Protecting Your Online Business from GDPR Privacy Complaints

The EU's General Data Protection Regulation (GDPR) has had online businesses the world over scrambling to comply before it came into full effect on May, 25th 2018, and for good reason.

The fines associated with GDPR infringement could be crippling, and end users will have the right to report such infringements directly to GDPR supervisory authorities.

Will your data processing protocols hold up to the scrutiny?

Here are a number of things you should know and do in order to first and foremost avoid complaints, and handle them successfully if you do end up receiving any.

Basic Requirements of the GDPR

For companies that process massive amounts of personal information, like international banks or large-scale social networks, complying with the GDPR will be a long and intensive process.

For the average online business, however; it can be boiled down to the following major components:

• Transparency: All of your data processing methods, including how and why you collect personal data from users, must be clearly stated in a public Privacy Policy using plain language. Changes to data processing protocols, as well as any data breach, must be communicated to those affected in a timely manner.
• Consent: No personal information, be it identifying or anonymous, may be collected from any EU resident without first obtaining the express, clear consent of the end user. This includes data collected via cookies.
• Privacy by Design: The protection and security of user data should be an integral component of any online infrastructure. The design and functionality of your data collection, processing, and recording should be centered around privacy and security.
• Accessibility: EU-based consumers must be given simple methods in which to request, access, edit, or delete the personal data that you hold about them.

Consequences of Non-compliance

Those who do not comply with the GDPR will face hefty fines. In the most extreme cases, such as a data breach that affects multiple EU users and results due to noncompliance, a fine of up to €20 million or 4% of annual global turnover could be applied. Most major governments, such as those of the United States and Canada, have expressed an intention to uphold and aid in the enforcement of these regulations.

The Complaint Process

The GDPR makes the process for consumers to file complaints about privacy issues very simple. In fact, they will even have several avenues through which to do so.

Any EU consumers who feel that their privacy has been compromised or infringed upon may take any of the following courses of action:

1. Report the complaint to the supervisory authority in their EU member state.
2. Report the complaint to the judicial court system to seek monetary compensation.
3. Both of the above methods could be used simultaneously, in which case the accused business may face both a fine for GDPR infringement and monetary compensation to the individual filing the complaint.
4. Report the complaint directly to the data protection officer of the business they are filing a complaint against.

If the complaint is filed via any of the first three methods listed above, the decision and potential penalties will be decided solely by the appropriate authorities. The affected parties would be informed of the final decision within three months time.

If the accused business is found at fault, there are several potential consequences.

For very small infractions, the business may simply be required to remedy the problem or noncompliant practices.

For large-scale infractions or major privacy breaches that could have been avoided, the business may incur enormous fines and legal fees.

How to Approach Privacy Complaints

As EU consumers become acquainted with the new laws under the GDPR, the complaints are bound to come rolling in. Not only will users become more aware of their privacy rights, but they may also recognize the potential for monetary gain if their rights are compromised.

Complaints will happen, so it's best to be prepared with a decided course of action when they do.

Contact Methods

First, it is ideal if the complaints come directly to your business before the problem should escalate to legal authorities. In this way, you will be made aware of any potential flaws in your privacy practices and can correct them immediately. Ideally, the relationship with the user can be mended and their privacy concerns allayed without the need to go through any legal litigation.

Make this process easy for your customers by laying out a simple and dedicated contact method for privacy complaints. If your business employs a Data Protection Officer (DPO), this would be the ideal person to handle such complaints. Make the contact details for this person easy to access throughout your website or mobile application.

For example, BASF offers a dedicated web form on a separate page for contacting their DPO:

If the business does not have a DPO, the same solution applies by creating a department for privacy complaints. Create a dedicated email and phone number for users to contact you regarding their privacy concerns and post it prominently throughout your platform, especially within the Privacy Policy.

Asana's Privacy Policy contains the paragraph below that provides both a mailing address and dedicated email address for privacy questions.

Addressing Complaints

Whether the complaint is made directly to your business or is submitted to a legal authority, make sure to cover all your bases with a thorough internal investigation. Even a seemingly frivolous complaint could be made much worse if it appears that your company did not make any attempt to resolve the problem.

Treat all complaints with the same process of investigation. Investigate each complaint you receive and, especially in the case of high-risk accusations that involve the data of multiple persons, record evidence.

Whether the problem occurred due to staff oversight, noncompliance with the GDPR, a system failure, or the wild imagination of an accuser, your best defense is a thorough investigation and documentation of the incident.

Next, do your best to remedy the problem as soon as possible. This may be a simple case of explaining what went wrong and mending your relationship with the consumer, or it may require a change of protocol, programming, or third-party software provider.

In the case of litigation, you'll want to show proof that you took immediate action to solve the problem.

