What Every Single Online Business Needs to Do For GDPR Compliance
No matter at what stage you are with your online business, you have to:
- Determine why you need users’ personal data
- Determine the categories of data you need
- Determine how you are going to obtain such data
- Determine for how long you’ll keep the data
- Check out the cookies your website uses already (and you may not know about them)
- Obtain explicit consent for collection and/or processing of data
- Keep records of consents and data processing
- Respond to data subject requests
- Ensure the legality of your data transfers
- Plan for data breach notifications
Now onto each one of these:
1. Determine why you need personal data
You have to have reasons to process users’ data. For most businesses the reasons include:
- Marketing purposes – if you want to track users’ behavior in order to collect data that you can use to segment them and address them with a tailored message
- Improve the user experience on your website
- Analytics purposes – to collect data on how website visitors use the website.
Determining the why behind the data processing is the first step before proceeding with the categories of data you’ll need.
2. Determine the data you need
Now when you know why you need to process personal data, you have to determine what categories of data will help you get there.
Data categories are the types of personal data, such as names, email addresses, home addresses, SSNs, political views, biometric data, etc.
So, if you need to process users’ data for marketing purposes, you may need email addresses to send newsletters, or online identifiers allowing you to do retargeting.
For analytics purposes, you may install Google Analytics and get their IP addresses.
To send a product ordered from your ecommerce store, you’ll need their full name, address, and ZIP code. To provide customer support you may need their phone number.
Remember that you need to process the minimum amount of data for each purpose. Data minimization is one of the basic GDPR principles, and it does not allow processing more data than necessary for your purpose.
3. Determine how you are going to obtain such data
Here you’ll determine the tools you’ll use for collecting and processing personal data.
In general, there are two ways to collect personal data:
- Data that users give you voluntarily
- Data that you collect by cookies and other tracking technologies.
Users will give you data for the purpose of execution of a contract, such as goods delivery, or getting a freebie.
For data that does not require exchange of something, you’ll need to use tracking mechanisms. These include cookies, pixels, fingerprinting, and other methods. Make sure you determine them all at this point.
4. Determine for how long you’ll keep the data
You should keep the data as long as you need it, but no longer than that.
Not only because the GDPR obliges you to erase personal data you don’t need, but also because keeping it brings you risks without an upside. Why would you keep someone else’s personal data that you don’t need and that can be breached? It is not wise and it is against the law.
So, determine a retention period for each category of personal data you collect and process. It should be aligned with the purpose of processing. So, if you do not need to process that data anymore, get rid of it.
5. Check out the cookies your website uses
If you are not sure about this, scan your website on a cookie scanner. 2gdpr scanner gives good results along with basic guidance on cookie compliance. Check out your website and act according to the results.
- Your identity. You are the data controller and users (a.k.a. data subjects) have the right to know who controls their data. Provide your business name and at least an email address for contact. For better transparency, provide a phone number and physical address, if your business has any.
- The purposes of data collection and/or processing. Tell your users why you need their data.
- How you collect and/or process personal data. You have to inform users about the methods you use for the collection of their data. In general, there are three ways for data collection:
  - Users give you their data themselves (such as providing an email address to receive marketing promotions, discounts, free ebooks, etc.), or
  - You collect their data through cookies and tracking technologies (this includes Google remarketing, Facebook Pixel, etc.), or
  - You collect data from other parties, such as your subsidiary companies, etc.
- The categories of data you collect. Here you should name each category of data that you collect, such as name, email address, home address, phone number, IP address, Social Security Number, or any other personal information.
- With whom you share their personal data. These are the third-party tools you use for data processing. You share users’ data with them, so that they will deliver you insights based on that data. For example, you share data with Google in order to get insights from Google Analytics.
- Data subject rights. GDPR grants your users the following rights:
  - Know about data processing
  - Get access to their data
  - Restrict and/or object to the processing of their data
  - Have their data erased
  - Correct inaccurate data
  - Transfer data to another data controller
  - Know if their data is part of automated data processing, including profiling, and object to that
- How users can exercise their rights. Users have rights, but you need to let them know how they could exercise them. As a minimum, ensure you have an email address for contacting you.
It is even better if you have a dedicated contact form for submitting data subject requests. There are SAAS solutions on the market that allow you to collect these requests, sort them out, and answer quickly.
- Data retention period. Tell your users for how long you’ll keep their data.
- Children’s data. If you knowingly collect children’s data, you should inform users and obtain consent from their parents. If you do not do so, this section is your chance to state that you don’t collect children’s data and to disclaim responsibility for it.
7. Obtain explicit consent for collection and processing of data
When users give you their own data, the legal basis usually is the execution of a contract between your business and the user.
But, when you collect their data by using third-party tools, you have to ask them first if they are OK with it. GDPR does not allow data collection without users’ explicit consent, so you need to obtain it before using tracking technologies.
The most practical way to obtain users’ consent is by showing them a cookie banner. But, not any banner. Only those that follow the GDPR requirements are lawful.
The cookie banner is lawful as long as the user’s consent is:
- Freely given. This means that you have to give the user a choice between accepting and declining the cookies. In addition, accepting cookies must not be a condition for access to website content.
- Unambiguous. The consent is lawfully obtained only if the user has taken affirmative action to give the consent, such as clicking an ACCEPT button.
- Easily withdrawn. You have to provide users with an opportunity to withdraw the consent as easily as it has been given. If the user has given the consent by a simple click on an ACCEPT button, you must not request filling a long withdrawal form to be sent to you by email. You have to make it easy for the user.
This means that you are not allowed to send cookies to your users’ devices in sneaky ways that we have covered before:
- No pre-checked boxes
- No cookie walls
- No bundling of the cookie consent with the Terms of Service
- No assumptions that the user accepts the cookies by browsing the website
8. Keep records for obtained consent and processing activities
GDPR obliges businesses to keep records of their own processing activities and provide those to authorities upon request. The records should contain at least:
- Your contact details
- The purpose of data processing
- Description of data subjects
- Categories of data processed
- The recipients of personal data
- Details on data transfers, if any
- Data retention period, if any
- A general description of the data security measures, if applicable
Aside from the processing activities records, it is very important to keep a record of every consent obtained from a user.
Sooner or later, you will receive a data subject request by someone who wants to know how you handle their data. When that time comes, you’ll also need to prove that you have obtained their consent to process the data. If you don’t prove it, you’ll get into trouble with the law.
There are good paid tools on the market that you could use for consent management.
Some of them include OneTrust, Secure Privacy, Cookiebot, and Iubenda.
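The banner criteria from section 7 and the consent records from this section fit together in one piece of code: a consent ledger that refuses to record anything the user did not actively choose (no pre-checked boxes, no implied consent from browsing, no cookie walls), records withdrawal as a single step, gates non-essential cookies on the recorded state, and produces the trail you would hand over when a data subject asks how their consent was obtained. This is an added example written for this page, not code from the article or from any of the vendors named above; the method labels, the `ConsentLedger` API and the sample visitor are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List

# Ways of acting that count as an affirmative action by the user (assumed labels).
AFFIRMATIVE_METHODS = {"click_accept", "toggle_on", "form_submit"}
# Ways the text rules out: the user did nothing to choose them (assumed labels).
REJECTED_METHODS = {"pre_checked", "continued_browsing", "bundled_with_tos", "cookie_wall"}
# Cookies needed to run the site itself; these need no consent (assumed set).
STRICTLY_NECESSARY = {"session", "csrf", "consent_state"}


@dataclass(frozen=True)
class ConsentEvent:
    user_id: str
    purposes: frozenset     # e.g. {"analytics", "marketing"}
    given: bool             # True = consent given, False = consent withdrawn
    method: str             # how the user acted
    decline_offered: bool   # a "decline" choice was shown next to "accept"
    banner_version: str     # which banner wording the user saw
    at: datetime


class ConsentLedger:
    """Append-only record of consent decisions, one list per user."""

    def __init__(self) -> None:
        self._events: Dict[str, List[ConsentEvent]] = {}

    def record_consent(self, user_id: str, purposes, method: str,
                       decline_offered: bool, banner_version: str, at: datetime) -> ConsentEvent:
        # Unambiguous: only an affirmative action counts.
        if method in REJECTED_METHODS or method not in AFFIRMATIVE_METHODS:
            raise ValueError(f"{method!r} is not an affirmative action; consent not recorded")
        # Freely given: the user must have had a real choice.
        if not decline_offered:
            raise ValueError("no decline option was offered; consent is not freely given")
        ev = ConsentEvent(user_id, frozenset(purposes), True, method, True, banner_version, at)
        self._events.setdefault(user_id, []).append(ev)
        return ev

    def record_withdrawal(self, user_id: str, purposes, at: datetime) -> ConsentEvent:
        # Easily withdrawn: one call, no form, no justification required.
        ev = ConsentEvent(user_id, frozenset(purposes), False, "withdraw", True, "-", at)
        self._events.setdefault(user_id, []).append(ev)
        return ev

    def consent_in_force(self, user_id: str, purpose: str, at: datetime) -> bool:
        """Replay the user's events up to `at`; the latest one naming `purpose` decides."""
        state = False
        for ev in sorted(self._events.get(user_id, []), key=lambda e: e.at):
            if ev.at > at:
                break
            if purpose in ev.purposes:
                state = ev.given
        return state

    def evidence(self, user_id: str) -> List[dict]:
        """The trail you hand over when a data subject asks how consent was obtained."""
        return [
            {"at": ev.at.isoformat(), "purposes": sorted(ev.purposes),
             "action": "given" if ev.given else "withdrawn",
             "method": ev.method, "banner_version": ev.banner_version}
            for ev in sorted(self._events.get(user_id, []), key=lambda e: e.at)
        ]


def may_set_cookie(ledger: ConsentLedger, user_id: str, purpose: str, at: datetime) -> bool:
    """Gate for the code that sets cookies or loads tracking scripts."""
    if purpose in STRICTLY_NECESSARY:
        return True
    return ledger.consent_in_force(user_id, purpose, at)


if __name__ == "__main__":
    # Constructed sample session, not real visitor data.
    ledger = ConsentLedger()
    t0 = datetime(2024, 3, 1, 12, 0)
    ledger.record_consent("visitor-42", {"analytics", "marketing"}, "click_accept",
                          decline_offered=True, banner_version="v3", at=t0)
    ledger.record_withdrawal("visitor-42", {"marketing"}, at=datetime(2024, 3, 5, 9, 30))
    for line in ledger.evidence("visitor-42"):
        print(line)
```

The ledger stores the banner version alongside each decision because the wording the user saw is part of the proof: a record that says "accepted" without saying what was accepted, and whether a decline button was present, will not settle a dispute. Withdrawal deliberately has no preconditions, which is what makes it as easy as the original click.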
9. Respond to data subject requests
Data subjects are your website visitors in the GDPR vocabulary.
Data subject rights
GDPR grants data subjects a set of rights. They include the right to:
- Know about processing
- Access their data in your control
- Object to data processing
- Restrict the processing
- Correct the data
- Transfer their data to another controller
- Have their data erased
- Know that they have been subjected to automated decision making, including profiling
Submitting the requests
Data subjects, i.e. your users, can exercise these rights by submitting a data subject request to you. The request has no prescribed form. It can be anything from just a simple message like: “Tell me what data you have collected from me,” or “Please delete all my data”, to a formal request.
You can designate a method for submitting data subject requests, such as an email address or a form on your website. However, data subjects are not obliged to send the requests in that particular way. They can do it in any way and you’ll be obliged to respond.
It is a good practice to have some kind of request management solution to handle these requests easily. Many of the consent management providers also provide data subject requests management solutions, so they are a good starting point. They usually come with a dashboard with all the requests, reminders to respond, and other features.
Responding to the request
You have to respond to data subject requests within 30 days of receiving the request. You can delay the delivery by an additional 30 days in the case of a complex request that requires a lot of work on your side. Just let the user know about it.
Ensuring you respond to the right person
Sometimes you may need to verify the identity of the person who submits the request. You can’t send a file with personal information to anyone who just requests it over the internet, because people could abuse that to request other people’s data.
If you suspect that may be the case, you’ll need to verify the identity of the person who submits the request. So, if an email subscriber wants to access their data, you may want to verify they own the email address by sending a code by email. Or, in the case of data processing of website members, you could verify their identity by two-factor authentication, or a similar method.
Failure to respond
You may fail to respond properly or fail to respond at all. In both cases the data subject won’t be happy and may submit additional requests or go straight to the data protection authority and initiate a procedure against you.
You want to avoid the legal headaches, so make sure you respond to the user in time and in a way that satisfies them.
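The three things this section asks for, a deadline that is tracked, one documented extension that the user is told about, and identity verification before anything is released, can be carried by a single request record. The following is an added example written for this page, not the article’s own code or any vendor’s product; the `DataSubjectRequest` class, the code lifetime and the attempt cap are assumptions, while the 30-day window and 30-day extension are taken from the text above.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

RESPONSE_WINDOW = timedelta(days=30)   # from the text: respond within 30 days
EXTENSION = timedelta(days=30)         # from the text: one further 30 days for complex requests
CODE_TTL = timedelta(minutes=15)       # assumed lifetime of a verification code
MAX_ATTEMPTS = 5                       # assumed cap on wrong codes before a fresh one is needed


@dataclass
class DataSubjectRequest:
    request_id: str
    contact: str                # address the requester wrote from
    kind: str                   # "access", "erasure", "rectification", ...
    received_at: datetime
    extended: bool = False
    extension_notified_at: Optional[datetime] = None
    verified: bool = False
    code_hash: Optional[bytes] = None
    code_expires: Optional[datetime] = None
    attempts_left: int = MAX_ATTEMPTS

    def deadline(self) -> datetime:
        due = self.received_at + RESPONSE_WINDOW
        return due + EXTENSION if self.extended else due

    def is_overdue(self, now: datetime) -> bool:
        return now > self.deadline()

    def extend(self, now: datetime) -> datetime:
        """One extension for a complex request; the user must be told, so the
        moment of notification is recorded together with the extension."""
        if self.extended:
            raise ValueError("a request may be extended only once")
        if self.is_overdue(now):
            raise ValueError("the deadline has already passed")
        self.extended = True
        self.extension_notified_at = now
        return self.deadline()

    def issue_verification_code(self, now: datetime) -> str:
        """Create a one-time code to send to the requester's address. Only its
        hash is kept, so a copied request record does not reveal the code."""
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self.code_hash = hashlib.sha256(code.encode()).digest()
        self.code_expires = now + CODE_TTL
        self.attempts_left = MAX_ATTEMPTS
        return code

    def verify_code(self, submitted: str, now: datetime) -> bool:
        """Constant-time comparison, expiry check, attempt cap, single use."""
        if self.code_hash is None or self.code_expires is None:
            return False
        if now > self.code_expires:
            self.code_hash = None          # stale code: a new one must be issued
            return False
        ok = hmac.compare_digest(hashlib.sha256(submitted.encode()).digest(), self.code_hash)
        if ok:
            self.verified = True
            self.code_hash = None          # a code works exactly once
        else:
            self.attempts_left -= 1
            if self.attempts_left <= 0:
                self.code_hash = None      # too many guesses: issue a new code
        return ok

    def release_allowed(self) -> bool:
        """Personal data is handed over only to a verified requester."""
        return self.verified


if __name__ == "__main__":
    # Constructed sample request, not a real one.
    req = DataSubjectRequest("REQ-0001", "subscriber@example.com", "access",
                             datetime(2024, 1, 10, 9, 0))
    print("respond by", req.deadline().date())
    code = req.issue_verification_code(datetime(2024, 1, 11, 10, 0))
    print("code to email the requester:", code)
    print("verified:", req.verify_code(code, datetime(2024, 1, 11, 10, 5)))
    print("release allowed:", req.release_allowed())
```

A six-digit code is short enough to guess if unlimited attempts are allowed, which is why the attempt cap and the short lifetime are not optional extras; the hash is there so that the code does not sit in plaintext in whatever database or ticket system holds the request.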
10. Plan for Data Breach Notifications
Data breaches are not an everyday occurrence, but there is no online business in the world that can avoid hacks. Microsoft, Facebook and Twitter are just a few names that have been hacked and have had data breaches.
There are two ways in which you may suffer from data breaches:
- Your website is breached, or
- Any of your data processors is breached.
Do not forget that you are responsible for the data you control, even if it is processed by a third party. It is you who is liable to your users. Your processors are liable to you, but you are liable to the users.
In both cases, you have duties to your data subjects. GDPR obliges you to:
- Inform the relevant data protection authority no later than 72 hours from knowing about the breach (if you delay this, you need a good explanation about it and are under the risk of penalties).
- If the breach poses a threat to the rights of the data subjects, inform them as well. A threat would be leaking of personal information such as social security number, health data, sexual orientation, and other data that in the current set of circumstances could pose any kind of a risk.
You can inform the data protection authority and the users in any way you find fit, as long as it is a piece of communication dedicated to the breach. For example, you can’t tell users about the breach in a regular newsletter full of coupons and other marketing materials.
So, you can just make a phone call to the authority and tell them what happened. Then they will guide you through the process that follows.
Some of them have data breach forms on their websites, so you can use those as well. The template of the UK ICO is available at this link, just to give you an idea of what it may look like.
It is very important to note that, in the case of a breach, the worst thing to do is trying to hide it. Remember that not all breaches occur due to website owners’ fault, so in the end you may avoid a penalty. But if you remain silent about the breach, you won’t avoid penalties. In fact, the fines may be higher because of that.
For effortless compliance, make sure that you have taken the precautions to avoid data breaches and have a procedure in place to react in case it happens.
11. Ensure the legality of your data transfers
The EU and the GDPR want all the data processed inside the EU or in a third country deemed safe. That’s why data transfers abroad are made as tricky as they can be.
You can transfer data outside the EU based on the legal instruments in Chapter V of the GDPR, which means based on:
- Adequacy decision. The European Commission has a list of countries that are considered to offer an adequate level of data protection according to the GDPR. For each of these countries the EU has an adequacy decision. Based on that decision, you can transfer data to these countries freely, without asking anyone, as if you move the data around the EU.
The full list of adequate countries is available here.
- Standard contract clauses (SCCs). The SCCs are clauses that are part of the data processing agreement. With them, the data controller and the data processor agree on the security measures for protecting the data. This is the most common legal basis for data transfers in the absence of an adequacy decision.
- Binding corporate rules (BCRs). Similar to the SCCs, but rarely used in practice. These are rules that apply to groups of companies – joint controllers in relation to data transfers.
- Performance of contract. If the data transfer is necessary for provision of the services and products you offer, you can transfer the data. However, this is a slippery slope, so better opt for another basis. Use this one as the last resort.
- Public interest or data subject interest or the transfer is necessary for the establishment, exercise, or defence of legal claims. Self-explanatory.
Having said that, most international data transfers would involve transferring data to US companies. After all, the world’s best tech companies operate from the US. However, transfers to the US are subject to additional security measures due to the US surveillance laws.
We have another long-form article on that subject. You can read it here.
Additional Things You May Need
Depending on the specifics of your business you may need to do more for a full compliance with the GDPR. Here is what you may also need:
1. Data processing agreement (DPA)
Data controllers can use the services of third-party data processors for processing of the data they control, but only on the basis of written instructions. Those written instructions most often come in the form of a Data Processing Agreement, or as a Data Processing Addendum to the Terms of Service or to the Master Agreement.
The content of this contract is prescribed with the GDPR. It must contain at least:
- The categories of data to be processed
- The purpose of processing
- The duration of processing
- The categories of data subjects
- The rights and the duties of the controller
- That the data processor will process data only upon the written instruction, i.e. the DPA
- Provisions on the confidentiality of the processed data
- The security measures for the processing
- Provisions on the sub-processors, if any
- That the processor would help the controller to comply with the law, if needed
- That at the choice of the controller, the processor would return or delete all the controller’s data
- That the processor will make available to the controller all information necessary for compliance, including audit and inspections.
When you engage with a third-party data processor, such as Facebook, Quora, Google, Convertkit, or the likes, ensure that they process data based on your written instructions. Otherwise, the data processing is unlawful and you may be fined.
The companies that we just mentioned above are big and serious data processors that have their own DPAs. In most cases, the SAAS companies that process data on behalf of other companies would have these agreements ready, either as a separate document, or as an addendum to the Terms of Service or the Master Agreement.
However, some small companies that do not bother too much about data protection compliance may not have such agreements in place, and that can drag you into legal trouble. So, every time you intend to engage a new data processor, make sure you read their DPA first.
If they do not have any, it is up to you as a data controller to secure one. After all, it is your duty to provide them with written instructions for the processing. The fact that some companies have DPAs in place is a good practice for streamlining their businesses, but no legal obligation whatsoever.
2. Appoint a DPO or legal representative
Not all businesses are required to have a data protection officer (DPO) or a legal representative in the EU. But, if you are required to and you don’t appoint one, you risk being fined.
A DPO is required for businesses that:
- Process large amounts of sensitive personal data
- Process personal data in a way that requires regular and systematic monitoring of many data subjects (think of companies like Google and Facebook)
A legal representative in the Union is required for non-EU businesses that process large amounts of data of EU users on a regular basis.
If you are required to have a DPO or a legal representative, make sure you have one. If you are not, consider appointing one anyway as good practice for taking care of users’ data.
3. Data protection impact assessment
Data protection impact assessment (DPIA) is a process for assessing the risks of data processing. It is taking a proactive approach to the data processing in order to mitigate the risks associated with it.
A DPIA is obligatory for businesses that:
- Process data likely to result in a high risk to the rights and freedoms of persons
- Conduct automated processing, including profiling
- Process sensitive personal data on a large scale, or
- Systematically monitor public areas.
For everyone else, a DPIA is not obligatory, but is a good practice.
A DPIA will help your business map out the data flow from the moment the data comes into your hands, to the moment you hand it down to the data processors, to the moment you delete it. It will help you understand how other people’s personal data passes through your hands and will show you any compliance gaps you need to address.
It is not obligatory, but you understand how useful it is for any online business.
4. Security measures
You, as a data controller, are responsible for the safety of data subjects’ data. That also includes data security measures.
You need to think about implementing data security measures yourself if you store or process data on your own servers.
For most small and medium businesses that’s out of reach due to the cost, and there are many affordable alternatives on the market.
That means your data processors will store and process your data, and that they have to implement the best possible security measures for protecting it.
Companies such as AWS, Google, Facebook, and the likes implement state-of-the-art security measures. Yes, they get hacked from time to time, but no security system is impenetrable. They provide the best there is.
However, take nothing for granted. Whatever tools you use, make sure you check out the security measures your processors and sub-processors use. After all, it is about your users’ data safety, and your compliance with the GDPR.
5. Privacy by design
Privacy by design is a concept that has been introduced by the GDPR. It means implementing appropriate technical and organizational measures aimed at data protection, i.e. taking data protection into account in whatever you do.
In practice, this would mean thinking about data privacy when:
- Determining your privacy practices
- Designing new services
- Designing new apps or other products, and so on.
You get the idea. The possibilities for privacy by design are endless. As long as you implement the basic GDPR principles for data protection, you’ll likely be implementing privacy by design.