What Every Single Online Business Needs to Do For GDPR Compliance
No matter at what stage you are with your online business, you have to:
- Determine why you need users’ personal data
- Determine the categories of data you need
- Determine how you are going to obtain such data
- Determine for how long you’ll keep the data
- Check out the cookies your website uses already (and you may not know about them)
- Have a privacy policy
- Obtain explicit consent for collection and/or processing of data
- Keep records of consents and data processing
- Respond to data subject requests
- Ensure the legality of your data transfers
- Plan for data breach notifications
Now onto each one of these:
1. Determine why you need personal data
You have to have reasons to process users’ data. For most businesses the reasons include:
- Marketing purposes – if you want to track users’ behavior in order to collect data that you can use to segment them and address them with a tailored message
- Improve the user experience on your website
- Analytics purposes – to collect data on how website visitors use the website.
Determining the why behind the data processing is the first step before proceeding with the categories of data you’ll need.
2. Determine the data you need
Now when you know why you need to process personal data, you have to determine what categories of data will help you get there.
Data categories are the types of personal data, such as names, email addresses, home addresses, SSNs, political views, biometric data, etc.
So, if you need to process users’ data for marketing purposes, you may need email addresses to send newsletters, or online identifiers allowing you to do retargeting.
For analytics purposes, you may install Google Analytics and get their IP addresses.
To send a product ordered from your ecommerce store, you’ll need their full name, address, and ZIP code. To provide customer support you may need their phone number.
Remember that you need to process the minimum amount of data for each purpose. Data minimization is one of the basic GDPR principles, and it does not allow processing more data than necessary for your purpose.
3. Determine how you are going to obtain such data
Here you’ll determine the tools you’ll use for collecting and processing personal data.
In general, there are two ways to collect personal data:
- Data that users give you voluntarily
- Data that you collect by cookies and other tracking technologies.
Users will give you data for the purpose of execution of a contract, such as goods delivery, or getting a freebie.
For data that does not require exchange of something, you’ll need to use tracking mechanisms. These include cookies, pixels, fingerprinting, and other methods. Make sure you determine them all at this point.
4. Determine for long you’ll keep the data
You should keep the data as long as you need it, but no longer than that.
Not only because it obliges you to erase personal data you don’t need, but also because it brings you risks without an upside. Why would you keep someone else’s personal data that you don’t need and can be breached? It is not wise and it is against the law.
So, determine a retention period for each category of personal data you collect and process. It should be aligned with the purpose of processing. So, if you do not need to process that data anymore, get rid of it.
5. Check out the cookies your website uses
Your website may be waiting to inject cookies to users’ devices without their consent and without you knowing. Social plugins, widgets, and other tools often use cookies, but website owners are not aware of that.
If you are not sure about this, scan your website on a cookie scanner. 2gdpr scanner gives good results along with basic guidance on cookie compliance. Check out your website and act according to the results.
6. Have a privacy policy
The privacy policy is a document to inform users about your privacy practices.
If you have answered the questions above and you have determined what, why, and how you do, then drafting the privacy policy will be a breeze.
A GDPR-compliant privacy policy is the one that has the essential elements prescribed with the regulation. These elements are not explicitly prescribed though but are sprinkled throughout the text of the GDPR and are a requirement anyway.
In all cases, you need a privacy policy with the following elements:
- Your identity. You are the data controller and users (a.k.a. data subjects) have the right to know who controls their data. Provide your business name and at least an email address for contact. For better transparency, provide a phone number and physical address, if your business has any.
- The purposes of data collection and/or processing. Tell your users why you need their data.
- How you collect and/or process personal data. You have to inform users about the methods you use for the collection of their data. In general, there are three ways for data collection:
- Users give you their data themselves (such as providing an email address to receive marketing promotions, discounts, free ebooks, etc.) or
- You collect their data through cookies and tracking technologies (this includes Google remarketing, Facebook Pixel, etc).
- You collect data from other parties, such as your subsidiary companies, etc.
- The categories of data you collect. Here you should name each category of data that you collect, such as name, email address, home address, phone number, IP address, Social Security Number, or any other personal information.
- With whom you share their personal data. These are the third-party tools you use for data processing. You share users’ data with them, so that they will deliver you insights based on that data. For example, you share data with Google in order to get insights from Google Analytics.
- Data subject rights. GDPR grants you users the following rights:
- Know about data processing
- Get access to their data
- Restrict and/or object to the processing of their data
- Have their data erased
- Correct inaccurate data
- Transfer data to another data controller
- Know if their data is part of automated data processing, including profiling, and object to that
- How users can exercise their rights. Users have rights, but you need to let them know how they could exercise them. As a minimum, ensure you have an email address for contacting you.
