In today’s online economy, maintaining data privacy and user confidentiality should be the cornerstone of any business with an online presence.

As a business owner, there’s an important piece of legislation from the European Union that you should be aware of called the General Data Protection Regulation, or GDPR for short.

The GDPR is a far-reaching privacy regulation that will quickly catch up with any business that tries to ignore it, anywhere in the world. That’s because the GDPR affects any business that collects data from EU residents, no matter its global location.

This article will detail the specifics of the GDPR including who it applies to, what it requires and how you can comply with it.

What is the GDPR?

The GDPR was brought about in 2016 by the European Parliament after four long years of negotiating and debating the specifics of the policy. It was created as a replacement for the Data Protection Directive 95/46/EC and went into effect in May of 2018.

The regulation was designed as an attempt to bring a modern approach to digital security into Europe. The aim is to provide EU citizens with a stronger grip on the personal information they share online, and to equalize all member-states of the EU with the same legal framework.

Consumers hand over their personal data and information daily, and not just on the Internet. It happens at banks, medical centers, retail shops – almost everywhere. But often, these consumers don’t really know where that data goes or what’s done with it.

By putting frameworks such as the GDPR in place, more power and control is handed back to the individual. This raises the levels of trust felt towards government systems and corporations, which in turn can boost revenue and profit margins for businesses.

Given that such a large portion of monetary transactions occur digitally through online shopping and other ecommerce avenues, it has become imperative that the personal information tied to these activities is protected in a way that minimizes risk to the consumer.

This is why privacy legislation such as the GDPR has become so important.

Who does the GDPR Apply to?

The GDPR applies to businesses that collect and use personal information from residents of the EU, regardless of where the business itself is located. This gives the GDPR a global reach.

If your business offers goods or services to EU residents or monitors the behavior of these residents through data collection, you need to comply with the GDPR unless you fall under a GDPR exemption.

The penalties for failing to comply with the GDPR are strict, with fines of up to four percent of an organization’s yearly turnover or €20 million, whichever is greater, and tiered penalties for a range of infringements.

Different Roles under the GDPR

The different roles come with different requirements, so the distinction is important.

What does the GDPR require?

The GDPR’s main areas of focus are:

As such, a few of the key considerations for compliance include the following:

Thanks to the GDPR, there are now several conditions regarding the processing of personal data. These conditions are in place to ensure the data is processed lawfully and fairly.

‘Fair’ data processing refers to an organization providing clarity and openness about how it collects, stores and shares personal information.

Fairness also means an organization is open about its identity and the intent behind gathering consumer data, with assurance that such information won’t be used in misleading, deceitful ways that could have a negative effect on the consumer.

What’s more, individuals must be given a choice as to whether they want to share their information with a business. If they decide against it, they must be provided with a clear, easy way to decline.

Here are some of the specific things the GDPR requires:

Privacy by Design

Privacy by Design (PbD) has been a best practice guide for businesses for decades, but the GDPR is the first regulation to require it by law.

PbD simply refers to business practices, websites, and data handling processes that are designed with privacy and data security in mind. Every aspect of your business, from the design of your Privacy Policy to the way you collect data from customers, should be created with thorough privacy and security practices from the outset.

As long as you show that you did your due diligence to ensure privacy and security during the design and creation of your online business, this requirement will be fulfilled under GDPR regulations.

Breach Notifications

The GDPR makes it clear that EU authorities expect to be informed swiftly and thoroughly of any data breach involving European consumers. Processors must inform their data controllers of any security breach immediately, and EU supervisory authorities must be informed within 72 hours of data breaches.

Make sure you have an action plan in place – both for software programs and human employees – so that everyone knows which processes and alert systems to follow in the case of a data breach.

It is considered unlawful under the GDPR to collect so much as an IP address or device identifier from an EU resident without a legal basis for processing that data.

