
What does GDPR compliance mean for me?

While the GDPR introduces new requirements for what you should say in your website’s privacy statement, you need more than a “GDPR ready” privacy policy to be GDPR-compliant.

What is the GDPR?

GDPR stands for General Data Protection Regulation — it’s a new set of rules within European Union (EU) law that covers data protection and privacy.

It’s fundamentally concerned with how data is collected and used, the obligations and conduct of parties responsible for collecting and handling data, and the transparency of communication around transferring and processing data. The GDPR aims to give EU citizens and residents more control over their personal data.

I live outside the EU. Does the GDPR apply to me?

The GDPR applies to businesses:

  • established in the EU, regardless of whether personal data is processed in the EU;
  • not established in the EU but that offer goods or services to EU-based individuals (free or paid); or
  • not established in the EU that monitor EU residents’ behaviour.

The GDPR most likely affects you in some way if:

  • you get data processed in the EU or EEA;
  • you take data processing directions from someone in the EU or EEA;
  • you export data out of the EU or EEA;
  • you import data into the EU or EEA; or
  • you collect information from someone in the EU or EEA.

Will a Privacy Policy make me GDPR-compliant?

Simply having a “GDPR ready” privacy policy statement on your website is not enough to make you compliant with the GDPR — no matter where you get it from.

Think of your privacy policy statement as a promise to your users. Your privacy policy may say you allow users to unsubscribe from your direct marketing — which complies with GDPR requirements governing user rights and transparent communication. However, if you still send marketing materials to your users after they’ve unsubscribed, you are not actually GDPR-compliant. Privacy policy statements provide a viable starting point for making your GDPR-ready promise, but they are not a substitute for you keeping that promise. To be fully compliant with the GDPR, you need to have “GDPR ready” business practices around handling user data.

All policies are of a general nature, based on typical, reasonable and fair use of information. They may not be suitable for websites that collect or process large volumes of personal information or sensitive personal information, nor for websites which have unusual uses of personal information.

We encourage you to seek independent advice on the operational and legal requirements that may apply to your individual business or website, and to ensure your generated privacy policy covers your unique business practices.