In today’s online economy, maintaining data privacy and user confidentiality should be the cornerstone of any business with an online presence.
As a business owner, there’s an important piece of legislation from the European Union that you should be aware of called the General Data Protection Regulation, or GDPR for short.
The GDPR is a far-reaching privacy regulation that will quickly catch up with any business that tries to ignore it, anywhere in the world. That’s because the GDPR affects any business that collects data from EU residents, no matter its global location.
This article will detail the specifics of the GDPR including who it applies to, what it requires and how you can comply with it.
What is the GDPR?
The GDPR was brought about in 2016 by the European Parliament after four long years of negotiating and debating the specifics of the policy. It was created as a replacement for the Data Protection Directive 95/46/EC and went into effect in May of 2018.
The regulation was designed as an attempt to bring a modern approach to digital security into Europe. The aim is to provide EU citizens with a stronger grip on the personal information they share online, and to equalize all member-states of the EU with the same legal framework.
Consumers hand over their personal data and information daily, and not just on the Internet. It happens at banks, medical centers, retail shops – almost everywhere. But often, these consumers don’t really know where that data goes or what’s done with it.
By putting frameworks such as the GDPR in place, more power and control is handed back to the individual. This raises the levels of trust felt towards government systems and corporations, which in turn can boost revenue and profit margins for businesses.
Given that such a large portion of monetary transactions occur digitally through online shopping and other ecommerce avenues, it has become imperative that the personal information tied to these activities is protected in a way that minimizes risk to the consumer.
This is why privacy legislation such as the GDPR has become so important.
Who does the GDPR Apply to?
The GDPR applies to businesses that collect and use personal information from residents of the EU, regardless of where the business itself is located. This gives the GDPR a global reach.
If your business offers goods or services to EU residents or monitors the behavior of these residents through data collection, you need to comply with the GDPR unless you fall under a GDPR exemption.
The penalties for failing to comply to the GDPR are strict, with fines of up to four percent of an organization’s yearly turnover or €20 million, whichever is greater, and tiered penalties to a range of infringements.
Different Roles under the GDPR
- A data controller is the party that determines what purposes personal data will be processed for and how the processing shall take place.
- A data processor is the party that processes personal data on behalf of and upon instruction from the data controller. Processors typically obtain, record and store the data on behalf of the data controller. An example of a data processor might be an accounting firm, marketing research company, email newsletter management service (think MailChimp) or cloud service provider.
- A Data Protection Officer (DPO) is required under certain circumstances. This individual is responsible for supervising the strategy behind data protection and ensuring a company is maintaining compliance with the GDPR. The DPO is also in charge of instructing and training the company’s employees on what’s required of them and their organization, and acts as the contact between organizations and the GDPR authorities.These are the circumstances that would require the appointment of a DPO:
- The data processing is performed for or by a public authority.
- The business activities require the regular and systematic processing of consumer data on a large-scale.
- The data involves categories of information defined as sensitive or data relating to criminal offenses.
The different roles come with different requirements, so the distinction is important.
What does the GDPR require?
The GDPR’s main areas of focus are:
- Privacy rights
- Data security
- Data control
As such, a few of the key considerations for compliance include the following:
- Organizations are now held to a higher level of responsibility and accountability regarding the handling, protecting and processing of their customers’ personal data.
- The definition of “personal data” now includes a wider range of information and covers everything from cookies data to Social Security numbers to biometric identifiers.
- Individual consumers now have more rights regarding how organizations interact with their personal data.
- There are much stricter rules regarding consent.
Thanks to the GDPR, there are now several conditions regarding the processing of personal data. These conditions are in place to ensure the data is processed lawfully and fairly.
‘Fair’ data processing refers to an organization providing clarity and openness about how it collects, stores and shares personal information.
Fairness also means an organization is open about its identity and the intent behind gathering consumer data, with assurance that such information won’t be used in misleading, deceitful ways that could have a negative effect on the consumer.
What’s more, individuals must be given a choice as to whether they want to share their information with a business. If they decide against it, they must be provided with a clear, easy way to decline.
