Below is a list, reworked from the European Commission’s online guidance on data protection reform, of some of the things your business may need to consider and work on when reviewing your privacy and data protection policies. Consider each point in relation to both the wording of your policies and your privacy design features.

1. Write your policies in clear straightforward language.

2. You cannot use a user’s data without their affirmative consent. Silence is not consent.

3. If you are transferring data outside of the EU, clearly tell your users.

4. You must have a well-defined purpose for collecting and processing data. If this purpose changes, inform your users about the new purposes.

5. If your business uses automated decision making (such as algorithms) about users based on their personal data, you must inform them and give them the ability to contest it.

6. If there has been a harmful data breach (such as stolen data), you must inform users within 72 hours.

7. You must enable users to move their data from your business to another competing service (so think about developing interoperable formats to enable data portability).

8. Make it easy for users to access the data your business has on them, as they have a right to obtain a copy.

9. Make it easy for users to elect to have their data deleted, with clear safeguards.

10. If a case concerns several EU countries, the European Data Protection Board can provide the 28 protection authorities with guidance and interpretation and adopt binding decisions.

11. If you violate the rules, your business could face hefty fines from the authorities: up to €20 million or 4% of your worldwide turnover!

Useful points to remember

  • The EU GDPR protects natural persons. It does not cover legal persons (entities created by statute). It does not concern the processing of anonymous information, including for statistical or research purposes. It does not apply to the personal data of deceased persons.
  • The processing of personal data must have connection to a professional or commercial activity.
  • Natural persons should be made aware of risks, rules, safeguards and rights in relation to the processing of personal data and how to exercise their rights in relation to such processing.
  • Natural persons have a fundamental (but not absolute) right to protection in relation to the processing of personal data. As stated in the EU Regulation: “The processing of personal data should be designed to serve mankind.” Unless there is a legal, professional or other binding obligation of secrecy, the transmission of personal data is legitimate in the event of a possible criminal act or threat to public security.
  • Maintain records of processing activities under your responsibility, in case you need to demonstrate compliance to a supervising data protection authority.
  • Even if the processing of personal data does not take place in the EU, the EU GDPR applies to the processing in the context of the activities of your business in the EU.
  • Expect a public EU Commission evaluation report by end May 2020 on how the GDPR is tracking.
  • Australian businesses also need to comply with the Australian Privacy Principles (APPs).

Article written on 18 January 2019 by Agnes McKay