Many small and medium businesses think GDPR compliance is a long road ahead and delay it as much as possible. However, it is neither as long nor as expensive as it may seem.
This guide will explain:
- What every single online business has to do, and
- What some businesses may need to do as well.
Although the regulation raised the bar for companies, protecting your users’ data should not be a problem if you are serious about your business.
And it is not hard to comply.
Here, we explain the minimum you, as an online business owner, should do to comply, so you can drop the doubt that it involves lots of work.
No matter at what stage you are with your online business, you have to:
Now onto each one of these:
You have to have reasons to process users’ data. For most businesses, the reasons include:
Determining the why behind the data processing is the first step before proceeding with the categories of data you’ll need.
When you know why you need to process personal data, you must determine what data categories will help you get there.
Data categories are the types of personal data, such as names, email addresses, home addresses, SSNs, political views, biometric data, etc.
So, if you need to process users’ data for marketing purposes, you may need email addresses to send newsletters or online identifiers allowing you to retarget.
You may install Google Analytics, which collects their IP addresses, for analytics purposes.
You need their full name, address, and ZIP code to send a product ordered from your eCommerce store. To provide customer support, you may need their phone number.
Remember that you must process the minimum amount of data for each purpose. Data minimization is one of the basic GDPR principles: you may not process more data than the purpose requires.
Here, you’ll determine the tools you use to collect and process personal data.
In general, there are two ways to collect personal data:
Users give you data directly when executing a contract, such as goods delivery, or in exchange for a freebie.
For data that is not handed over in exchange for something, you’ll rely on tracking mechanisms: cookies, pixels, fingerprinting, and similar methods. Make sure you identify all of them at this point.
You should keep the data as long as needed, but no longer.
Not only because the GDPR obliges you to erase personal data you no longer need, but also because keeping it brings risk without upside. Why keep someone else’s data that you don’t need and that can still be breached? It is not wise, and it is against the law.
So, determine a retention period for each category of personal data you collect and process, aligned with the purpose of processing. Once you no longer need the data for that purpose, get rid of it.
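The purpose, category and retention steps above amount to a small register that code can enforce. The following is an added example, not from the original article: a purpose register that strips fields a purpose is not allowed to use (data minimization) and flags stored records whose retention period has run out. The purposes, categories, retention periods and sample records are assumptions chosen for illustration; a real register must reflect the business’s own processing.

```python
"""Purpose register: data minimization and retention per processing purpose.

Added example, not from the original article. The purposes, categories and
retention periods are assumed values for illustration only.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Purpose:
    name: str
    legal_basis: str       # e.g. "contract" or "consent"
    categories: frozenset  # personal-data categories this purpose may use
    retention: timedelta   # keep no longer than this after collection


# Assumed register for a small web shop (illustrative values).
REGISTER = {
    "order_fulfilment": Purpose(
        "order_fulfilment", "contract",
        frozenset({"full_name", "street_address", "zip_code", "email"}),
        timedelta(days=365 * 7),   # assumed: invoices kept for tax accounting
    ),
    "newsletter": Purpose(
        "newsletter", "consent",
        frozenset({"email"}),
        timedelta(days=365 * 2),   # assumed: inactive subscribers dropped
    ),
    "analytics": Purpose(
        "analytics", "consent",
        frozenset({"ip_address", "cookie_id"}),
        timedelta(days=30),
    ),
}


def minimise(record: dict, purpose: str) -> dict:
    """Keep only the categories the named purpose is allowed to use.

    Raises KeyError for an unregistered purpose: data with no documented
    purpose must not be processed at all.
    """
    allowed = REGISTER[purpose].categories
    return {k: v for k, v in record.items() if k in allowed}


def is_expired(collected_at: datetime, purpose: str, now: datetime) -> bool:
    """True once the purpose's retention period has run out."""
    return now - collected_at > REGISTER[purpose].retention


def purge(store: list, now: datetime) -> tuple:
    """Split stored entries into (kept, to_delete) by purpose and age.

    Each entry is {"purpose": ..., "collected_at": ..., "data": ...}.
    """
    kept, to_delete = [], []
    for entry in store:
        if is_expired(entry["collected_at"], entry["purpose"], now):
            to_delete.append(entry)
        else:
            kept.append(entry)
    return kept, to_delete


# Constructed sample: a checkout form that over-collects for the newsletter,
# and a store holding a 45-day-old analytics record.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
CHECKOUT = {
    "full_name": "A. Example", "street_address": "1 Example St",
    "zip_code": "00000", "email": "a@example.invalid", "phone": "+10000000",
}
SAMPLE_STORE = [
    {"purpose": "analytics", "collected_at": NOW - timedelta(days=45),
     "data": {"ip_address": "203.0.113.7", "cookie_id": "c1"}},
    {"purpose": "newsletter", "collected_at": NOW - timedelta(days=10),
     "data": {"email": "a@example.invalid"}},
]

if __name__ == "__main__":
    print(minimise(CHECKOUT, "newsletter"))   # only the email survives
    kept, gone = purge(SAMPLE_STORE, NOW)
    print(len(kept), "kept,", len(gone), "to delete")
```

Run `purge` on a schedule and log what it deletes; the log then doubles as evidence of your retention practice when a data subject or an authority asks.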
If you are unsure which cookies and trackers your site sets, scan it with a cookie scanner. The 2gdpr scanner gives good results along with basic guidance on cookie compliance. Check your website and act according to the results.
When users give you their data, the legal basis usually is the execution of a contract between your business and the user.
But when you collect their data using third-party tracking tools, you must first ask them whether they are OK with it. Consent is the legal basis for non-essential tracking, so you need to obtain it before setting cookies or running other tracking technologies.
The most practical way to obtain users’ consent is by showing them a cookie banner. But not any banner. Only those that follow the GDPR requirements are lawful.
The cookie banner is lawful as long as the user’s consent is:
This means that you are not allowed to set cookies on your users’ devices in the sneaky ways we have covered before:
GDPR obliges businesses to keep records of their processing activities and provide those to authorities upon request. The records should contain at least:
Aside from the processing activities records, it is essential to keep records of every consent obtained by a user.
Sooner or later, you will receive a data subject request from someone who wants to know how you handle their data. When that happens, you’ll also need to prove that you obtained their consent to process it. If you can’t prove it, you’ll be in trouble with the law.
There are good paid tools on the market that you could use for consent management.
In the GDPR vocabulary, data subjects are the people whose personal data you process: for an online business, mostly your website visitors, users, and customers.
GDPR grants data subjects a set of rights. They include the right to:
Data subjects, i.e., your users, exercise these rights by submitting a data subject request to you. The request has no prescribed form. It can be anything from a simple message like “Tell me what data you have collected from me” or “Please delete all my data” to a formal letter.
You can designate a method for submitting data subject requests, such as an email address or a form on your website. However, data subjects are not obliged to use it. They can submit a request in any way, and you’ll be obliged to respond.
Having a request management solution to handle these requests is good practice. Many consent management providers also offer data subject request management, which is a good starting point. They usually come with a dashboard listing all requests, reminders to respond, and other features.
You have to respond to a data subject request without undue delay and at the latest within one month of receiving it (GDPR Article 12(3)). For a complex request, or when you receive many requests, you can extend that period by up to two further months, but you must inform the user of the extension and the reason for it within the first month.
Sometimes you will need to verify the identity of the person submitting the request. You can’t send a file of personal information to anyone who asks for it over the internet, because people may request data that belongs to someone else.
If you have reasonable doubt, verify the identity of the person who submits the request. So, if an email subscriber wants to access their data, you may prove they control the email address by sending a one-time code to it. For website members, you could verify their identity with two-factor authentication or a similar method.
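The deadline and verification steps above can be handled in a small piece of code. The following is an added example, not from the original article: a request ticket that computes the one-month deadline in calendar months, allows a single extension by two further months, and gates data export behind a one-time code sent to the address on file. The Request class, the code lifetime, the attempt limit and the sample request are assumptions made for illustration.

```python
"""Data subject request (DSAR) intake: statutory deadline and identity check.

Added example, not from the original article. Class name, code lifetime,
attempt limit and the sample request are assumed for illustration. The
deadline rule follows GDPR Article 12(3): one month, extendable once by two
further months.
"""
import calendar
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

CODE_TTL = timedelta(minutes=15)   # assumed lifetime of an emailed one-time code
MAX_ATTEMPTS = 5                   # assumed: stop accepting guesses after this


def add_months(when: datetime, months: int) -> datetime:
    """Calendar-month arithmetic: the GDPR counts months, not 30-day blocks.
    A day missing from the target month (31 Jan + 1 month) is clamped to
    that month's last day."""
    total = when.month - 1 + months
    year, month = when.year + total // 12, total % 12 + 1
    day = min(when.day, calendar.monthrange(year, month)[1])
    return when.replace(year=year, month=month, day=day)


@dataclass
class Request:
    subject_email: str
    text: str
    received: datetime
    deadline: datetime = field(init=False)
    extended: bool = False
    verified: bool = False
    code_hash: bytes = field(default=b"", repr=False)   # never the code itself
    code_expires: Optional[datetime] = None
    attempts: int = 0

    def __post_init__(self) -> None:
        self.deadline = add_months(self.received, 1)

    def extend(self, now: datetime) -> datetime:
        """Extend once, by two further months, and only while the first
        deadline has not passed; the subject must be told within that month."""
        if self.extended or now > self.deadline:
            raise ValueError("extension not available")
        self.extended = True
        self.deadline = add_months(self.received, 3)
        return self.deadline

    def issue_code(self, now: datetime) -> str:
        """Create a one-time code to e-mail to the address on file. Only its
        hash is stored, so a leaked ticket database does not pass the check."""
        code = secrets.token_hex(16)   # 128 bits: not guessable online
        self.code_hash = hashlib.sha256(code.encode()).digest()
        self.code_expires = now + CODE_TTL
        self.attempts = 0
        return code

    def verify(self, code: str, now: datetime) -> bool:
        """Accept the code once, within its lifetime, with bounded tries."""
        if not self.code_hash or self.code_expires is None or now > self.code_expires:
            return False
        if self.attempts >= MAX_ATTEMPTS:
            return False
        self.attempts += 1
        ok = hmac.compare_digest(hashlib.sha256(code.encode()).digest(), self.code_hash)
        if ok:
            self.verified = True
            self.code_hash = b""   # one-time: the same code cannot be replayed
        return ok

    def export_allowed(self) -> bool:
        """Personal data is released only to a verified requester."""
        return self.verified


# Constructed sample: an informal access request arriving by e-mail.
RECEIVED = datetime(2024, 1, 31, 9, 0, tzinfo=timezone.utc)
SAMPLE = Request("a@example.invalid", "Tell me what data you have on me", RECEIVED)

if __name__ == "__main__":
    code = SAMPLE.issue_code(RECEIVED)   # would be e-mailed to the subject
    print("deadline:", SAMPLE.deadline.date())
    print("verified:", SAMPLE.verify(code, RECEIVED + timedelta(minutes=5)))
```

The code is long and random so that hashing it is meaningful; if you prefer a short numeric code the user types in, the attempt limit and short lifetime become essential, and a keyed hash (HMAC with a server-side secret) should replace the plain hash so a database dump alone cannot be brute-forced.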
You may fail to respond appropriately or fail to respond at all. In both cases, the data subject won’t be happy and may submit further requests or go straight to the data protection authority and initiate proceedings against you.
You want to avoid legal headaches, so ensure you respond to the user in time and in a way that satisfies them.
Data breaches are not an everyday occurrence, but no online business can rule out being hacked. Microsoft, Facebook, and Twitter are just a few names that have been hacked and have had data breaches.
There are two ways in which you may suffer from data breaches:
Do not forget that you are responsible for the data you control, even when a third party processes it. Your processors are accountable to you, but it is you who is liable to your users.
In both cases, you have duties to your data subjects. GDPR obliges you to:
You can inform the data protection authority and the users in any way you find fit, as long as it is a communication dedicated to the breach. For example, you can’t tell users about the breach in a regular newsletter full of coupons and other marketing material. Note that the authority must be notified without undue delay and, where feasible, within 72 hours of becoming aware of the breach (GDPR Article 33).
So, you can phone the authority and tell them what happened. They will then guide you through the process that follows.
Some authorities have data breach forms on their websites, which you can use. The template of the UK ICO is available at this link, just to give you an idea of how it may look.
It is essential to note that the worst thing you can do in the case of a breach is to try to hide it. Remember that not all breaches occur through the website owner’s fault, so you may avoid a penalty in the end. But if you remain silent about the breach, you won’t avoid penalties, and the GDPR fines may be higher because of it.
For effortless compliance, make sure you have taken reasonable precautions against data breaches and can show that you did if one happens.
The EU and the GDPR want all the data processed inside the EU or in a third country recognized as providing adequate protection. That’s why data transfers abroad are as tricky as they get.
You can transfer data outside the EU based on the legal instruments in Chapter V of the GDPR, which means based on:
Most international data transfers involve transferring data to US companies. After all, many of the world’s best tech companies operate from the US. However, transfers to the US require additional safeguards because of US surveillance laws.
We have another long-form article on that subject. You can read it here.
Depending on the specifics of your business, you may need to do more for full compliance with the GDPR. Here is what you may also need:
Data controllers can use the services of third-party data processors to process the data they control, but only based on written instructions. Those written instructions often come in a Data Processing Agreement or as a Data Processing Addendum to the Terms of Service or the Master Agreement.
The content of this contract is prescribed with the GDPR. It must contain at least:
When you engage with a third-party data processor, such as Facebook, Quora, Google, Convertkit, or the likes, ensure that they process data based on your written instructions. Otherwise, the data processing is unlawful, and you may be fined.
The companies mentioned above are large, serious data processors with their own DPAs. In most cases, SaaS companies that process data on behalf of other companies have these agreements ready, either as a separate document or as a supplement to the Terms of Service or the Master Agreement.
However, some small companies that do not bother much about data protection compliance may not have such agreements in place, and they may drag you into legal trouble. So, whenever you intend to engage a new data processor, read their DPA first.
Some processors offer a DPA as a matter of good practice and business convenience. If a processor does not have one, you as the data controller must put one in place yourself. After all, the GDPR requires you to give them written instructions for the processing.
Not all businesses must have a data protection officer (DPO) or a legal representative. But if you are required to have one and don’t appoint one, you risk being fined.
A DPO is required for businesses that:
A legal representative in the Union is required for non-EU businesses that offer goods or services to, or monitor the behaviour of, people in the EU, unless the processing is only occasional and low-risk (GDPR Article 27).
If you are required to have a DPO or a legal representative, appoint one. Even if you are not, consider it good practice for taking care of users’ data.
Data protection impact assessment (DPIA) is a process for assessing data processing risks. It is taking a proactive approach to the data processing to mitigate its risks.
A DPIA is obligatory for businesses that:
A DPIA is not obligatory for everyone else but is a good practice.
A DPIA will help your business map the data flow from the moment data reaches your hands, through the processors you hand it to, until you delete it. It shows how other people’s data passes through your business and reveals any compliance gaps you need to address.
Even where it is not obligatory, you can see how useful it is for any online business.
As a data controller, you are responsible for taking care of data subjects’ data safety. That also includes data security measures.
If you store or process data on your own servers, you must implement data security measures yourself.
For most small and medium businesses, running their own infrastructure is out of reach because of the cost, and there are many affordable alternatives on the market.
That means your data processors will store and process your data. They have to implement appropriate security measures to protect it.
Companies like AWS, Google, Facebook, and others implement state-of-the-art security measures. They provide the best there is. Yes, they get hacked sometimes, but no security system is impenetrable.
However, take nothing for granted. Whatever tools you use, check the security measures your processors and sub-processors apply. After all, it concerns your users’ data safety and your compliance with the GDPR.
Privacy by design is a concept the GDPR codified in Article 25 (“data protection by design and by default”). It means implementing appropriate technical and organizational measures aimed at data protection, i.e., taking data protection into account in whatever you do.
In practice, this would mean thinking about data privacy when:
You get the idea. The possibilities for privacy by design are endless. As long as you apply the basic GDPR principles for data protection, you’ll likely be implementing privacy by design.
GDPR compliance requires work, but it is not hard to achieve.
It is essential to take a proactive approach. The GDPR calls for preventive measures, not remedies after the fact. They are neither hard to implement nor expensive for small businesses.
SaaS solutions on the market can make you compliant for less than a couple of hundred dollars a year. That’s not a lot to protect users’ data, and it won’t hurt your business’s budget.
Otherwise, you may violate the law and get into trouble, both financially and in terms of reputation.
Now that you know how to comply, go ahead and do what needs to be done.