28 January 2020
The EU's General Data Protection Regulation (GDPR) had online businesses the world over scrambling to comply before it came into full effect on 25 May 2018, and for good reason.
The fines for GDPR infringement can be crippling, and data subjects have the right to lodge complaints about such infringements directly with a GDPR supervisory authority.
Will your data processing protocols hold up to the scrutiny?
Here are a number of things you should know and do in order to first and foremost avoid complaints, and handle them successfully if you do end up receiving any.
For companies that process massive amounts of personal information, like international banks or large-scale social networks, complying with the GDPR will be a long and intensive process.
For the average online business, however, it can be boiled down to the following major components:
Those who do not comply with the GDPR face hefty fines. In the most extreme cases, such as a data breach that affects multiple EU users and results from noncompliance, a fine of up to €20 million or 4% of annual global turnover, whichever is higher, can be applied. Most major governments, such as those of the United States and Canada, have expressed an intention to uphold and aid in the enforcement of these regulations.
The GDPR makes the process for consumers to file complaints about privacy issues very simple. In fact, they will even have several avenues through which to do so.
Any EU consumers who feel that their privacy has been compromised or infringed upon may take any of the following courses of action:
If the complaint is filed via any of the first three methods listed above, the decision and any penalties are decided solely by the appropriate authority. The affected parties should be informed of the progress or outcome within three months' time.
If the accused business is found at fault, there are several potential consequences.
For very small infractions, the business may simply be required to remedy the problem or noncompliant practices.
For large-scale infractions or major privacy breaches that could have been avoided, the business may incur enormous fines and legal fees.
As EU consumers become acquainted with the new laws under the GDPR, the complaints are bound to come rolling in. Not only will users become more aware of their privacy rights, but they may also recognize the potential for monetary gain if their rights are compromised.
Complaints will happen, so it's best to be prepared with a decided course of action when they do.
First, it is ideal if complaints come directly to your business before the problem escalates to a supervisory authority. In this way, you are made aware of any flaws in your privacy practices and can correct them immediately. Ideally, the relationship with the user can be mended and their privacy concerns allayed without any litigation.
Make this process easy for your customers by laying out a simple and dedicated contact method for privacy complaints. If your business employs a Data Protection Officer (DPO), this would be the ideal person to handle such complaints. Make the contact details for this person easy to access throughout your website or mobile application.
For example, BASF offers a dedicated web form on a separate page for contacting their DPO:
Whether the complaint is made directly to your business or is submitted to a legal authority, make sure to cover all your bases with a thorough internal investigation. Even a seemingly frivolous complaint could be made much worse if it appears that your company did not make any attempt to resolve the problem.
Treat all complaints with the same process of investigation. Investigate each complaint you receive and, especially in the case of high-risk accusations that involve the data of multiple persons, record evidence.
Whether the problem occurred due to staff oversight, noncompliance with the GDPR, a system failure, or the wild imagination of an accuser, your best defense is a thorough investigation and documentation of the incident.
Next, do your best to remedy the problem as soon as possible. This may be a simple case of explaining what went wrong and mending your relationship with the consumer, or it may require a change of protocol, programming, or third-party software provider.
In the case of litigation, you'll want to show proof that you took immediate action to solve the problem.
When it comes to legal matters, prevention is always the best policy. Performing a GDPR risk assessment goes a long way toward preventing privacy complaints before they ever happen.
Here are a few procedures that can save you quite a few headaches later on:
Perform a full data inventory to confirm the legality of the personal data you have on file.
Identify any EU users and ensure that you can document a lawful basis for every category of information you hold about them. Consent is the basis this article focuses on, but it is not the only one the GDPR recognizes (performance of a contract, a legal obligation and legitimate interests are others); where you rely on consent, you must be able to produce a valid record of that express consent. This includes information that you collected via cookies, such as IP addresses or geolocation data.
If you cannot produce a valid record of consent, you will either need to repermission the user (provided they have not unsubscribed from receiving your communications) or delete their data from your database.
The GDPR's data minimisation principle also directs that a business should hold only the personal data that is adequate, relevant and limited to what is necessary for the purposes it was collected for. If you have collected data that was unnecessary to your services, such as browser tracking data or unneeded geolocation information, it is in your best interest to delete it.
Even if your business already applies strong security controls to user data, it's a good idea to perform a security assessment with the GDPR specifically in mind.
Here are a few things to double-check:
Review which staff members access and process the personal data of end users.
You'll need to consider the following:
Are your user consent methods compliant with the GDPR?
Review how your system collects user data for the following:
If any of the above methods are not compliant with the GDPR, that is to say, if the data you hold was not collected using clear, unambiguous, freely given consent practices, then you have no lawful basis for holding that data and the processing is unlawful.
This cookie banner from Evidon includes a summary of how cookies are used, as well as links to the Cookies Policy and an opt-out tool. In addition, the "Accept" button ensures that consent is given by a clear and unambiguous action:
For marketing communications, the consent request should be clear and easily distinguishable from the elements around it.
Take this example from Burberry:
It's important to note that the checkbox is not pre-ticked. In order to provide consent, the visitor must make the express decision to manually tick the checkbox.
As for personalized internet advertising, since it depends on cookies or other tracking technology to function, it also needs to be addressed within the GDPR or cookie banner.
Here's how ITTrust has incorporated this into their cookies notice by mentioning advertising:
Once you have completed an assessment of your consent practices, you can correct any noncompliant methods that are still in use.
In addition, any personal information that you have gathered from EU consumers using noncompliant practices will need to be repermissioned or deleted.
Here's an example of a repermission campaign email sent out by World Nomads in order to get definite and clear opt-in consent. If you can't prove that GDPR-compliant consent was given for each email address from an EU user, you will need to do something similar or delete the data as noted above.
Remember, you must be able to prove a clear record of valid consent for any information you hold on EU consumers.
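The consent audit described above (check each EU user for a provable, current consent record, then repermission those you can still contact and delete the rest) is easy to get wrong in practice. The following is an added Python example, not code from the original article or from any of the companies it cites. It keeps a small constructed consent ledger, treats a record as valid only if it came from an affirmative act that was not a pre-ticked box (the point made earlier about the Burberry form), has not been withdrawn, and is tied to a specific notice version, and then partitions subjects into "valid", "repermission" and "delete". The record fields, user ids, dates and method names are invented for the example; the one real detail it relies on is that browsers omit an unticked checkbox from a form submission and send the value "on" for a ticked one that has no explicit value attribute.

```python
"""Consent-ledger audit (constructed example, not the article's own code)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Iterable, List, Optional, Set

# Capture methods that count as an affirmative act. Anything else
# (e.g. "preticked_box", "implied_by_browsing") is rejected by the audit.
AFFIRMATIVE_METHODS = {"ticked_checkbox", "clicked_accept", "double_opt_in_email"}


@dataclass(frozen=True)
class ConsentRecord:
    subject_id: str                 # hypothetical internal user id
    purpose: str                    # e.g. "marketing_email", "analytics_cookies"
    granted_at: datetime
    method: str                     # how consent was captured (see AFFIRMATIVE_METHODS)
    notice_version: str             # privacy notice the subject was shown at the time
    withdrawn_at: Optional[datetime] = None


def parse_form_consent(form: Dict[str, str], name: str = "marketing_consent") -> bool:
    """Server-side reading of a consent checkbox.

    Browsers submit a checkbox field only when it is ticked, so a missing
    field means 'no consent'. Never default to True, and never accept a
    value other than the one the form actually sends ("on").
    """
    return form.get(name) == "on"


def is_valid_consent(rec: ConsentRecord, now: datetime) -> bool:
    """Valid = affirmative act, tied to a notice version, granted in the past
    and not withdrawn as of `now`."""
    if rec.method not in AFFIRMATIVE_METHODS:
        return False
    if not rec.notice_version:
        return False
    if rec.withdrawn_at is not None and rec.withdrawn_at <= now:
        return False
    return rec.granted_at <= now


def latest_record(ledger: Iterable[ConsentRecord], subject_id: str,
                  purpose: str) -> Optional[ConsentRecord]:
    """Most recent ledger entry for one subject and purpose, if any."""
    matches = [r for r in ledger if r.subject_id == subject_id and r.purpose == purpose]
    return max(matches, key=lambda r: r.granted_at) if matches else None


def audit_consent(subjects: Set[str], ledger: Iterable[ConsentRecord], purpose: str,
                  unsubscribed: Set[str], now: datetime) -> Dict[str, List[str]]:
    """Sort every subject whose data is held for `purpose` into:
       valid        - a provable, current consent record exists
       repermission - no valid record, but the subject may still be contacted
       delete       - no valid record and the subject has unsubscribed
    """
    result: Dict[str, List[str]] = {"valid": [], "repermission": [], "delete": []}
    ledger = list(ledger)
    for sid in sorted(subjects):
        rec = latest_record(ledger, sid, purpose)
        if rec is not None and is_valid_consent(rec, now):
            result["valid"].append(sid)
        elif sid in unsubscribed:
            result["delete"].append(sid)
        else:
            result["repermission"].append(sid)
    return result


# Constructed sample data: ids, dates and notice versions are invented.
UTC = timezone.utc
NOW = datetime(2020, 1, 28, tzinfo=UTC)
LEDGER = [
    ConsentRecord("u1", "marketing_email", datetime(2018, 6, 1, tzinfo=UTC), "ticked_checkbox", "v2.0"),
    ConsentRecord("u2", "marketing_email", datetime(2017, 3, 5, tzinfo=UTC), "preticked_box", "v1.0"),
    ConsentRecord("u3", "marketing_email", datetime(2018, 7, 1, tzinfo=UTC), "clicked_accept", "v2.0",
                  withdrawn_at=datetime(2019, 2, 1, tzinfo=UTC)),
    # u4 has data on file but no consent record at all
]
SUBJECTS = {"u1", "u2", "u3", "u4"}
UNSUBSCRIBED = {"u3"}

if __name__ == "__main__":
    print(audit_consent(SUBJECTS, LEDGER, "marketing_email", UNSUBSCRIBED, NOW))
```

Run as-is, the sample puts u1 in "valid", u2 (pre-ticked box) and u4 (no record) in "repermission", and u3 (withdrawn and unsubscribed) in "delete". The same structure extends to other purposes such as analytics cookies by keeping one record per purpose rather than one blanket consent per user.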
Under the GDPR, EU consumers are granted various unequivocal rights in regard to their own personal information.
These rights are as follows:
Make sure your business is prepared to meet these requirements and comply with the requests of consumers according to their respective rights. You also need to inform users of these rights and how you honor them.
Here, Twitter has separate clauses in a section called "Managing Your Personal Information With Us." Each clause includes instructions for how users can manage their information, along with links to other relevant pages and instructions.
In this way, users will be able to know their rights and be able to exercise them easily.
Although these requirements will not apply to all businesses, it's a good idea to check in order to ensure full compliance:
Here are a few tips:
MailChimp provides a dedicated contact form, postal mailing addresses and email addresses for consumers to address their privacy concerns. Contact information is provided for both EEA residents and non-EEA residents:
Some companies even list their privacy contacts in the footer of every web page, just to make sure users will see them.
Don't leave anything out. This will be a point of reference for any future investigations into your use of user data.
A few other things you must be sure to cover in the policy to minimize risk of privacy complaints include:
The GDPR reiterates that Privacy Policies should be easy to understand and written in clear, simple language.
This does not mean that you should oversimplify, however. Be as detailed as possible when it comes to listing out every type of data you collect, but there are ways to keep it concise and easy-to-follow.
First, Google provides an informative yet short video that helps describe the types of information that it collects.
Facebook achieves the same purpose using a technique called layering.
In the above example, a visitor can click on any of the sections to expand it, like so:
Some websites request consent as soon as a visitor arrives, within the initial GDPR or cookie banner.
Note that all of the above consent practices require the visitor to click a button or tick a checkbox. The user must take a clear, affirmative action to give consent. Pre-ticked checkboxes, continued browsing, scrolling past a banner or any other assumed or implied consent will not be considered valid under the GDPR.
By following all of the above recommendations, your business can reduce and hopefully prevent the risk of privacy complaints and litigation in the future. The nature of privacy and data usage on the internet is changing. It's crucially important for your business to stay ahead of the game and stay compliant.