Preventative Risk Management

When it comes to legal matters, prevention is always the best policy. Performing a GDPR risk assessment could go a long way to prevent privacy complaints before they ever happen.

Here are a few procedures that can save you quite a few headaches later on:

Data Assessment

Perform a full data inventory to confirm the legality of the personal data you have on file.

Identify any EU users and assure that you can provide a valid record of their express consent for all the information you hold about them. This includes information that you collected via cookies, such as IP addresses or geolocation data.

If you cannot provide a valid record of consent, you will either need to repermission the user (provided they have not unsubscribed from receiving your communications), or delete them from your database.

Another GDPR statute directs that no business should hold information about a consumer that is not strictly necessary to providing services. If you have collected data that was unnecessary to your services, such as browser tracking data or unnecessary geolocation information, it may be in your best interest to delete it.

Security Assessment

Although most online businesses are already maintaining tight security with user data by default, it's not a bad idea to perform a security assessment with the GDPR in mind.

Here are a few things to double-check:

• Is consumer personal data well protected, encrypted, and anonymonized?
• Do you have a system in place to maintain all security software with the latest technology and updates?
• Do you have a protocol for dealing with data breaches or hacks? Remember, a data breach that concerns the personal data of EU residents must be reported within 72 hours of discovery.

Staff Assessment

Review which staff members access and process the personal data of end users.

You'll need to consider the following:

• Is every employee with access to user data trained in GDPR regulation and protocols regarding the collection, processing, and recording of personal information?
• Is each staff member well-versed in security protocols and safeguards with regard to personal data?
• Is there a potential to reduce the number of people who process the personal data of end users within your organization?

Consent Assessment

Are your user consent methods compliant with the GDPR?

Review how your system collects user data for the following:

• Usage and placement of cookies
• Consent for Privacy Policy
• Marketing communications
• Personalized ads

If any of the above methods are not compliant with the GDPR - that is to say, if the data you hold was not collected using clear, unambiguous, freely-given consent practices - then the information you hold will not be considered legal.

For example, a compliant cookies banner will need to include an explanation for your use of cookies as well as a button or checkbox that allows users to click to accept cookies. Otherwise, any information collected via cookies will not be considered valid.

This cookies banner from Evidon includes a summary of how cookies are used, as well as links to the Cookies Policy and an opt-out tool. Aside from that, the "Accept" button assures an action of unambiguous and clear consent.:

Consent for your Privacy Policy should be obtained as soon as possible after a visitor accesses your website or mobile application. This may be achieved within the cookies or GDPR banner, or within any initial registration forms.

Slack's mobile app requests consent for the Privacy Policy before a user may register for the service:

For marketing communications, the consent request should be clear and easily distinguishable from the elements around it.

Take this example from Burberry:

It's important to note is that the checkbox is not pre-ticked. In order to provide consent, the visitor must make the express decision to manually tick the checkbox.

As for personalized internet advertising, since this technology requires cookies or tracking technology to function, it will need to be addressed within the GDPR or cookies banner.

Here's how ITTrust has incorporated this into their cookies notice by mentioning advertising:

Once you have completed an assessment of your consent practices, you can correct any noncompliant methods that are still in use.

In addition, any personal information that you have gathered from EU consumers using noncompliant practices will need to be repermissioned or deleted.

Here's an example of a repermission campaign email sent out by World Nomads in order to get definite and clear opt-in consent. If you can't prove that GDPR-compliant consent was given for each email address from an EU user, you will need to do something similar or delete the data as noted above.

Remember, you must be able to prove a clear record of valid consent for any information you hold on EU consumers.

Consumer Rights Assessment

Under the GDPR, EU consumers are granted various unequivocal rights in regard to their own personal information.

These rights are as follows:

• The right to request a detailed digital copy of all personal information that is held about them by any company
• The right for users to easily access and change their personal information
• The right to be completely erased from record at the user's request

Make sure your business is prepared to meet these requirements and comply with the requests of consumers according to their respective rights. You also need to inform users of these rights and how you honor them.

In general, you can take care of these requirements with clauses in your Privacy Policy, such as these from Twitter:

Here, Twitter has separate clauses in a section called "Managing Your Personal Information With Us." Each of the clauses include instructions for how users can manage their information along with links to other relevant pages and instructions.

In this way, users will be able to know their rights and be able to exercise them easily.

Assessing Other Potential Risks

Although these requirements will not apply to all businesses, it's a good idea to check in order to ensure full compliance:

• Cross-Border Processing - If for any reason you need to transfer EU user data across international borders, you'll need to make sure the process follows a strict set of protocols laid out by the GDPR. For example, an international data transfer must abide by standard contractual clauses or binding corporate rules (BCRs).
• Data Protection Officers (DPOs) - Some companies will be required to employ a Data Protection Officer to oversee privacy and GDPR compliance. Read these guidelines to find out if your business needs a dedicated DPO.
• Data Protection Impact Assessments (DPIA) - When a business proposes a new venture that could put large amounts of EU user personal data at risk, a DPIA will be required before the venture takes place. Read more here.

