In this blog we will discuss what the GDPR is and walk you through the steps that your company will need to take in order to comply. But first, how about the 2,728,828 emails you have in your inbox? Remember, you are also a customer and you have personal information that you need to care about. As we will mention below, consent is one of the core principles of the GDPR. Most, if not all, of the privacy policies you have received include a consent clause. If they did not, they would not be in compliance with the GDPR. Pursuant to this clause, by accepting the provider’s services you are giving your consent for them to collect and use your data. So, it is important that you review these privacy policies to make sure you are comfortable with the collection of such data.
So what is the GDPR?
In brief, the General Data Protection Regulation (“GDPR”) is designed to provide maximum protection for EU citizens’ personal information. There are two main conditions, either of which brings you under the jurisdiction of the GDPR: (1) your company is based in Europe, or (2) your company controls or processes personal data of EU citizens, regardless of where the EU citizen resides. It is worth noting here that it doesn’t matter where the customers live, so long as they are European citizens. Additionally, the GDPR also applies to customers who are not European citizens but live in the EU, such as international students, refugees, or workers.
The GDPR comes with hefty fines against companies found not in compliance with the regulation. The fines are tiered: up to €20 million (approximately $25 million) or 4 percent of global yearly turnover, whichever is greater, for data breach violations, and up to €10 or 2 percent of global yearly turnover, whichever is greater, for other GDPR non-compliance.
The core objective of the GDPR is transparency. The GDPR gives consumers the right to access, correct, delete, and restrict processing of their data. Further, protecting consumers’ data is a fundamental objective of the GDPR. If you have a site where customers can buy things and/or provide information about themselves, here are some of the issues you should be thinking about when it comes to the GDPR:
1- Consent: under the GDPR, consumers must know what their data will be used for. For example, the GDPR says, “Silence, pre-ticked boxes or inactivity should not constitute consent.” That means you should avoid things like newsletter subscription boxes that do not explain to the customer what the subscription would actually entail.
2- Limited Data: The heart of GDPR compliance is protecting consumers’ data. You can limit your exposure by only collecting the data you need. For instance, you should not ask for the customer’s phone number if it is not necessary for the checkout process. This doesn’t mean that you can’t collect customers’ phone numbers if you intend to use them for a marketing campaign; you just need to be clear and transparent about it with the customer.
3- Consumer Control: one of the main objectives of the GDPR is giving consumers control over their personal information. Therefore, you should allow your consumers to request to have their data deleted, corrected, or restricted, and act on those requests in a timely manner.
4- Transparency: Another core objective of the GDPR is transparency. The GDPR aims to create a transparent relationship between the customer and the data controller. As a data controller, you should make information accessible to the consumer. Privacy policies and terms should be clear, user-friendly, and available to consumers. Further, you should avoid gathering information from your consumers in any way that isn’t completely transparent.
5- Risk Management: If, despite all the security measures you have taken, things go south and you experience the unfortunate event of a data breach, you should be able to act in a quick and responsible manner. The GDPR expects you to report data breaches, to the individuals affected by the breach or to the Information Commissioner’s Office, depending on the type of breach and whether it may result in a risk to the rights and freedoms of individuals. Your notification should include as much information as possible about the damage that occurred, how it occurred (if known), and how you will fix it. Your organization should put in place procedures to effectively detect, report, and investigate a data breach.
Below are some more practical tips for compliance with the GDPR:
– Sensitive Data such as race, health, sexual orientation, religion, and political beliefs must be protected with additional safeguards. So if you collect, or could infer, this information about the people on your email newsletter or anywhere on the sites you control, know that the information must be stored in specific, more restrictive ways.
– If you have a newsletter subscription box on your website or in the checkout process, you should switch to an opt-in approach rather than opt-out. In other words, the default selection for subscribing to communications from your website should be “no”, and you should let consumers choose to opt in if they want to.
– Similarly, do not request one consent for several services. If your checkout process requires consumers to provide their emails for verification purposes, do not assume that you can use their emails for future marketing communication.
– Make withdrawal of consent and of services easy for the consumer.
– Name any third parties with which you will share the consumer’s information (including any of your other websites) AND request a separate consent for each one of them.
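The four tips above (opt-in by default, one consent per purpose, easy withdrawal, and a separate consent for each named third party) can be modelled as a small consent ledger. The following is an added example written for this post, not code from the original article or from any product it mentions; the purpose names, the recipient names, the sample email address, and the in-memory storage are assumptions for illustration.

```python
"""Per-purpose, per-recipient consent ledger (added example, not the post's own code).

Rules encoded here, following the tips in the post:
  * nothing is consented to unless an explicit affirmative action was recorded
    (no pre-ticked boxes, silence, or inactivity);
  * consent is keyed by purpose AND recipient, so an email given for order
    verification does not authorise marketing, and a share with one named
    third party does not authorise a share with another;
  * withdrawal is a single call and only touches the matching consent.
The subject identifier, purposes and recipients below are constructed samples.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class ConsentRecord:
    purpose: str                      # e.g. "order_verification", "marketing_email"
    recipient: str                    # "self" (the controller) or a named third party
    granted_at: datetime
    withdrawn_at: Optional[datetime] = None

    @property
    def active(self) -> bool:
        return self.withdrawn_at is None


class ConsentLedger:
    def __init__(self) -> None:
        self._records: Dict[str, List[ConsentRecord]] = {}

    def grant(self, subject: str, purpose: str, recipient: str = "self",
              explicit: bool = False) -> ConsentRecord:
        # The caller passes explicit=True only when the user actively ticked a
        # box or clicked a button; the default (False) mirrors an untouched,
        # unticked form and is rejected rather than silently treated as consent.
        if not explicit:
            raise ValueError("consent must be an explicit affirmative action")
        rec = ConsentRecord(purpose, recipient, datetime.now(timezone.utc))
        self._records.setdefault(subject, []).append(rec)
        return rec

    def withdraw(self, subject: str, purpose: str, recipient: str = "self") -> int:
        """Mark matching active consents withdrawn; returns how many were withdrawn."""
        now = datetime.now(timezone.utc)
        count = 0
        for rec in self._records.get(subject, []):
            if rec.active and rec.purpose == purpose and rec.recipient == recipient:
                rec.withdrawn_at = now
                count += 1
        return count

    def may_use(self, subject: str, purpose: str, recipient: str = "self") -> bool:
        """True only if an active consent exists for exactly this purpose and recipient."""
        return any(r.active and r.purpose == purpose and r.recipient == recipient
                   for r in self._records.get(subject, []))

    def active_purposes(self, subject: str) -> Set[Tuple[str, str]]:
        return {(r.purpose, r.recipient)
                for r in self._records.get(subject, []) if r.active}


def demo() -> dict:
    """Walk through the checkout scenario from the post with constructed data."""
    ledger = ConsentLedger()
    user = "alice@example.com"                       # constructed sample subject
    ledger.grant(user, "order_verification", explicit=True)
    # Email collected for verification only: marketing is not implied.
    marketing_before = ledger.may_use(user, "marketing_email")
    # User later ticks two separate boxes: our newsletter, and a named partner.
    ledger.grant(user, "marketing_email", explicit=True)
    ledger.grant(user, "marketing_email", recipient="partner-site.example", explicit=True)
    marketing_after = ledger.may_use(user, "marketing_email")
    partner_before = ledger.may_use(user, "marketing_email", "partner-site.example")
    # Withdrawing the partner share leaves the other two consents untouched.
    withdrawn = ledger.withdraw(user, "marketing_email", "partner-site.example")
    return {
        "marketing_before": marketing_before,
        "marketing_after": marketing_after,
        "partner_before": partner_before,
        "withdrawn": withdrawn,
        "partner_after": ledger.may_use(user, "marketing_email", "partner-site.example"),
        "remaining": ledger.active_purposes(user),
    }


if __name__ == "__main__":
    print(demo())
```

In a real store the ledger would be persisted alongside the customer record, and the `granted_at` and `withdrawn_at` timestamps are what you would show an auditor or a customer who asks what they agreed to and when.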
– If your website’s online payment system collects personal information from your consumers before you transfer this information to data processors such as Square or Shopify, you need to modify your web store to delete your users’ personal information after a specific amount of time. Remember, never keep data you don’t need.
– If you are using third-party tracking applications, such as Google Analytics or AdRoll, then as a data controller you will need to make sure that these apps are in compliance with the GDPR too. The good news is that most of the big names in user tracking have already announced compliance with the GDPR. That being said, checking to make sure that the tracking apps you use on your website are in compliance with the GDPR is a good strategy.
– SSL and HTTPS: using HTTP over SSL/TLS is always a good and recommended practice, but it alone might not be enough for GDPR purposes. HTTPS guarantees that the data in transit between the customer’s browser and your website is encrypted, but it doesn’t go further than that. You also need to make sure that any data is stored in a secured database and that the data at rest in the database is encrypted.
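The “delete after a specific amount of time” tip translates directly into a retention job that runs over the web store’s own order records. The following is an added example written for this post (not code from the original article, Square or Shopify): it assumes a flat order record with a `collected_at` timestamp and an assumed list of which fields count as personal, strips those fields once the retention window has passed, and keeps the non-personal bookkeeping fields so the order history stays intact.

```python
"""Retention purge for personal data held before hand-off to a payment processor.

Added example, not the post's or any processor's code. The record schema,
the PERSONAL_FIELDS list and the 30-day window are assumptions; the two
sample orders are constructed inline so the script runs offline.
"""
from datetime import datetime, timedelta, timezone
from typing import Dict, List

# Assumed: which keys in an order record are personal data. Everything else
# (order id, totals, status) is kept for accounting after the purge.
PERSONAL_FIELDS = ("name", "email", "phone", "address")


def is_expired(record: Dict, retention: timedelta, now: datetime) -> bool:
    """True once the record has been held for at least the retention period."""
    return now - record["collected_at"] >= retention


def minimise(record: Dict, retention: timedelta, now: datetime) -> Dict:
    """Return a copy of the record with personal fields removed if it has expired.

    Unexpired records are copied unchanged so callers never mutate the input.
    """
    if not is_expired(record, retention, now):
        return dict(record)
    return {k: v for k, v in record.items() if k not in PERSONAL_FIELDS}


def purge(records: List[Dict], retention: timedelta, now: datetime) -> List[Dict]:
    """Apply minimise() to every record; the caller writes the result back."""
    return [minimise(r, retention, now) for r in records]


# Constructed sample data: one order well past the window, one placed yesterday.
FIXED_NOW = datetime(2018, 6, 1, tzinfo=timezone.utc)
SAMPLE_ORDERS = [
    {"order_id": "A-1001", "total": 49.90, "status": "shipped",
     "name": "Alice Example", "email": "alice@example.com",
     "phone": "+1-555-0100", "address": "1 Sample St",
     "collected_at": FIXED_NOW - timedelta(days=45)},
    {"order_id": "A-1002", "total": 12.00, "status": "processing",
     "name": "Bob Example", "email": "bob@example.com",
     "phone": "+1-555-0101", "address": "2 Sample St",
     "collected_at": FIXED_NOW - timedelta(days=1)},
]


def run_sample(retention_days: int = 30) -> List[Dict]:
    """Purge the constructed orders against the fixed clock and return the result."""
    return purge(SAMPLE_ORDERS, timedelta(days=retention_days), FIXED_NOW)


if __name__ == "__main__":
    for order in run_sample():
        print(order)
```

Passing `now` explicitly rather than calling `datetime.now()` inside the purge keeps the job deterministic and testable; in production you would schedule it, feed it the real clock, and log the order ids that were minimised so you can show when the personal data left your systems.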
Because the GDPR is a new regulation, there is no case law yet regarding it. Legal challenges that we are not currently familiar with will likely come up in the future. Although the GDPR doesn’t require specific procedures to be followed by each website, it draws a big picture of the expectations on websites that handle consumer personal information. Being transparent, organized, and careful in your handling of data and communications with customers should go a long way toward demonstrating good faith in the event of a GDPR challenge. Always remember: treat your customers’ data as you would like others to treat yours.