Why a Privacy Policy Change is Not Enough for GDPR

December 06, 2018
Chief Information Security Officer
Tomas Honzak serves as the Chief Information Security Officer at GoodData, where he built an Information Security Management System compliant with SOC 2 and HIPAA, enabling the company to help Fortune 500 companies distribute customized analytics to their business ecosystem. Tomas finds his passion in enabling synergies between agile methodologies and a standards-based process approach and is a DevOpsSec enthusiast. Prior to his position at GoodData he led the Quality, Business Processes and Security department at Acision, a former Logica Mobile Networks division. He lives in Prague, Czech Republic and holds an MSc. from Charles University, the oldest university in Central Europe.

The frenzied attempts at ensuring GDPR compliance before the legislation went into effect in late May 2018 have given way to a much more subdued outlook on GDPR, especially within the United States. In particular, I’ve noticed that some companies—most notably social networking companies—have dealt with GDPR by simply updating their privacy policy. However, continuing with “business as usual” and a shiny new privacy policy is not enough to ensure compliance with GDPR.

To be sure, GDPR does dictate that privacy policies must be updated. Article 12 stipulates that companies must provide information using language that is transparent and easy to understand. Even though the act of rewording the privacy policy into a text even a non-lawyer would understand can be challenging on its own, companies who only change their privacy policies without reconsidering their approach to personal data have missed the point of GDPR.

GDPR requires limiting data collection to legitimate reasons

Plain and simple, at its core, GDPR prohibits the collection of personal data unless there’s a legitimate business reason for it. Let's look at an example of data that are commonly collected and at some different scenarios to see where there’s a legitimate business case for it.

Let’s say I want to buy wine from an online merchant, and I’m asked to provide my date of birth before I can complete my purchase. In this case, there is obviously a legitimate, legal reason for the wine merchant to collect this data, and if they only use the data to validate my age, then they are fully compliant with GDPR. However, they may want to use my birthday so that they can send me a discount offer a week beforehand, or maybe send targeted offers for large volumes of cheap wine ahead of a student’s 25th birthday or for a special discount on a 50-year-old bottle of Martell cognac for someone turning the same age. In these cases, the merchant would need to ask for permission—or, in GDPR terms, a consent—before they start doing so. Again, the consent needs to be presented in a way that is clear and easy to understand, not hidden behind legalese.

What if they want to use the age information to analyze my spending habits? This is where GDPR does not have a clear and straightforward answer, so companies may need to do a privacy impact assessment. Collecting information on age can clearly help this merchant’s business by improving their stock management based on their customers' age. Does it bring any disadvantage for me as an individual whose birthday they have collected? Probably not. But do they need to collect my full birthday? I would argue that just my year of birth, or an even vaguer “age group”, would suffice. This still helps them improve their stock prediction, but it minimizes the risk for me as their customer in case of a data breach. And that is exactly how GDPR envisions companies would approach the collection of personal data.
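The wine-merchant scenario above, as an added example that is not from the original article: the legal age check is done against the full date of birth at checkout, but only a coarse age group is persisted, and the exact birth date is retained solely when the customer has consented to birthday offers. The legal age of 18, the band boundaries, and the `StoredCustomer` record are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

LEGAL_AGE = 18  # assumption: minimum purchase age in the merchant's jurisdiction

# Coarse age groups (assumed); an upper bound of None means "and above".
AGE_BANDS = ((18, 24), (25, 34), (35, 49), (50, 64), (65, None))


def age_on(dob: date, today: date) -> int:
    """Completed years between dob and today, handling a birthday later this year."""
    years = today.year - dob.year
    if (today.month, today.day) < (dob.month, dob.day):
        years -= 1
    return years


def age_band(age: int) -> str:
    """Map an exact age to the coarse label that stock planning actually needs."""
    for low, high in AGE_BANDS:
        if age >= low and (high is None or age <= high):
            return f"{low}+" if high is None else f"{low}-{high}"
    raise ValueError("age below the lowest band")


@dataclass(frozen=True)
class StoredCustomer:
    customer_id: str
    age_band: str
    birthday_offers_consent: bool
    birth_date: Optional[date]  # kept only when the customer consented to birthday offers


def register(customer_id: str, dob: date, today: date,
             birthday_offers_consent: bool = False) -> StoredCustomer:
    """Verify legal age at checkout, then persist only what the stated purposes require."""
    age = age_on(dob, today)
    if age < LEGAL_AGE:
        raise ValueError("customer is under the legal purchase age")
    # The legal obligation covers the age check itself; the exact birth date is
    # retained only for the purpose the customer explicitly consented to.
    return StoredCustomer(
        customer_id=customer_id,
        age_band=age_band(age),
        birthday_offers_consent=birthday_offers_consent,
        birth_date=dob if birthday_offers_consent else None,
    )
```

A breach of the customer table then exposes an age band rather than a full birth date for every customer who never opted in.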

Best practices for companies looking to ensure ongoing GDPR compliance

I find that many companies get bogged down by the sheer volume of articles in GDPR—which is perhaps why so many have started by just updating privacy policies—and struggle to grasp the need for and purpose behind GDPR. I suggest taking these 5 actions to shift their mindsets regarding GDPR:

  1. Make an effort to understand the underlying reasons why GDPR was created and what it’s trying to accomplish
  2. Understand the culture that created GDPR, and understand that other parts of the world place a different value on personal privacy
  3. Take inventory of what data your company collects, and compare that to GDPR’s definition of “personal information”
  4. Consider how that data is being used—whether it’s for the business’s advantage to try and extract more money from individuals at the cost of their privacy, whether it’s a need driven by the law, or whether the business can benefit from the information without taking an unfair advantage. These are all legitimate scenarios as long as you get consent when you might be taking an advantage and inform the person. In all other cases, limit the collection only to the data you really need.
  5. Document everything, including all decisions and adjustments made, to prove that your company has made a “good faith” effort to be in compliance if audited. Even more important, make sure your privacy policy and privacy notices give individuals a good understanding of what you do with the data you collect.

Ensuring GDPR compliance is an ongoing endeavor that constantly evolves as the regulation is updated and new issues come to light. While it may be tempting to consider a privacy policy update as a way to skirt some of the more major changes required by GDPR, companies will need to be a lot more proactive if they want to avoid fines or legal action.