Here are some of the specific things the GDPR requires:
Privacy by Design
Privacy by Design (PbD) has been a best practice guide for businesses for decades, but the GDPR is the first regulation to require it by law.
As long as you show that you did your due diligence to ensure privacy and security during the design and creation of your online business, this requirement will be fulfilled under GDPR regulations.
The GDPR makes it clear that EU authorities expect to be informed swiftly and thoroughly of any data breach involving European consumers. Processors must inform their data controllers of any security breach immediately, and EU supervisory authorities must be informed within 72 hours of data breaches.
Make sure you have an action plan in place – both for software programs and human employees – so that everyone knows which processes and alert systems to follow in the case of a data breach.
Legal Bases for Data Processing
It is considered unlawful under the GDPR to collect so much as an IP address or device identifier from an EU resident without a legal basis for processing that data.
These are the possible legal bases for collecting consumer personal data, as listed by the GDPR:
- To fulfill the legitimate interests of someone without intruding upon individual rights and freedoms
- Fulfillment of a contract
- Legal obligation
- Protection of someone’s vital interest
- Public interest of vested authority
For the vast majority of businesses, the only possible legal bases that will apply are bases 1, 2, and 3 in the list above.
In the case of legitimate interests, you must be able to prove that you are fulfilling a specific service or serving a basic need for your customers, and you can only keep the personal data for as long as it takes to fulfill that service.
If your legal basis is fulfillment of a contract, then you would need a written and signed contract from each customer before collecting their information. Because of the obvious complications with methods like these, many businesses rely on consent as a reliable legal basis for data processing.
In order to obtain valid consent, the GDPR states several stipulations, described below.
How to Get GDPR-Compliant Consent
Legal consent is not what it used to be. Under the GDPR, consent is not considered valid unless certain conditions are met. EU user consent must be:
- Freely given – The user should not be obligated to provide data in order to browse a website. Their consent must be freely given under no obligation.
- Specific and informed – Users must be fully informed specifically how their information is being collected and how it will be used.
- Unambiguous – Consent may not be assumed because a user browses a website or fills out a form. No consent checkboxes may be pre-ticked in any type of webform or notice.
If a company chooses to rely on consent as the legal basis for collecting personal data, the consent must be unambiguous, affirmative and freely given.
According to Recital 32 of the GDPR, consent cannot be given by a pre-ticked box or by ‘implied consent.’ Implied consent would be where the continued browsing of the website is taken as consent. Consent also can’t be a precondition of service.
So, how do you get proper consent?
The most effective way is through an active opt-in function.
This is simply a form that has a check a box that users can click on to indicate consent and any other permissions you might like to have, such as subscribing to company mailing lists or other types of opt-in.
These two steps work to create informed consent that a user definitely is ok with sharing personal information (an email address):
However, be aware that an opt-in form must not be marked automatically to “yes” or pre-filled with a checkmark when getting consent.
Consent should also be unbundled. This means that you should separate individual consent requests rather than having them all under one overarching opt-in form.
Examples of unbundled consent might be agreement to your Terms and Conditions and subscribing to your mailing list as separate steps.
Boohoo.com has a great unbundled opt-in selection on its site where users can select the kinds of communications they want to receive.
Below are a few more examples of how consent could be requested to meet GDPR requirements:
The European Central Bank cookies notice is a good example of what it means to get open, specific, and unambiguous about consent:
This will assure that users are given the opportunity to see and understand your data handling policies before submitting any personal data.
Yelp’s signup form is a good example of this:
You will also notice that Yelp does not pre-tick the checkbox for agreeing to marketing communications. Website visitors must freely give their consent by specifically ticking the checkbox in order to receive marketing messages.
Under the GDPR, you must keep a record of all consent given to you by your customers, including how you obtained that consent.
You must include the following in your records:
- The data subjects who gave consent
- A date and time stamp for each instance
- What they consented to
- How they consented
You must also allow consent to be withdrawn at any time. If a consumer requests to withdraw consent, the request should be processed as soon as possible by you or the authorised person responsible for regularly reviewing the consent data.
