It’s time to update your Privacy Policy to comply with the General Data Protection Regulation (GDPR). This policy, along with other documents, serves to legally protect your information and rights, as well as keep you out of trouble with your site visitors. It’s especially important with the new GDPR regulations going into effect May 25, 2018. Fines for ignoring the GDPR are very high, with a maximum fine of almost $25 million.

What is a Privacy Policy?

According to our friends at Wikipedia, “A privacy policy is a statement or a legal document (in privacy law) that discloses some or all of the ways a party gathers, uses, discloses, and manages a customer or client’s data. It fulfills a legal requirement to protect a customer or client’s privacy.”

Why Does It Matter?

With the popularity of social media and online businesses, consumers are becoming more aware of, and concerned with, the information about them that is being collected, stored and used. The main purpose of a privacy policy on a website is to inform visitors of the type of information that may be collected when they visit the site. This may be something as simple as the “cookies” that are stored so that when visitors return to your site, it is easier for them to log in, register or even just be recognized as returning visitors. It could also cover any contact information they may give you, the information you collect, such as phone numbers or email addresses, and other types of data not mentioned here.

If you think your business is too small to worry about a privacy policy, you may want to think again. In light of all the breaches publicized daily, consumers are paying attention, and a good privacy policy helps you build trust with your website visitors. Privacy policies should focus on being transparent and should be helpful to visitors, not a bunch of legal terms that no one understands.

There are many places online that can provide you with an example of a standard privacy policy. But as tempting as it may be to just copy and paste those samples, it’s not recommended. The Better Business Bureau states: “There is no cookie-cutter privacy policy. Your business is unique and your privacy policy should reflect that. Seek legal guidance before you finalize your policy. You are legally liable if you fail to abide by your privacy policy statement or if the statement does not comply with local and national laws.” And keep in mind that as your business and website change, your privacy policy may need to be updated.

What is the GDPR?

In 2012 the European Commission met to formulate new protections for its citizens’ personal data and privacy. That work has been completed, resulting in the new GDPR taking effect on May 25, 2018. In a nutshell, this is a new set of rules that gives EU citizens more control over their personal data. It makes it easier for someone to access their data, ask for it to be deleted, understand what’s being collected and how, and more. It is a serious effort to keep consumers safe. You can learn more about it here.

Does GDPR Apply to My Business?

GDPR applies to any organization operating within the EU, as well as those outside of the EU which offer goods or services to, or collect information about, customers or businesses in the EU. Something as basic as the cookies your site automatically collects is considered a collection of information. So basically, if your website can be accessed by anyone in the EU, it applies to you.

What if I Don’t Comply with GDPR?

Fines can reach a maximum of over 23 million dollars or 4% of the business’ annual global turnover. The amount of a fine will vary based on company size, level of effort to protect data, transparency of communication, reporting of data breaches, the way data is collected and other factors.

It appears that those businesses who act promptly to update their policies and show an appropriate effort to follow these new rules will receive more leniency than those who do nothing. Even if you can’t get everything done in time, just getting started and letting your website visitors know you’re changing your policy shows an effort that will be taken into consideration.

How Do I Make My Website GDPR-Compliant?

Step 1: Review & Identify

Find all the places personal customer information is stored on your website. Find out what information you’re collecting and make sure you, and any 3rd party partners, are asking permission to collect this information.

Step 2: Permissions & Information

Understand the journey website visitors take when they use your website. When you ask for information, be sure it happens during the right part of that journey. Random requests for information when it isn’t clear why you need it are a signal your website may not be GDPR-compliant. When you do ask for permissions and information, make sure you do so before you collect that information.

Step 3: Talk to Your Attorney

Now is the time to touch base with your attorney to ensure your processes are compliant with GDPR. Your attorney can make sure your GDPR policy statement is legally written. This is also a good time to get your tech team on board to build and set up the Information Technology (IT) part of the process.

Step 4: Delete or Conceal

Once you have used the information for the customer-approved reason, remove it by either deleting it or concealing it. Make sure you have an automatic process to ensure this step doesn’t get missed.

You can see a copy of my Privacy Policy on my website here. I hope this information has been helpful to you and provides, at the least, a place to start. Please share this information with others who might benefit. And, as always, I welcome your comments!

You should also have these common documents on your website: Copyright, Website Disclaimer, Terms & Conditions and any other documents suggested by your attorney.

I am not an attorney in the state of Arizona nor in any other state. I do not have any special training to present the facts of law to you. So anything I say here is my own opinion from the research I have done and legal folks I’ve talked with about my particular situation. I strongly encourage you to seek legal counsel for your own situation to protect your rights and business. These statements apply to the United States of America and may not apply to other countries.
Sherree Mongrain was an early adopter of social media and has watched the internet transform the way we work, play, and live for over 18 years. Her unique perspective and straight-forward approach make her popular with entrepreneurs and small businesses who want actionable information they can understand and that helps them grow their business. She specializes in online marketing strategy and planning, creating content (blogs, website pages, graphics, and videos), and working specifically with small business owners.