Using Your Privacy Policy as a Risk Mitigation Tool

When it comes to risk mitigation for privacy matters, your Privacy Policy will become both your best form of prevention and line of defense. It will also be the first thing a supervisory authority looks at in the case of a privacy complaint, so try to make your Privacy Policy as transparent and compliant as possible.

Here are a few tips:

Make Open Communication a Priority

You'll want privacy complaints to come to you first, so make it easy for users to get in contact. If you employ a DPO, list this individual's contact details within your Privacy Policy. If you don't have a DPO, make sure you still have an easy-to-find contact method in place for privacy questions and concerns.

MailChimp provides a dedicated contact form, postal mailing addresses and email addresses for consumers to address their privacy concerns. Contact information is provided for both EEA residents and non-EEA residents:

Some companies even list their privacy contacts in the footer of every web page, just to make sure users will see them.

Be Detailed

As you know, every Privacy Policy should include an "Information We Collect" clause that lays out every single type of information that you collect from visitors, how you collect that information, and how you use it.

Don't leave anything out. This will be a point of reference for any future investigations into your use of user data.

A few other things you must be sure to cover in the policy to minimize risk of privacy complaints include:

• A cookies section that lists out what kinds of cookies you use and why
• Third-party sharing information that specifies why you share user information and with whom
• User rights section that explains the rights each user has regarding their own personal data, how to access their personal data, and how to edit or delete it
• An "opt-out" clause that lists the different ways you implement user data for marketing purposes - such as personalized online advertising or marketing emails - as well as how to opt-out of each one. Depending on your business, you may need to provide interfaces or links for users to opt-out of cookies, personalized ads, and marketing communications.

Keep it Simple and Transparent

The GDPR reiterates that Privacy Policies should be easy to understand and written in clear, simple language.

This does not mean that you should oversimplify, however. Be as detailed as possible when it comes to listing out every type of data you collect, but there are ways to keep it concise and easy-to-follow.

Here are a few examples from Google's Privacy Policy.

First, Google provides an informative yet short video that helps describe the types of information that it collects.

The heading of this section reads, "We want you to understand the types of information we collect as you use our services." This shows Google's efforts at making a simple, understandable Privacy Policy:

Google has linked some phrases and terms throughout the text that, when clicked, open small pop-up notices that offer alternative or illustrative explanations of each section of the Privacy Policy:

Facebook achieves the same purpose using a technique called layering.

Layering is a way of summarizing the Privacy Policy into short, easy-to-understand sections that may be expanded upon click if a visitor wants to find out more about any one topic. In this way, you can layer a great many details into a smaller, more presentable package:

In the above example, a visitor can click on any of the sections to expand it, like so:

By building a thorough, detailed Privacy Policy in a clear, understandable package, it is less likely that users will accuse you of compromising their privacy. Even if they do, a court official or supervisory authority that assesses your Privacy Policy will see that you have maintained honesty and transparency with your consumers.

Access and Consent to Privacy Policy

Once your Privacy Policy is iron-clad, make sure visitors are seeing and consenting to it.

First, it should be highly visible on your website or mobile application. Links to the Privacy Policy should appear on every page of a website, on several if not all interfaces of a mobile app, and within any type of webform.

PayPal, like most websites, includes a link to the Privacy Policy within the footer of every page.

The Paypal mobile app contains links to the Privacy Policy from within its settings menu.

You'll also find legal agreement links in the registration form.The registration form includes both a link to the Privacy Policy as well as a checkbox for users to click to consent to it.

Consent to the Privacy Policy is paramount.

Once users have actively consented to your Privacy Policy, they would be hard-pressed to successfully lodge a legal complaint about its contents.

Some websites request consent upon navigation to their website within the initial GDPR or cookies banner.

Once again, Google provides a great example. Their ultra-thorough GDPR notice pops up upon navigation to the homepage, prompting EU visitors to actively agree to Google's Privacy Policy and data usage before continuing.

It is also absolutely necessary to request consent to the Privacy Policy within any type of registration or contact form, as well as any other interface that is used to collect personal data from consumers.

Adobe asks users to consent to the Privacy Policy before registering to use their services.

Note that all of the above consent practices require the visitor to click a button or tick a checkbox. The user must take a clear, decisive action to give consent. No pre-ticked checkboxes or assumed consent methods will be considered valid under the GDPR.

By following all of the above recommendations, your business can reduce and hopefully prevent risks of privacy complaints and litigation in the future. The nature of privacy and data usage on the internet are changing. It's crucially important for your business to stay ahead of the game and stay compliant.