These are the possible legal bases for collecting consumer personal data, as listed by the GDPR:

  1. Consent
  2. To fulfill the legitimate interests of someone without intruding upon individual rights and freedoms
  3. Fulfillment of a contract
  4. Legal obligation
  5. Protection of someone’s vital interest
  6. Public interest of vested authority

For the vast majority of businesses, the only possible legal bases that will apply are bases 1, 2, and 3 in the list above.

In the case of legitimate interests, you must be able to prove that you are fulfilling a specific service or serving a basic need for your customers, and you can only keep the personal data for as long as it takes to fulfill that service.

If your legal basis is fulfillment of a contract, then you would need a written and signed contract from each customer before collecting their information. Because of the obvious complications with methods like these, many businesses rely on consent as a reliable legal basis for data processing.

In order to obtain valid consent, the GDPR states several stipulations, described below.

How to Get GDPR-Compliant Consent

Legal consent is not what it used to be. Under the GDPR, consent is not considered valid unless certain conditions are met. EU user consent must be:

If a company chooses to rely on consent as the legal basis for collecting personal data, the consent must be unambiguous, affirmative and freely given.

In order for consent to be obtained fairly, you have to first give your consumers as much transparency as possible so they know exactly what they’re agreeing to. This can be done effectively through your Privacy Policy, as long as you provide clear, understandable information within it.

According to Recital 32 of the GDPR, consent cannot be given by a pre-ticked box or by ‘implied consent.’ Implied consent would be where the continued browsing of the website is taken as consent. Consent also can’t be a precondition of service.

So, how do you get proper consent?

The most effective way is through an active opt-in function.

This is simply a form with a checkbox that users can click to indicate consent, along with any other permissions you might like to have, such as subscribing to company mailing lists or other types of opt-in.

In the following example, the only way consumers can subscribe to emails is by checking a box saying they’ve read the Privacy Policy and by manually typing in an email address.

These two steps work together to create informed consent, showing that the user is definitely okay with sharing personal information (an email address):

Tech New Statesman: Example of checked checkbox for clickwrap when users read Privacy Policy

However, be aware that an opt-in form must not be marked automatically to “yes” or pre-filled with a checkmark when getting consent.

Consent should also be unbundled. This means that you should separate individual consent requests rather than having them all under one overarching opt-in form.

Examples of unbundled consent might be agreement to your Terms and Conditions and subscribing to your mailing list as separate steps.

Boohoo.com has a great unbundled opt-in selection on its site where users can select the kinds of communications they want to receive.

Boohoo's opt-in form using checkboxes and clickwrap for consent to news and communications

Below are a few more examples of how consent could be requested to meet GDPR requirements:

Cookies

If you use cookies, you’ll need to give notice of this and get consent to use them.

The European Central Bank cookies notice is a good example of what it means to get open, specific, and unambiguous about consent:

European Central Bank's cookie consent banner

Website visitors are informed clearly that the website uses cookies to collect data anonymously. There’s an option to learn more about how the website uses cookies that visitors can check out before deciding whether to accept or decline the use of cookies.

Contact Forms

When collecting information via online contact forms, link to your Privacy Policy and require users to click something to show they agree with your Policy before submitting their information.

This will assure that users are given the opportunity to see and understand your data handling policies before submitting any personal data.

Yelp’s signup form is a good example of this:

Yelp: Sign-up form with checkboxes for GDPR consent

You will also notice that Yelp does not pre-tick the checkbox for agreeing to marketing communications. Website visitors must freely give their consent by specifically ticking the checkbox in order to receive marketing messages.

Under the GDPR, you must keep a record of all consent given to you by your customers, including how you obtained that consent.

You must include the following in your records:

You must also allow consent to be withdrawn at any time. If a consumer requests to withdraw consent, the request should be processed as soon as possible by you or the authorised person responsible for regularly reviewing the consent data.

If you can’t prove that you’ve obtained valid consent from the EU contacts in your marketing communications database, then a repermission campaign may be in order.

A repermission campaign is an email or other form of communication that asks users to confirm their contact details and consent.

The email screenshot below demonstrates a simple way to achieve this:

Screenshot of repermission email from Pure Outdoor and The Adventure Hub

A campaign like this is an excellent way to update consent records.