If you can’t prove that you’ve obtained valid consent from the EU contacts in your marketing communications database, then a repermission campaign may be in order.
A repermission campaign is an email or other form of communication that asks users to confirm their contact details and consent.
The email screenshot below demonstrates a simple way to achieve this:
A campaign like this is an excellent way to update consent records.
Data Protection Impact Assessments
It will be a rare occasion that a Data Protection Impact Assessments (DPIA) will ever be necessary for a small business, but it’s advisable to be informed when this step is necessary.
A DPIA is simply a process for identifying and mitigating potential data security risks in certain situations.
The GDPR requires a DPIA before any data processing occurs if the data processing involved is likely to result in a high risk to the rights and freedoms of individuals.
These are situations in which a DPIA would be required:
- Large-scale automated decision-making or profiling based on user data
- Data processing that involves sensitive categories of information such as such as ethnicity, religion, sexual orientation, criminal records, etc.
- Any large scale systematic monitoring of a public area
3. Contact information: List your business contact information as well as that of your Data Protection Officer (DPO), if applicable.
Yelp keeps its contact section short and simple:
Here’s how Microsoft does this:
4. International transfers: If ever it is necessary to transfer EU user data over international borders, such as when sending data to a third-party processor located in another country, you will need to take some precautions to ensure that all international data transfers are GDPR compliant.
- Follow EU-U.S. Privacy Shield certification or similar EU-certified safeguards to transfer the data.
- Uphold EU Model Contractual Clauses in regard to international consumer data transfers.
Here’s Google’s international transfer clause:
These include the following:
- The right of access – the right to know if their data is being processed and the right of every user to easily access their own personal data.
- The right to be informed – consumers must be informed of how their data is to be used, who it will be shared with, and why.
- The right to rectification – the right to be informed of incorrect data on record and the ability to revise or make changes to one’s own data.
- The right to erasure – any consumer who wishes to have all of their data completely erased from record has the right to make this request free of charge.
- The right to restrict processing – the right to limit or restrict which personal data is processed and how.
- The right to data portability – companies must uphold any consumer’s request to transfer all personal data on record to another company or entity.
- The right to object – consumers may object to the collection or processing of their data at any time.
- The right not to be subject to a decision based solely on automated processing – users may object to being included in automated decision-making or profiling based on their personal data.
- If ever a European resident feels that their privacy rights are not being upheld at any time, they may report privacy infringements to their local EU supervisory authority.
Examples of GDPR Privacy Policies
- What personal information will you be collecting? (Email addresses, IP addresses, first and last names, billing information, etc.)
- Who will be collecting this information? (Specified data collectors, such as you and/or your company)
- Why is the information being collected? (For marketing, access of services, internal business purposes, etc)
- How is the data being stored, and how long is it kept for? (Such as on a network or server database)
- Is it being shared with any other organization? (Parent companies, subsidiaries, third-party services or any affiliates?)
- How can users access their personal data? (In the event where they need to update, correct or delete any of this information)
- How can users easily limit or opt-out of handing over this information?
- Do any of the intended uses of the data have the potential to cause harm or damage to the individual?
Here are some company websites with great Privacy Policies that have been written in compliance with the GDPR.
You don’t need to create such a long clause to address user rights, so long as you do mention them and let your users know how to go about exercising them (such as by contacting you.)
Here’s how Sotheby’s addresses user rights in a shorter clause:
As a business owner, the GDPR will apply to you if you collect or use personal data from residents of any member state within the European Union, regardless of where you’re personally doing business from.
To comply with the GDPR you’ll need to:
- Assess the procedures currently in place within your company regarding the collecting of personal data.
- Be aware of whether you’re a data controller, data processor or both, and what responsibilities come with each role.
- Determine whether or not you need a Data Protection Officer.
- Conduct a Data Protection Impact Assessment if required.
- When getting consent, get proper consent and keep proper records.