the legal bases for users' information they process. Even for a corporation as large as WhatsApp, it’s not very easy to make sure your policy documents stay up-to-date on everything your business is doing with data, from collection to processing to storage.
You make changes to business processes very often. Should your policy documents follow suit?
How do you know it is time for a change/update?
Most times your GDPR policy does not require a complete overhaul as long as you’ve got the underlying structure right.
For reference, a great structure answers these questions (at least):
- What personal information do you collect?
- How and why do you collect this information?
- How do you use this information?
- How do you keep this information safe?
- How long is this information kept?
- Is this information shared or sold? If so, with whom?
- Do any third parties collect personal information or have access to the information you have collected?
- Do you use cookies? How?
If the answer to these questions ever changes, you would need to update your policy document.
Is this regular update absolutely necessary?
The average total cost of a, data breach is USD 3.86 million. Before you raise your hands about not having that kind of money, this cost includes betrayed trust, tarnished goodwill, and trampled honour. Priceless intangibles.
Sometimes the bark is louder than the bite. The last thing you want is to be fined for a violation of GDPR rights or a data breach. Taking active, transparent steps to protect the data your customers entrust with you is simply….responsible.
How often should you review your GDPR?
Short answer: As frequently as the data you handle and the way you handle data changes.
Since it’s so easy to get swept into the labyrinth of corporate activities, I recommend you review your GDPR policy at least once a year so that it reflects how you currently process data. Some certifications, (like the ,California Consumer Privacy Act) contain a clear requirement that organizations must update their policies at least once every 12 months.
Is there any other reason you might need to update your GDPR?
GDPR law and regulations do change.
It doesn’t matter whether you care much about daylight savings. If you don’t update your calendar, you could miss important meetings.
Similarly, governmental laws and regulations change from time to time. Ignorance of the law never made a good defence. It’s your responsibility to look out for these changes and update your GDPR compliance document accordingly.
Your team finds it difficult to implement your GDPR policy guidelines.
If you notice your actual data usage differs from what’s in your policy document, something needs to change. Your process, or your document.
Privacy policies and GDPR compliance documents that are impractical to implement are more common than you would suspect, especially among start ups. In my experience, the usual culprit is somebody copying and trying to adapt a generic or competitor’s template. Square pegs, round holes.
It’s easy to confirm that your organisation’s policy document is still valid by re-iterating your use cases. You could always book a free consultation with us to get a second, more professional opinion.
Some privacy policy violation happened.
Employees revealed something they shouldn’t? A hacker compromised your system? Or did you get fined?
Privacy policy violations happen whether you expect them or not. As part of your official response to a breach, it is often a great idea to update your GDPR policy to handle future occurrences. It took WhatsApp less than two months to push out a new change (pretty quick for an organisation that size).
You introduced a new product or service.
Introducing a new product or service to your consumers means some update or addition to your process. Which roughly translates to a need to update your GDPR compliance document.
For example, if you introduce a new product for children, you need to update your GDPR or that could trigger special child privacy laws. An example of such a law is the Children's Online Privacy Protection Act (COPPA), which mandates special handling of data for children under 13.
How do I update my GDPR?
One way would be to have a lawyer on retainer. If you are a startup large enough to justify the legal cost, then definitely go for this. Having a professional keep an eye out for you will save you a lot of money in potential fines. And you can’t really put a price tag on worry-free sleep.
Picture it. A worry-free sleep.
If you don’t have a lot of legal work to justify paying lawyer fees, a solution like Privasee is the next best thing. A service put together by lawyers to keep your legal costs low while giving you the needed legal umbrella. Privasee experts ensure you have Privacy policies and GDPR compliance documents that stay updated as the tide changes.
A third option would be to do it yourself. If your company is small, and you have the time to keep up with changes in the legal space, you can absolutely do this. It might help to subscribe to our newsletter to stay up-to-date on things you need to look out for.
Conclusion
GDPR is an ever-evolving regulation that responds to cross-border law changes, deltas in political and technological climates, government pulses and public concerns.
As such, your company’s GDPR compliance document cannot afford to go stale. Fines are no fun. You have more important things to do with money. Also, trust takes a long time to build. Being outed for a policy breach doesn’t help.
Let Privasee take away the stress, so you can focus on your business with full legal confidence.
Learn more
Related posts
.png)
%20-%20what%20is%20it%2C%20explained..png)
FAQ
Frequently asked questions
Do I need to connect all my tools and third parties?
We never have access to any of your data, our platform is able to scan each tool and provide recommendations without needing to access any of the data within those tools. There's no need for your dev' team to do anything, there are no security risks, just tell us the tools you use and we will do the rest.
What is the scope of my privacy policy?
Our policies are not just about my website or service. Once set up, our platform will help you map-out internal and external processes, such as HR, finance, and more!
Do I need to replace my current policy for the privacy portal?
We recommend replacing your current policy with our policy, this way you’ll remain compliant as your business changes and as the laws update.
Do I need help filling out my details?
Setting up is easy, just follow the on-screen commands and go through a few short steps to add your tools. You don't need any technical ability, anything you don't know the answer to you can ask us via our live chat or add later.
Why can’t I just use a template and add it to my website myself?
A template will not be applicable to your particular business as there are many things to consider for each tool you use. Also the template will not automatically update when changes happen in your business and when changes to GDPR laws are released. This can leave you vulnerable to breaking GDPR laws.
What if you don’t have the tools and third parties that I have?
We have a huge selection of tools pre-loaded and anything you don't see you can add directly from the platform as well as mapping data for any custom software you may use.
Which plan should I choose?
Our Essential Plan is perfect for people just getting started, small businesses, self-employed people and early stage companies. It allows you to get set up and start making your site GDPR compliant. You can move to our pro plan when you grow and your needs become more complex.
Our Pro Plan is aimed at SMEs and is our most popular plan as it includes everything you'll need such as a cookie banner, multiple languages as well as dedicated support.
Our Agency Plan is aimed at businesses that operate with clients needing GDPR solutions. The plan allows you to onboard clients as well as benefit from the Pro Plan for your own site.
Our Enterprise Plan is our most customisable and inclusive plan aimed at large, corporate businesses. We will essentially build you a bespoke plan with full maintenance support, onboarding classes and full company-wide access.
Feel free to get in touch to discuss our GDPR Compliance Software solution.
How easy is it to set up?
Signing up is super easy. The platform will ask you a few basic questions and then you can add your tools - don't worry if you don't know them all, you can come back and add tools at any point. The platform will then generate you the correct privacy policy based on your information, you can there share it directly on your site. That's it!
What size companies is Privasee aimed at?
Privasee has a plan for smaller companies as well as larger enterprise companies. For companies small to medium you can signup directly. For bigger enterprise companies get in touch with your requirements and our team will build you a bespoke plan.
I already have a privacy policy, do I need Privasee?
You have a legal responsibility to keep your policy up to date with every change in legal requirements for every tool you have. With Privasee you are always covered.