It is even better if you have a dedicated contact form for submitting data subject requests. There are SAAS solutions on the market that allow you to collect these requests, sort them out, and answer quickly.
- Data retention period. Tell your users for how long you’ll keep their data.
- Children’s data. If you knowingly collect children’s data, you should inform users and obtain consent from their parents. If you do not do so, this section is your chance to put a disclaimer that you don’t do that and keep yourself from responsibility.
- Data Protection Officer (DPO) or legal representative. Some organizations are obliged to have a DPO, while those registered outside of the EU should have a legal representative there. If you have any of these, include their names and contact information in the privacy policy.
- Updates and the effective date of the privacy policy. Finally, end your privacy policy with the methods for informing users of any updates and the date from which the current version of the privacy policy is effective.
7. Obtain explicit consent for collection and processing of data
Many online business owners think that posting a privacy policy on their website is enough for compliance with data protection laws, but that couldn’t be further from the truth.
When users give you their own data, the legal basis usually is the execution of a contract between your business and the user.
But, when you collect their data by using third-party tools, you have to ask them first if they are OK with it. GDPR does not allow data collection without users’ explicit consent, so you need to obtain it before using tracking technologies.
The most practical way to obtain users’ consent is by showing them a cookie banner. But, not any banner. Only those that follow the GDPR requirements are lawful.
The cookie banner is lawful as long as the user’s consent is:
- Freely given. This means that you have to give the user a choice between accepting and declining the cookies. In addition, accepting cookies must not be a condition for access to website content.
- Informed. The user has to be informed of your data protection activities at the time of requesting the consent. That’s why cookie banners often have a link to the privacy policy. The privacy policy informs the user about the privacy practices of the company, and if the user has no problem with it, they could give their consent for data collection and processing.
- Specific. Your privacy policy contains the purposes for data processing. You have to obtain separate consent for each specific purpose. This means that if you collected consent for analytics purposes, you are not allowed to process the same data for marketing purposes. You’ll need additional consent for that activity.
-
Unambiguous. The consent is lawfully obtained only if the user has taken affirmative action to give the consent, such as clicking an ACCEPT button.
Assuming that they consent to the use of cookies simply by staying on the website or assuming that they accept the cookies by accepting your Terms of Service is against the GDPR.
Moreover, you must not pre-check the boxes or toggles. It is the user who has to take unambiguous action to confirm the consent for the use of cookies.
- Easily withdrawn. You have to provide users with an opportunity to withdraw the consent as easily as it has been given. If the user has given the consent by a simple click on an ACCEPT button, you must not request filling a long withdrawal form to be sent to you by email. You have to make it easy for the user.
This means that you are not allowed to send cookies to your users’ devices in sneaky ways that we have covered before:
- No pre-checked boxes
- No cookie walls
- No bundling of the cookie consent with the Terms of Service
- No assumptions that the user accepts the cookies by browsing the website
8. Keep records for obtained consent and processing activities
GDPR obliges businesses to keep records of their own processing activities and provide those to authorities upon request. The records should contain at least:
- Your contact details
- The purpose of data processing
- Description of data subjects
- Categories of data processed
- The recipients of personal data
- Details on data transfers, if any
- Data retention period, if any
- A general description of the data security measures, if applicable
Aside from the processing activities records, it is very important to keep records of every consent obtained by a user.
Sooner or later, you will receive a data subject request by someone who wants to know how you handle their data. When that time comes, you’ll also need to prove that you have obtained their consent to process the data. If you don’t prove it, you’ll get into trouble with the law.
Many online businesses opt for cheap consent management solutions that do not keep records of obtained consent. These solutions, mostly WordPress plugins, will present the user with a cookie banner and a link to the privacy policy, but that’s about it. If the user accepts your cookies, they won’t react. They record nothing, so they don’t make you compliant with the GDPR.
There are good paid tools on the market that you could use for consent management.
Some of them include OneTrust, Secure Privacy, Cookiebot, and Iubenda.
9. Respond to data subject requests
Data subjects are your website visitors in the GDPR vocabulary.
Data subject rights
GDPR grants data subject a set of rights. They include the right to:
- Know about processing
- Access their data in your control
- Object to data processing
- Restrict the processing
- Correct the data
- Transfer their data to another controller
- Have their data erased
- Know that they have been subjected to automated decision making, including profiling
Submitting the requests
Data subjects, i.e. your users, can exercise these rights by submitting a data subject request to you. The request has no prescribed form. It can be anything from just a simple message like: “Tell me what data you have collected from me,” or “Please delete all my data”, to a formal request.