Data Protection Impact Assessments

It will be a rare occasion that a Data Protection Impact Assessment (DPIA) is necessary for a small business, but it’s advisable to know when this step is required.

A DPIA is simply a process for identifying and mitigating potential data security risks in certain situations.

The GDPR requires a DPIA before any data processing occurs if the data processing involved is likely to result in a high risk to the rights and freedoms of individuals.

These are situations in which a DPIA would be required:

Update your Privacy Policy

When it comes to your Privacy Policy, the GDPR has some requirements that may mean your Policy will need some changes:

1. Clear, plain language: The Privacy Policy must be written in clear language that’s easy to understand, and it must be made easily accessible to anyone who comes into contact with your online business.

Google’s simple, clearly written Privacy Policy with concise lists, visuals and short sentences demonstrates this idea. The Policy is linked in the footer of every single Google search page:

Screenshot of excerpt from Google Privacy Policy What types of data is collected clause

2. Legal basis: The Privacy Policy must state your legal basis for processing consumer data. This is another section well-represented in the Microsoft Privacy Policy:

Microsoft Privacy Statement: Excerpt of clause for legal bases - GDPR

3. Contact information: List your business contact information as well as that of your Data Protection Officer (DPO), if applicable.

Yelp keeps its contact section short and simple:

Yelp Privacy Policy: Contact clause for data privacy manager

If your business does require the appointment of a DPO, make sure that the contact information for this person is included within the Privacy Policy.

Here’s how Microsoft does this:

Microsoft Privacy Statement: Excerpt of clause for legal bases - GDPR

4. International transfers: If ever it is necessary to transfer EU user data over international borders, such as when sending data to a third-party processor located in another country, you will need to take some precautions to ensure that all international data transfers are GDPR compliant.

Here’s Google’s international transfer clause:

Google Data Transfer Frameworks: Privacy Shield Frameworks clause

Here’s how Facebook addresses international data transfers in a Privacy Policy clause:

Facebook Data Policy: International Data Transfer clause

5. EU consumer rights: Your Privacy Policy must mention the specific rights granted to EU-based consumers under the GDPR.

These include the following:

Although this may seem like a weighty clause to include in your Privacy Policy, it doesn’t have to be as detailed as you may think. Many companies find ways to condense it into a digestible clause, such as this version by DKNY:

DKNY EU Privacy Policy: Your Rights clause - GDPR

Examples of GDPR Privacy Policies

When writing your Privacy Policy, there are several questions you should keep in mind:

By tailoring your Privacy Policy around answering these questions, you should be able to protect both your company and your consumers.

Here are some company websites with great Privacy Policies that have been written in compliance with the GDPR.

Slack’s Privacy Policy effectively details the different types of information it collects from users of its virtual workspace and how that information is received (whether it’s collected by Slack or provided by the users).

Slack Privacy Policy: Information We Collect and Receive clause

Trello’s Privacy Policy states how it collects information from its users.

Trello Privacy Policy: Information you provide to us clause

Google’s Privacy Policy informs users about how they can adjust privacy settings and controls quickly and easily at any time.

Google Privacy Policy: Your Privacy Controls and choices clause

The New York Times‘ Privacy Policy lists its different purposes for collecting user data and includes what the legitimate interest for doing so is:

The New York Times Privacy Policy: What do we do with the personal information we collect about you clause

Here’s how the Unison UK Privacy Policy includes a clause about data subject rights under the GDPR:

Unison UK Privacy Policy: Clause for rights of data subjects under the GDPR

You don’t need to create such a long clause to address user rights, so long as you do mention them and let your users know how to go about exercising them (such as by contacting you.)

Here’s how Sotheby’s addresses user rights in a shorter clause:

Sotheby's Privacy Policy data subject Rights clause for GDPR compliance

Conclusion

As a business owner, the GDPR will apply to you if you collect or use personal data from residents of any member state within the European Union, regardless of where you’re personally doing business from.

To comply with the GDPR you’ll need to:
