Many small and medium businesses think that GDPR compliance is a long road ahead and delay it as much as possible. However, it is not nearly as long or expensive as it may seem.
This guide will explain:
- What every single online business has to do, and
- What some businesses may need to do as well.
Although this regulation raised the bar for companies, protecting your users’ personal data should not be a problem if you are serious about your business.
And it really is not hard to comply.
Here, we will explain the minimum that you, as an online business owner, should do for compliance, so as to dispel the doubt that it must involve a lot of work.
Related guide: GDPR fines
Related guide: CCPA compliance
Related guide: Data subjects’ rights under GDPR
No matter what stage your online business is at, you have to:
Now onto each one of these:
You have to have reasons to process users’ data. For most businesses the reasons include:
Determining the why behind the data processing is the first step before proceeding with the categories of data you’ll need.
Now that you know why you need to process personal data, you have to determine which categories of data will get you there.
Data categories are the types of personal data, such as names, email addresses, home addresses, SSNs, political views, biometric data, etc.
So, if you need to process users’ data for marketing purposes, you may need email addresses to send newsletters, or online identifiers allowing you to do retargeting.
For analytics purposes, you may install Google Analytics and get their IP addresses.
To send a product ordered from your ecommerce store, you’ll need their full name, address, and ZIP code. To provide customer support you may need their phone number.
Remember that you need to process the minimum amount of data for each purpose. Data minimization is one of the basic GDPR principles, and it does not allow processing more data than necessary for your purpose.
Here you’ll determine the tools you’ll use for collecting and processing personal data.
In general, there are two ways to collect personal data:
Users will give you data for the purpose of execution of a contract, such as goods delivery, or getting a freebie.
For data that is not given in exchange for something, you'll need to use tracking mechanisms. These include cookies, pixels, fingerprinting, and other methods. Make sure you identify them all at this point.
You should keep the data as long as you need it, but no longer than that.
Not only because the GDPR obliges you to erase personal data you don't need, but also because keeping it brings you risk without any upside. Why would you keep someone else's personal data that you don't need and that could be breached? It is not wise, and it is against the law.
So, determine a retention period for each category of personal data you collect and process. It should be aligned with the purpose of processing. So, if you do not need to process that data anymore, get rid of it.
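The "one retention period per category, aligned with its purpose" rule above, turned into a small purge check. This is an added example, not code from the guide; the schedule, day counts and the record layout are constructed assumptions, and a record that still serves one live purpose (an active subscription) is kept even after another purpose has expired.

```python
from datetime import datetime, timedelta, timezone

# Constructed retention schedule: how long each data category is kept for a
# given purpose. The day counts are illustrative assumptions, not figures
# from the guide; None means "as long as the purpose itself lasts".
RETENTION_DAYS = {
    ("order_fulfilment", "shipping_address"): 90,
    ("customer_support", "phone_number"): 180,
    ("newsletter", "email"): None,
}

def expiry(purpose, category, collected_at):
    # Unknown (purpose, category) pairs raise KeyError on purpose: every
    # combination you actually process must appear in the schedule.
    days = RETENTION_DAYS[(purpose, category)]
    return None if days is None else collected_at + timedelta(days=days)

def must_erase(record, now):
    # Keep the record while at least one remaining purpose still justifies it.
    # A record with no purposes left (e.g. an unsubscribed email) goes at once.
    for purpose in record["purposes"]:
        exp = expiry(purpose, record["category"], record["collected_at"])
        if exp is None or exp > now:
            return False
    return True

def purge(records, now):
    # Returns (ids to keep, ids to erase); the caller does the actual deletion.
    keep, erase = [], []
    for rec in records:
        (erase if must_erase(rec, now) else keep).append(rec["id"])
    return keep, erase

def sample_records():
    # Constructed sample data, all collected on the same day.
    t = datetime(2022, 1, 1, tzinfo=timezone.utc)
    return [
        {"id": "addr-1", "category": "shipping_address", "collected_at": t, "purposes": {"order_fulfilment"}},
        {"id": "mail-1", "category": "email", "collected_at": t, "purposes": {"newsletter"}},
        {"id": "mail-2", "category": "email", "collected_at": t, "purposes": set()},
        {"id": "phone-1", "category": "phone_number", "collected_at": t, "purposes": {"customer_support"}},
    ]

def run_sample(days_later):
    # Run the purge check against the sample data N days after collection.
    records = sample_records()
    return purge(records, records[0]["collected_at"] + timedelta(days=days_later))
```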
Your website may be setting cookies on users' devices without their consent and without you knowing it. Social plugins, widgets, and other tools often use cookies, but website owners are frequently unaware of that.
If you are not sure about this, scan your website with a cookie scanner. The 2gdpr scanner gives good results along with basic guidance on cookie compliance. Check your website and act according to the results.
The privacy policy is a document to inform users about your privacy practices.
If you have answered the questions above and you have determined what, why, and how you do, then drafting the privacy policy will be a breeze.
A GDPR-compliant privacy policy is one that contains the essential elements required by the regulation. The GDPR does not list these elements in one place; they are sprinkled throughout its text, but they are a requirement nonetheless.
In all cases, you need a privacy policy with the following elements:
Related guide: How to Understand the Privacy Practices of an Online Business Based on Their Privacy Policy
Many online business owners think that posting a privacy policy on their website is enough for compliance with data protection laws, but that couldn’t be further from the truth.
When users give you their own data, the legal basis usually is the execution of a contract between your business and the user.
But, when you collect their data by using third-party tools, you have to ask them first if they are OK with it. GDPR does not allow data collection without users’ explicit consent, so you need to obtain it before using tracking technologies.
The most practical way to obtain users' consent is by showing them a cookie banner. But not just any banner: only banners that follow the GDPR requirements are lawful.
The cookie banner is lawful as long as the user’s consent is:
This means that you are not allowed to send cookies to your users’ devices in sneaky ways that we have covered before:
GDPR obliges businesses to keep records of their own processing activities and provide those to authorities upon request. The records should contain at least:
Aside from the records of processing activities, it is very important to keep a record of every consent obtained from a user.
Sooner or later, you will receive a data subject request by someone who wants to know how you handle their data. When that time comes, you’ll also need to prove that you have obtained their consent to process the data. If you don’t prove it, you’ll get into trouble with the law.
Many online businesses opt for cheap consent management solutions that do not keep records of the consent obtained. These solutions, mostly WordPress plugins, present the user with a cookie banner and a link to the privacy policy, but that's about it. If the user accepts your cookies, they do nothing further. They record nothing, so they don't make you compliant with the GDPR.
There are good paid tools on the market that you could use for consent management.
Some of them include OneTrust, Secure Privacy, Cookiebot, and Iubenda.
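What a consent record that can later be produced as proof for a data subject request needs to capture, as an added example; this is not code from the guide or from any of the tools named above. The record layout, the hash chain that makes edits or deletions detectable, and the sample visitor data are all constructed assumptions.

```python
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
import hashlib, json

@dataclass(frozen=True)
class ConsentRecord:
    user_id: str         # pseudonymous id (cookie/session id), not a name
    banner_version: str  # which banner text and privacy policy the user saw
    purposes: tuple      # purposes this decision covers, e.g. ("analytics",)
    given: bool          # True = accepted, False = refused or withdrawn
    recorded_at: str     # ISO-8601 UTC timestamp of the decision
    evidence: str        # how it was made, e.g. "click:accept_all"
    prev_hash: str       # digest of the previous record (hash chain)
    def digest(self) -> str:
        return hashlib.sha256(json.dumps(asdict(self), sort_keys=True).encode()).hexdigest()

class ConsentLog:
    def __init__(self):
        self.records: list[ConsentRecord] = []
    def record(self, user_id, banner_version, purposes, given, evidence, now=None):
        ts = (now or datetime.now(timezone.utc)).isoformat()
        prev = self.records[-1].digest() if self.records else "0" * 64
        rec = ConsentRecord(user_id, banner_version, tuple(purposes), given, ts, evidence, prev)
        self.records.append(rec)
        return rec
    def has_consent(self, user_id, purpose) -> bool:
        # Latest decision covering the purpose wins (withdrawal beats earlier acceptance); no record = no consent.
        for rec in reversed(self.records):
            if rec.user_id == user_id and purpose in rec.purposes:
                return rec.given
        return False
    def verify_chain(self) -> bool:
        # Edited or deleted records break the chain of predecessor digests.
        prev = "0" * 64
        for rec in self.records:
            if rec.prev_hash != prev:
                return False
            prev = rec.digest()
        return True
    def proof_for(self, user_id) -> list[dict]:
        # Export to hand over when a data subject asks you to prove consent.
        return [asdict(r) for r in self.records if r.user_id == user_id]

def sample_log() -> ConsentLog:
    # Constructed sample: a visitor accepts everything, then withdraws marketing.
    log = ConsentLog()
    t0 = datetime(2022, 3, 1, 12, 0, tzinfo=timezone.utc)
    log.record("visitor-7f3a", "banner-v3", ["analytics", "marketing"], True, "click:accept_all", t0)
    log.record("visitor-7f3a", "banner-v3", ["marketing"], False, "settings:withdraw", t0.replace(day=9))
    return log
```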
Related guide: How cookie consent should be obtained
Data subjects are your website visitors in the GDPR vocabulary.
GDPR grants data subjects a set of rights. They include the right to:
Data subjects, i.e. your users, can exercise these rights by submitting a data subject request to you. The request has no prescribed form. It can be anything from just a simple message like: “Tell me what data you have collected from me,” or “Please delete all my data”, to a formal request.
You can designate a method for submitting data subject requests, such as an email address or a form on your website. However, data subjects are not obliged to send the requests in that particular way. They can do it in any way and you’ll be obliged to respond.
It is a good practice to have some kind of request management solution to handle these requests easily. Many of the consent management providers also provide data subject requests management solutions, so they are a good starting point. They usually come with a dashboard with all the requests, reminders to respond, and other features.
You have to respond to data subject requests within 30 days of receiving the request. You can delay the response by an additional 30 days in the case of a complex request that requires a lot of work on your side. Just let the user know about it.
Sometimes you may need to verify the identity of the person who submits the request. You can't send a file with personal information to anyone who simply requests it over the internet, because someone could abuse this to obtain another person's data.
If you suspect that may be the case, verify the identity of the person who submits the request. So, if an email subscriber wants to access their data, you may want to verify that they own the email address by sending them a code by email. Or, in the case of website members' data, you could verify their identity with two-factor authentication or a similar method.
You may fail to respond properly or fail to respond at all. In both cases the data subject won’t be happy and may submit additional requests or go straight to the data protection authority and initiate a procedure against you.
You want to avoid the legal headaches, so make sure you respond to the user in time and in a way that satisfies them.
Data breaches are not an everyday occurrence, but there is no online business in the world that can avoid hacks. Microsoft, Facebook, and Twitter are just a few names that have been hacked and have suffered data breaches.
There are two ways in which you may suffer from data breaches:
Do not forget that you are responsible for the data you control, even if it is processed by a third party. It is you who is liable to your users. Your processors are liable to you, but you are liable to the users.
In both cases, you have duties to your data subjects. GDPR obliges you to:
You can inform the data protection authority and the users in any way you find fit, as long as it is a piece of communication dedicated to the breach. For example, you can’t tell users about the breach in a regular newsletter full of coupons and other marketing materials.
So, you can just make a phone call to the authority and tell them what happened. Then they will guide you through the process that follows.
Some of them have data breach notification forms on their websites, so you can use those as well. The UK ICO's template is available online, to give you an idea of what such a form may look like.
It is very important to note that, in the case of a breach, the worst thing you can do is try to hide it. Remember that not all breaches occur through the website owner's fault, so in the end you may avoid a penalty. But if you remain silent about the breach, you won't avoid penalties. In fact, the fines may be higher because of it.
For effortless compliance, make sure that you have taken the precautions to avoid data breaches and have a procedure in place to react in case it happens.
The EU and the GDPR want all data processed inside the EU or in a third country that the EU considers safe. That's why data transfers abroad are made as tricky as they can be.
You can transfer data outside the EU based on the legal instruments in Chapter V of the GDPR, which means based on:
Having said that, most international data transfers would involve transferring data to US companies. After all, the world’s best tech companies operate from the US. However, transfers to the US are subject to additional security measures due to the US surveillance laws.
We have another long-form article on that subject. You can read it here.
Depending on the specifics of your business, you may need to do more for full compliance with the GDPR. Here is what you may also need:
Data controllers can use the services of third-party data processors for processing of the data they control, but only on the basis of written instructions. Those written instructions most often come in the form of a Data Processing Agreement, or as a Data Processing Addendum to the Terms of Service or to the Master Agreement.
The content of this contract is prescribed by the GDPR. It must contain at least:
When you engage a third-party data processor, such as Facebook, Quora, Google, ConvertKit, or the like, ensure that they process data based on your written instructions. Otherwise, the data processing is unlawful and you may be fined.
The companies we just mentioned are big and serious data processors that have their own DPAs. In most cases, SaaS companies that process data on behalf of other companies have these agreements ready, either as a separate document or as an addendum to the Terms of Service or the Master Agreement.
However, some small companies that do not bother much about data protection compliance may not have such agreements in place, which could get you into legal trouble. So, every time you intend to engage a new data processor, make sure you read their DPA first.
If they do not have one, it is up to you as the data controller to secure one. After all, it is your duty to provide them with written instructions for the processing. Companies that have DPAs ready do so as good practice to streamline their business, not because of any legal obligation on their side.
Not all businesses are required to have a data protection officer (DPO) or a legal representative in the EU. But if you are required to and you don't appoint one, you risk being fined.
A DPO is required for businesses that:
A legal representative in the Union is required for non-EU businesses that process large amounts of data of EU users on a regular basis.
If you are required to have a DPO or a legal representative, make sure you have one. If you are not, consider having one anyway as good practice for taking care of users' data.
A data protection impact assessment (DPIA) is a process for assessing the risks of data processing. It takes a proactive approach to data processing in order to mitigate the risks associated with it.
A DPIA is obligatory for businesses that:
For everyone else, a DPIA is not obligatory, but is a good practice.
A DPIA will help your business map out the data flow from the moment the data comes into your hands, to the moment you hand it to data processors, to the moment you delete it. It will help you understand how other people's personal data passes through your hands and will reveal any compliance gaps you need to address.
It is not obligatory, but you understand how useful it is for any online business.
You, as a data controller, are responsible for the safety of data subjects' data. That includes data security measures.
You need to think about implementing data security measures yourself if you store or process data on your own servers.
For most small and medium businesses, running their own servers is out of reach because of the cost, and there are many affordable alternatives on the market.
That means your data processors will store and process your data, and that they have to implement the best possible security measures to protect it.
Companies such as AWS, Google, Facebook, and the like implement state-of-the-art security measures. Yes, they get hacked from time to time, but no security system is impenetrable. They provide the best there is.
However, take nothing for granted. Whatever tools you use, make sure you check out the security measures your processors and sub-processors use. After all, it is about your users’ data safety, and your compliance with the GDPR.
Privacy by design is a concept that has been introduced by the GDPR. It means implementing appropriate technical and organizational measures aimed at data protection, i.e. taking data protection into account in whatever you do.
In practice, this would mean thinking about data privacy when:
You get the idea. The possibilities for privacy by design are endless. As long as you implement the basic GDPR principles for data protection, you'll most likely be implementing privacy by design.
GDPR compliance requires work, but it is not hard to achieve.
It is important to take a proactive approach. GDPR doesn't require remedies, but preventive measures. They are neither hard to implement nor expensive for small businesses. There are SaaS solutions on the market that could make you compliant for less than a couple of hundred dollars per year. That's not a lot to protect users' data, nor will it hurt your business's budget.
Otherwise, you may violate the law and get into trouble – both in terms of your finances and your reputation.
Now that you know how to comply, go ahead and do what needs to be done.
1 Comment
Andy Globe
March 21, 2022 1:25 pm
Great post, helpful WordPress and GDPR guide. Keep posting more articles.