The Business Owner's Guide to the GDPR

Written by Elizabeth Lord and last updated on 01 April 2020.

In today's online economy, maintaining data privacy and user confidentiality should be the cornerstone of any business with an online presence.

As a business owner, there's an important piece of legislation from the European Union that you should be aware of called the General Data Protection Regulation, or GDPR for short.

The GDPR is a far-reaching privacy regulation that will quickly catch up with any business that tries to ignore it, anywhere in the world. That's because the GDPR affects any business that collects data from EU residents, no matter its global location.

This article will detail the specifics of the GDPR including who it applies to, what it requires and how you can comply with it.


What is the GDPR?

The GDPR was brought about in 2016 by the European Parliament after four long years of negotiating and debating the specifics of the policy. It was created as a replacement for the Data Protection Directive 95/46/EC and went into effect in May of 2018.

The regulation was designed to bring a modern approach to digital security to Europe. Its aim is to give EU citizens a stronger grip on the personal information they share online and to put every EU member state under the same legal framework.

Consumers hand over their personal data and information daily, and not just on the Internet. It happens at banks, medical centers, retail shops - almost everywhere. But often, these consumers don't really know where that data goes or what's done with it.

By putting frameworks such as the GDPR in place, more power and control is handed back to the individual. This raises the levels of trust felt towards government systems and corporations, which in turn can boost revenue and profit margins for businesses.

Given that such a large portion of monetary transactions occur digitally through online shopping and other ecommerce avenues, it has become imperative that the personal information tied to these activities is protected in a way that minimizes risk to the consumer.

This is why privacy legislation such as the GDPR has become so important.

Who does the GDPR Apply to?

The GDPR applies to businesses that collect and use personal information from residents of the EU, regardless of where the business itself is located. This gives the GDPR a global reach.

If your business offers goods or services to EU residents or monitors the behavior of these residents through data collection, you need to comply with the GDPR.

The penalties for failing to comply with the GDPR are strict: fines of up to four percent of an organization's yearly turnover or €20 million, whichever is greater, with tiered penalties for a range of infringements.

Different Roles under the GDPR

  • A data controller is the party that determines what purposes personal data will be processed for and how the processing shall take place.
  • A data processor is the party that processes personal data on behalf of and upon instruction from the data controller. Processors typically obtain, record and store the data on behalf of the data controller. An example of a data processor might be an accounting firm, marketing research company, email newsletter management service (think MailChimp) or cloud service provider.
  • A Data Protection Officer (DPO) is required under certain circumstances. This individual is responsible for supervising the strategy behind data protection and ensuring a company is maintaining compliance with the GDPR. The DPO is also in charge of instructing and training the company's employees on what's required of them and their organization, and acts as the contact between organizations and the GDPR authorities.

    These are the circumstances that would require the appointment of a DPO:

    • The data processing is performed for or by a public authority.
    • The business activities require the regular and systematic processing of consumer data on a large-scale.
    • The data involves categories of information defined as sensitive or data relating to criminal offenses.

The different roles come with different requirements, so the distinction is important.

What does the GDPR require?

The GDPR's main areas of focus are:

  • Privacy rights
  • Data security
  • Data control
  • Governance

As such, a few of the key considerations for compliance include the following:

  • Organizations are now held to a higher level of responsibility and accountability regarding the handling, protecting and processing of their customers' personal data.
  • The definition of "personal data" now includes a wider range of information and covers everything from cookie data to Social Security numbers to biometric identifiers.
  • Individual consumers now have more rights regarding how organizations interact with their personal data.
  • There are much stricter rules regarding consent.

Thanks to the GDPR, there are now several conditions regarding the processing of personal data. These conditions are in place to ensure the data is processed lawfully and fairly.

'Fair' data processing refers to an organization providing clarity and openness about how it collects, stores and shares personal information.

Fairness also means an organization is open about its identity and the intent behind gathering consumer data, with assurance that such information won't be used in misleading, deceitful ways that could have a negative effect on the consumer.

What's more, individuals must be given a choice as to whether they want to share their information with a business. If they decide against it, they must be provided with a clear, easy way to decline.

Here are some of the specific things the GDPR requires:

Privacy by Design

Privacy by Design (PbD) has been a best practice guide for businesses for decades, but the GDPR is the first regulation to require it by law.

PbD simply refers to business practices, websites, and data handling processes that are designed with privacy and data security in mind. Every aspect of your business, from the design of your Privacy Policy to the way you collect data from customers, should be created with thorough privacy and security practices from the outset.

As long as you show that you did your due diligence to ensure privacy and security during the design and creation of your online business, this requirement will be fulfilled under GDPR regulations.

Breach Notifications

The GDPR makes it clear that EU authorities expect to be informed swiftly and thoroughly of any data breach involving European consumers. Processors must inform their data controllers of any security breach immediately, and EU supervisory authorities must be informed within 72 hours of data breaches.

Make sure you have an action plan in place - both for software programs and human employees - so that everyone knows which processes and alert systems to follow in the case of a data breach.

Legal Basis for Processing

It is considered unlawful under the GDPR to collect so much as an IP address or device identifier from an EU resident without a legal basis for processing that data.

These are the possible legal bases for collecting consumer personal data, as listed by the GDPR:

  1. Consent
  2. To fulfill the legitimate interests of someone without intruding upon individual rights and freedoms
  3. Fulfillment of a contract
  4. Legal obligation
  5. Protection of someone's vital interest
  6. Public interest of vested authority

For the vast majority of businesses, the only possible legal bases that will apply are bases 1, 2, and 3 in the list above.

In the case of legitimate interests, you must be able to prove that you are fulfilling a specific service or serving a basic need for your customers, and you can only keep the personal data for as long as it takes to fulfill that service.

If your legal basis is fulfillment of a contract, then you would need a written and signed contract from each customer before collecting their information. Because of the obvious complications with methods like these, many businesses rely on consent as a reliable legal basis for data processing.

In order to obtain valid consent, the GDPR states several stipulations, described below.

How to Get GDPR-Compliant Consent

Legal consent is not what it used to be. Under the GDPR, consent is not considered valid unless certain conditions are met. EU user consent must be:

  • Freely given - Consent must be given under no obligation. The user should not be required to provide data in order to browse a website.
  • Specific and informed - Users must be fully informed specifically how their information is being collected and how it will be used.
  • Unambiguous - Consent may not be assumed because a user browses a website or fills out a form. No consent checkboxes may be pre-ticked in any type of webform or notice.

If a company chooses to rely on consent as the legal basis for collecting personal data, the consent must be unambiguous, affirmative and freely given.

In order for consent to be obtained fairly, you have to first give your consumers as much transparency as possible so they know exactly what they're agreeing to. This can be done effectively through your Privacy Policy, as long as you provide clear, understandable information within it.

According to Recital 32 of the GDPR, consent cannot be given by a pre-ticked box or by 'implied consent.' Implied consent would be where the continued browsing of the website is taken as consent. Consent also can't be a precondition of service.

So, how do you get proper consent?

The most effective way is through an active opt-in function.

This is simply a form with a checkbox that users can tick to indicate consent, plus any other permissions you might like to have, such as subscribing to company mailing lists or other types of opt-in.

In the following example, the only way consumers can subscribe to emails is by checking a box saying they've read the Privacy Policy and by manually typing in an email address.

Together, these two steps create informed consent: the user has clearly agreed to share personal information (an email address):

Tech New Statesman: Example of checked checkbox for clickwrap when users read Privacy Policy

However, be aware that an opt-in form must not be marked automatically to "yes" or pre-filled with a checkmark when getting consent.

Consent should also be unbundled. This means that you should separate individual consent requests rather than having them all under one overarching opt-in form.

Examples of unbundled consent might be agreement to your Terms and Conditions and subscribing to your mailing list as separate steps.

Boohoo.com has a great unbundled opt-in selection on its site where users can select the kinds of communications they want to receive.

Boohoo's opt-in form using checkboxes and clickwrap for consent to news and communications

Below are a few more examples of how consent could be requested to meet GDPR requirements:

Cookies

If you use cookies, you'll need to give notice of this and get consent to use them.

The European Central Bank cookies notice is a good example of how to obtain open, specific and unambiguous consent:

European Central Bank's cookie consent banner

Website visitors are informed clearly that the website uses cookies to collect data anonymously. There's an option to learn more about how the website uses cookies that visitors can check out before deciding whether to accept or decline the use of cookies.


Contact Forms

When collecting information via online contact forms, link to your Privacy Policy and require users to click something to show they agree with your Policy before submitting their information.

This ensures that users are given the opportunity to see and understand your data handling policies before submitting any personal data.

Yelp's signup form is a good example of this:

Yelp:  Sign-up form with checkboxes for GDPR consent

You will also notice that Yelp does not pre-tick the checkbox for agreeing to marketing communications. Website visitors must freely give their consent by specifically ticking the checkbox in order to receive marketing messages.

Under the GDPR, you must keep a record of all consent given to you by your customers, including how you obtained that consent.

You must include the following in your records:

  • The data subjects who gave consent
  • A date and time stamp for each instance
  • What they consented to
  • How they consented

You must also allow consent to be withdrawn at any time. If a consumer requests to withdraw consent, the request should be processed as soon as possible by you or by the authorized person responsible for regularly reviewing the consent data.

If you can't prove that you've obtained valid consent from the EU contacts in your marketing communications database, then a repermission campaign may be in order.

A repermission campaign is an email or other form of communication that asks users to confirm their contact details and consent.

The email screenshot below demonstrates a simple way to achieve this:

Screenshot of repermission email from Pure Outdoor and The Adventure Hub

A campaign like this is an excellent way to update consent records.
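As an added example (not from the article, and not any vendor's code), here is a minimal consent ledger in Python that stores the four record fields listed above, refuses the capture methods the article says are not valid consent (pre-ticked boxes, continued browsing, consent as a precondition of service), keeps each purpose as a separate unbundled record, supports withdrawal, and lists which contacts in a mailing database would need a repermission campaign. The class and method names, the method and purpose strings, and the sample subject ids are assumptions.

```python
"""Consent ledger (added example; names and sample values are constructed)."""
from __future__ import annotations

from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from typing import Optional

# Only an affirmative act by the user counts as consent (hypothetical labels).
VALID_METHODS = {"checkbox_ticked", "double_opt_in_email", "signed_form"}
# Patterns the GDPR (Recital 32) rules out: not valid consent, never recorded.
INVALID_METHODS = {"pre_ticked_box", "continued_browsing", "precondition_of_service"}


@dataclass
class ConsentRecord:
    subject_id: str                      # the data subject who gave consent
    purpose: str                         # what they consented to (one purpose per record)
    method: str                          # how they consented
    given_at: datetime                   # date and time stamp of the consent
    withdrawn_at: Optional[datetime] = None


def _now() -> datetime:
    return datetime.now(timezone.utc)


class ConsentLedger:
    def __init__(self) -> None:
        self._records: list[ConsentRecord] = []

    def record_consent(self, subject_id: str, purpose: str, method: str,
                       when: Optional[datetime] = None) -> ConsentRecord:
        """Store one unbundled consent; reject anything that is not an affirmative act."""
        if method in INVALID_METHODS or method not in VALID_METHODS:
            raise ValueError(f"{method!r} is not a valid affirmative consent method")
        rec = ConsentRecord(subject_id, purpose, method, when or _now())
        self._records.append(rec)
        return rec

    def withdraw(self, subject_id: str, purpose: str,
                 when: Optional[datetime] = None) -> int:
        """Mark every active consent of the subject for this purpose as withdrawn."""
        stamp = when or _now()
        count = 0
        for rec in self._records:
            if (rec.subject_id, rec.purpose) == (subject_id, purpose) and rec.withdrawn_at is None:
                rec.withdrawn_at = stamp
                count += 1
        return count

    def has_consent(self, subject_id: str, purpose: str) -> bool:
        """True only if there is a recorded, not-withdrawn consent for this purpose."""
        return any(rec.subject_id == subject_id and rec.purpose == purpose
                   and rec.withdrawn_at is None for rec in self._records)

    def repermission_candidates(self, contacts: list[str], purpose: str) -> list[str]:
        """Contacts for whom no valid consent can be proven: targets for a repermission mail."""
        return [c for c in contacts if not self.has_consent(c, purpose)]

    def proof_of_consent(self, subject_id: str) -> list[dict]:
        """Audit export: the subject's full consent history, including withdrawals."""
        return [asdict(rec) for rec in self._records if rec.subject_id == subject_id]
```

Because each record carries a single purpose, agreeing to the Terms and Conditions and opting in to the newsletter are stored as two separate records, which is what unbundled consent means in practice.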

Data Protection Impact Assessments

It will be a rare occasion that a Data Protection Impact Assessment (DPIA) is necessary for a small business, but it's advisable to know when this step is required.

A DPIA is simply a process for identifying and mitigating potential data security risks in certain situations.

The GDPR requires a DPIA before any data processing occurs if the data processing involved is likely to result in a high risk to the rights and freedoms of individuals.

These are situations in which a DPIA would be required:

  • Large-scale automated decision-making or profiling based on user data
  • Data processing that involves sensitive categories of information such as ethnicity, religion, sexual orientation, criminal records, etc.
  • Any large-scale systematic monitoring of a public area

Update your Privacy Policy

When it comes to your Privacy Policy, the GDPR has some requirements that may mean your Policy will need some changes:

  1. Clear, plain language: The Privacy Policy must be written in clear language that's easy to understand, and it must be made easily accessible to anyone who comes into contact with your online business.

    Google's simple, clearly written Privacy Policy with concise lists, visuals and short sentences demonstrates this idea. The Policy is linked in the footer of every single Google search page:

    Screenshot of excerpt from Google Privacy Policy: What types of data is collected clause

  2. Legal basis: The Privacy Policy must state your legal basis for processing consumer data. The Microsoft Privacy Statement is a good example of this section:

    Microsoft Privacy Statement: Excerpt of clause for legal bases - GDPR

  3. Contact information: List your business contact information as well as that of your Data Protection Officer (DPO), if applicable.

    Yelp keeps its contact section short and simple:

    Yelp Privacy Policy: Contact clause for data privacy manager

    If your business does require the appointment of a DPO, make sure that the contact information for this person is included within the Privacy Policy.

    Here's how Microsoft does this:

    Microsoft Privacy Statement: Excerpt of clause for legal bases - GDPR

  4. International transfers: If it is ever necessary to transfer EU user data across international borders, such as when sending data to a third-party processor located in another country, you will need to take some precautions to ensure that all international data transfers are GDPR compliant.

    Here's Google's international transfer clause:

    Google Data Transfer Frameworks: Privacy Shield Frameworks clause

    Here's how Facebook addresses international data transfers in a Privacy Policy clause:

    Facebook Data Policy: International Data Transfer clause

  5. EU consumer rights: Your Privacy Policy must mention the specific rights granted to EU-based consumers under the GDPR.

    These include the following:

    • The right of access - the right to know if their data is being processed and the right of every user to easily access their own personal data.
    • The right to be informed - consumers must be informed of how their data is to be used, who it will be shared with, and why.
    • The right to rectification - the right to be informed of incorrect data on record and the ability to revise or make changes to one's own data.
    • The right to erasure - any consumer who wishes to have all of their data completely erased from record has the right to make this request free of charge.
    • The right to restrict processing - the right to limit or restrict which personal data is processed and how.
    • The right to data portability - companies must uphold any consumer's request to transfer all personal data on record to another company or entity.
    • The right to object - consumers may object to the collection or processing of their data at any time.
    • The right not to be subject to a decision based solely on automated processing - users may object to being included in automated decision-making or profiling based on their personal data.
    • If a European resident ever feels that their privacy rights are not being upheld, they may report privacy infringements to their local EU supervisory authority.

    Although this may seem like a weighty clause to include in your Privacy Policy, it doesn't have to be as detailed as you may think. Many companies find ways to condense it into a digestible clause, such as this version by DKNY:

    DKNY EU Privacy Policy: Your Rights clause - GDPR

How to create a GDPR Privacy Policy

FreePrivacyPolicy: Privacy Policy Generator - Steps How to Create Privacy Policy

Our Privacy Policy Generator helps you create a custom Privacy Policy for your website and mobile app. Just follow these few simple steps and your Privacy Policy will be ready to display.

  1. Start the Free Privacy Policy Generator, located at the top of the website.
  2. Select where your Privacy Policy will be used:

    FreePrivacyPolicy: Privacy Policy Generator - Select where your Privacy Policy will be used - Step 1

  3. Answer a few questions about your business:

    FreePrivacyPolicy: Privacy Policy Generator - Answer a few questions about your business - Step 2

  4. Add your website or app information:

    FreePrivacyPolicy: Privacy Policy Generator - Add your website or app information - Step 3

  5. Answer a few questions about what information you collect from your users:

    FreePrivacyPolicy: Privacy Policy Generator - What information you collect - Step 4

  6. Select options for how your users can contact you:

    FreePrivacyPolicy: Privacy Policy Generator - How your users can contact - Step 5

  7. Select whether or not you wish to create a Professional Privacy Policy that would include wording for GDPR and CalOPPA:

    FreePrivacyPolicy: Privacy Policy Generator - Select what Privacy Policy you want to create - Step 6

  8. Enter the email address where you'd like your new Privacy Policy sent:

    FreePrivacyPolicy: Privacy Policy Generator - Enter your email address - Step 7

  9. Click Create Privacy Policy and you're done. Now you can copy and paste your Privacy Policy code into your website, or link to your hosted Privacy Policy.

    FreePrivacyPolicy: Privacy Policy Generator - Copy or link to your hosted Privacy Policy - Step 8


Examples of GDPR Privacy Policies

When writing your Privacy Policy, there are several questions you should keep in mind:

  • What personal information will you be collecting? (Email addresses, IP addresses, first and last names, billing information, etc.)
  • Who will be collecting this information? (Specified data collectors, such as you and/or your company)
  • Why is the information being collected? (For marketing, access to services, internal business purposes, etc.)
  • How is the data being stored, and how long is it kept for? (Such as on a network or server database)
  • Is it being shared with any other organization? (Parent companies, subsidiaries, third-party services or any affiliates?)
  • How can users access their personal data? (In the event where they need to update, correct or delete any of this information)
  • How can users easily limit or opt-out of handing over this information?
  • Do any of the intended uses of the data have the potential to cause harm or damage to the individual?

By tailoring your Privacy Policy around answering these questions, you should be able to protect both your company and your consumers.

Here are some company websites with great Privacy Policies that have been written in compliance with the GDPR.

Slack's Privacy Policy effectively details the different types of information it collects from users of its virtual workspace and how that information is received (whether it's collected by Slack or provided by the users).

Slack Privacy Policy: Information We Collect and Receive clause

Trello's Privacy Policy states how it collects information from its users.

Trello Privacy Policy: Information you provide to us clause

Google's Privacy Policy informs users about how they can adjust privacy settings and controls quickly and easily at any time.

Google Privacy Policy: Your Privacy Controls and choices clause

The New York Times' Privacy Policy lists its different purposes for collecting user data and includes what the legitimate interest for doing so is:

The New York Times Privacy Policy: What do we do with the personal information we collect about you clause

Here's how the Unison UK Privacy Policy includes a clause about data subject rights under the GDPR:

Unison UK Privacy Policy: Clause for rights of data subjects under the GDPR

You don't need to create such a long clause to address user rights, so long as you do mention them and let your users know how to go about exercising them (such as by contacting you).

Here's how Sotheby's addresses user rights in a shorter clause:

Sotheby's Privacy Policy data subject Rights clause for GDPR compliance

Conclusion

As a business owner, the GDPR will apply to you if you collect or use personal data from residents of any member state within the European Union, regardless of where you're personally doing business from.

To comply with the GDPR you'll need to:

  • Assess the procedures currently in place within your company regarding the collecting of personal data.
  • Be aware of whether you're a data controller, data processor or both, and what responsibilities come with each role.
  • Determine whether or not you need a Data Protection Officer.
  • Conduct a Data Protection Impact Assessment if required.
  • Obtain valid consent and keep proper records of it.
  • Update your Privacy Policy language and content.