Privacy Policy
1) GDPR stands for General Data Protection Regulation.
2) It is about the protection of personal data and the data protection rights of people in the EU.
3) Under GDPR, there are 28 EU countries, including Finland, France, Germany, Italy, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden and the UK, and many more.
4) If you're using Google Analytics or any tool that collects data from people in the EU, it applies to you.
5) It affects all businesses, blogs or tools that interact with EU people's data in any way. If you get a single visitor from the EU countries (mentioned above), it applies to you.
6) GDPR replaces the 1995 EU Data Protection Directive, and goes into force on May 25, 2018.
7) Fines can be as high as €20,000,000; previously it was only €50,000.
8) Update your privacy policy. Need an example? Here we go: www.grammarly.com/new-privacy-policy
Consent must be an active, affirmative action by the data subject, rather than the passive acceptance under some current models that allow for pre-ticked boxes or opt-outs.
Controllers must keep a record of how and when an individual gave consent, and that individual may withdraw their consent whenever they want. If your current model for obtaining consent doesn't meet these new rules, you'll have to bring it up to scratch or stop collecting data under that model when the GDPR applies in 2018.
Under the aim of giving people more control over their information, GDPR ensures people can ask to access their data at "reasonable intervals", with controllers having a month to comply with these requests. Both controllers and processors must make clear how they collect people's information, what purposes they use it for, and the ways in which they process the data. The legislation also says that firms must use plain language to convey these things clearly and coherently to people: it's time to wave goodbye to those confusing, dense terms and conditions.
People have the right to access any information a company holds on them, and the right to know why that data is being processed, how long it's stored for, and who gets to see it. Where possible, data controllers should provide secure, direct access for people to review what information a controller stores about them.
They can also ask for that data, if incorrect or incomplete, to be rectified whenever they want.
GDPR makes it clear that people can have their data deleted at any time if it's not relevant anymore - i.e. the company storing it no longer needs it for the purpose they collected it for. If the data was collected under the consent model, a citizen can withdraw this consent whenever they like. They might do so because they object to how an organisation is processing their information, or simply don't want it collected anymore.
The controller is responsible for telling other organisations (for instance, Google) to delete any links to copies of that data, as well as the copies themselves.