You can designate a method for submitting data subject requests, such as an email address or a form on your website. However, data subjects are not obliged to send the requests in that particular way. They can do it in any way and you’ll be obliged to respond.
It is a good practice to have some kind of request management solution to handle these requests easily. Many of the consent management providers also provide data subject requests management solutions, so they are a good starting point. They usually come with a dashboard with all the requests, reminders to respond, and other features.
Responding the request
You have to respond to data subject requests within 30 days of receiving the request. You can delay the delivery for additional 30 days in the case of a complex request that requires a lot of work on your side. Just let the user know about it.
Ensuring you respond to the right person
Sometimes you may need to verify the identity of the person who submits the request. You can’t send a file with personal information to anyone who just requests it over the internet, because it may be abused by some people who request data for other people.
If you doubt that it may be the case, you’ll need to verify the identity of the person who submits the request. So, if an email subscriber wants to access their data, you may want to verify they own the email address by sending a code by email. Or, in the case of data processing of website members, you could verify their identity by 2-factor identification, or a similar way.
Failure to respond
You may fail to respond properly or fail to respond at all. In both cases the data subject won’t be happy and may submit additional requests or go straight to the data protection authority and initiate a procedure against you.
You want to avoid the legal headaches, so make sure you respond to the user in time and in a way that satisfies them.
10. Plan for Data Breach Notifications
Data breaches are not an everyday occurrence, but there is no online business in the world that can avoid hacks. Microsoft, Facebook, Twitter, are just a few names that have been hacked and have had data breaches.
There are two ways in which you may suffer from data breaches:
- Your website is breached, or
- Any of your data processors is breached.
Do not forget that you are responsible for the data you control, even if it is processed by a third party. It is you who is liable to your users. Your processors are liable to you, but you are liable to the users.
In both cases, you have duties to your data subjects. GDPR obliges you to:
- Inform the relevant data protection authority no later than 72 hours from knowing about the breach (if you delay this, you need a good explanation about it and are under the risk of penalties).
- If the breach poses a threat to the rights of the data subjects, inform them as well. A threat would be leaking of personal information such as social security number, health data, sexual orientation, and other data that in the current set of circumstances could pose any kind of a risk.
You can inform the data protection authority and the users in any way you find fit, as long as it is a piece of communication dedicated to the breach. For example, you can’t tell users about the breach in a regular newsletter full of coupons and other marketing materials.
So, you can just make a phone call to the authority and tell them what happened. Then they will guide you through the process that follows.
Some of them have data breach forms on their websites, so you can use those as well. The template of the UK ICO is available on this link, just to give you an idea how it may look like.
It is very important to note that, in the case of a breach, the worst thing to do is trying to hide it. Remember that not all breaches occur due to website owners’ fault, so in the end you may avoid a penalty. But if you remain silent about the breach, you won’t avoid penalties. In fact, the fines may be higher because of that.
For effortless compliance, make sure that you have taken the precautions to avoid data breaches and have a procedure in place to react in case it happens.
11. Ensure the legality of your data transfers
The EU and the GDPR want all the data processed inside the EU or a third safe country. That’s why the data transfers abroad are made as tricky as they can be.
You can transfer data outside the EU based on the legal instruments in Chapter V of the GDPR, which means based on:
- Adequacy decision. The European Commission has a list of countries that are considered to offer an adequate level of data protection according to the GDPR. For each of these countries the EU has an adequacy decision. Based on that decision, you can transfer data to these countries freely, without asking anyone, as if you move the data around the EU.
The full list of adequate countries is available here.
- Standard contract clauses (SCCs). The SCCs are clauses that are part of the data processing agreement. With them, the data controller and the data processor agree on the security measures for protecting the data. This is the most common legal basis for data transfers in the absence of an adequacy decision.
- Binding corporate rules (BCRs). Similar to the SCCs, but rarely used in practice. These are rules that apply to groups of companies – joint controllers in relation to data transfers.
- Consent by the data subject. Self-explanatory. If the data subject agrees explicitly to the transfer, you are good to go. If you are a non-EU company, you can include this in the privacy policy and get the consent along with the consent for data processing.
- Performance of contract. If the data transfer is necessary for provision of the services and products you offer, you can transfer the data. However, this is a slippery slope, so better opt for another basis. Use this one as the last resort.
- Public interest or data subject interest or the transfer is necessary for the establishment, exercise, or defence of legal claims. Self-explanatory.
