Over the past month your inbox has probably been flooded with announcements of companies that have updated their privacy policies, and no, it’s not a coincidence. It’s a result of the General Data Protection Regulation (GDPR) that went into effect in late May 2018.


If you’re not familiar with the GDPR, allow us to catch you up. The GDPR is a regulation of the European Union (EU) that created guidelines for collecting and processing information of individuals who live in the EU. This regulation includes rules on data management as well as the rights of the individuals. Compliance with the GDPR is required not only of businesses and companies in the EU, but also of any company, business, or organization that collects data from EU citizens. In short, if someone in the EU can access your website or has subscribed to your email list, the GDPR applies to you. If you don’t comply, you could face a fine.


The goal of the GDPR is to take a lot of the technical jargon, terms, and conditions that can be really confusing to those who use your website and make it easier to understand. In the marketing world, this is called the Grandma test. If your Grandma, Grandpa, or even your 15-year-old cousin has no idea what it means after one read-through, you need to revise it.


Aside from the Grandma test, how will you know if your privacy policy is GDPR-compliant? And what should you do if it isn’t? The first step is taking a good look at your policy (if you can’t remember the last time you updated it, it’s definitely time to review it). To be GDPR-compliant, it doesn’t have to be really long or complex. It just needs to clearly communicate the information you collect from your website visitors, how you collect it, why you collect it, and what you use it for. A solid, GDPR-compliant privacy policy will include the following:

  1. A quick statement explaining who you are. This statement should include the company name, how you value your visitors’ information and how you keep it safe, as well as what the privacy policy is about. Remember to write in your usual tone so your brand voice is consistent.
  2. The types of data you collect. This should include:
     1. Cookies (what they are, the reason you collect them, and the information cookies store);
     2. Google Analytics (information collected, whether it is anonymized, why you collect it, and what you do with it);
     3. Wi-Fi, if applicable (explain any information regarding how you monitor guest Wi-Fi access in your physical location);
     4. Mailing lists (give a clear definition of what information you are collecting when a visitor signs up, why you need it, and what you will do with it) – if you use an outside email marketing platform like Campaign Monitor, Constant Contact, or MailChimp, be sure to share that and direct your visitors to your platform’s privacy policy;
     5. Ticketing information, if applicable (include any info collected through your box office system and what the information is used for);
     6. Third parties you share data with, if any. However, don’t refer to them as “third parties.” Be transparent and say who you’re sharing info with and the reason why. (Note whether the information is anonymized, the efforts made to keep it secure, why you’re sharing it, and link to the third party’s own privacy policy if you are able.)
  3. Access to personal information. Let visitors know that they are able to access, edit, or request that their information be deleted from your system at any time. (Include the contact info of the appropriate person to send requests for updates and/or deletion to.)
  4. Changes to the privacy policy. Let visitors know when you’ll review your policy, as well as the date of the most recent update.

So now that you know what you need to do, it’s time to review that privacy policy and make any updates necessary to be compliant with the GDPR. As always, RPS is here to help, so if you’d like us to take a look and help you bring your privacy policy up to date, let us know.