Having said that, most international data transfers would involve transferring data to US companies. After all, the world’s best tech companies operate from the US. However, transfers to the US are subject to additional security measures due to the US surveillance laws.
We have another long-form article on that subject. You can read it here.
Additional Things You May Need
Depending on the specifics of your business you may need to do more for a full compliance with the GDPR. Here is what you may also need:
1. Data processing agreement (DPA)
Data controllers can use the services of third-party data processors for processing of the data they control, but only on the basis of written instructions. Those written instructions most often come in the form of a Data Processing Agreement, or as a Data Processing Addendum to the Terms of Service or to the Master Agreement.
The content of this contract is prescribed with the GDPR. It must contain at least:
- The categories of data to be processed
- The purpose of processing
- The duration of processing
- The categories of data subjects
- The rights and the duties of the controller
-
That the data processor will process data only upon the written instruction, i.e. the DPA
- Provisions on the confidentiality of the processed data
- The security measures for the processing
- Provisions on the sub-processors, if any
- That the processor would help the controller to comply with the law, if needed
- That at the choice of the controller, the processor would return or delete all the controller’s data
- That the processor will make available to the controller all information necessary for compliance, including audit and inspections.
When you engage with a third-party data processor, such as Facebook, Quora, Google, Convertkit, or the likes, ensure that they process data based on your written instructions. Otherwise, the data processing is unlawful and you may be fined.
The companies that we just mentioned above are big and serious data processors that have their own DPAs. In most cases, the SAAS companies that process data on behalf of other companies would have these agreements ready, either as a separate document, or as an addendum to the Terms of Service or the Master Agreement.
However, some small companies that do not bother too much about data protection compliance may not have such agreements in place. That way they may involve you in legal trouble. So, every time when you intend to engage with a new data processor, make sure you read their DPA first.
If they do not have any, it is up to you as a data controller to secure one. After all, it is your duty to provide them with written instructions for the processing. The fact that some companies have DPAs in place is a good practice for streamlining their businesses, but no legal obligation whatsoever.
2. Appoint a DPO or legal representative
Not all businesses are required to have a data protection officer (DPO) or a legal representative in the EU. But, if you are required and you don’t appoint one, you risk to be fined.
A DPO is required for businesses that:
- Process large amounts of sensitive personal data
- Processing personal data that requires regular systematic monitoring of many data subjects (think of companies like Google and Facebook)
A legal representative in the Union is required for non-EU businesses that process large amounts of data of EU users on a regular basis.
If you are required to have a DPO and a legal representative, make sure you have one. If you don’t consider having one as a good practice to take care of users’ data.
3. Data protection impact assessment
Data protection impact assessment (DPIA) is a process for assessing the risks of data processing. It is taking a proactive approach to the data processing in order to mitigate the risks associated with it.
A DPIA is obligatory for businesses that:
- Process data likely to result in a high risk to the rights and freedoms of persons
- Conduct automated processing, including profiling
- Process large scale of sensitive personal data, or
- Systematically monitor public areas.
For everyone else, a DPIA is not obligatory, but is a good practice.
A DPIA will help your business map out the data flow from the moment it comes to your hands, to the moment you hand it down to the data processors, to the moment you delete the data. It will help you understand how other peoples’ personal data goes through your hands and will let you know about any compliance gaps you need to address.
It is not obligatory, but you understand how useful it is for any online business.
4. Security measures
You, as a data controller, are responsible to take care for the safety of data subjects’ data. That also includes data security measures.
You need to think of implementing data security measures if you store or process data on your own servers.
For most small and medium businesses that’s out of reach due to the prices, and there are many affordable alternatives on the market.
That means that your data processors will store and process your data. That means that they have to implement the best possible security measures for protecting your data.
Companies such as AWS, Google, Facebook, and the likes implement state-of-art security measures. Yes, they get hacked from time to time, but no security system is impenetrable. They provide the best there is.
However, take nothing for granted. Whatever tools you use, make sure you check out the security measures your processors and sub-processors use. After all, it is about your users’ data safety, and your compliance with the GDPR.
5. Privacy by design
Privacy by design is a concept that has been introduced by the GDPR. It means implementing appropriate technical and organizational measures aimed at data protection, i.e. taking data protection into account in whatever you do.
In practice, this would mean thinking about data privacy when:
- Determining your privacy practices
- Designing new services
- Designing new apps or other products, and so on.
You get the idea. The possibilities for privacy by design is endless. As long as you implement the basic GDPR principles for data protection, you’ll likely be implementing privacy by design.
