GDPR Compliance for Businesses

Starting from May 25, all companies must comply with the GDPR, the new data protection law in force across the EU.

Hold on a minute! What does GDPR mean?

GDPR stands for “General Data Protection Regulation” (Regulation No. 679/2016) and must be adhered to by all companies that process sensitive data of EU citizens, in order to protect their personal information.

DON’T WORRY, YOU’RE NOT ALONE IN THIS!

In fact, only 9% of companies are ready for this JUMP!

When does it come into effect?

The GDPR was adopted by the European Parliament in April 2016 but will become enforceable starting from May 25, 2018.

The Regulation integrates with the Cookie Law, which requires websites and blogs that collect sensitive user data to obtain consent for browsing by presenting a very brief, though annoying, pop-up on EVERY PAGE of the site (the little yellow banner that appeared on the site, to be clear!).

GDPR violations can result in an initial warning, targeted and periodic checks, and fines of up to 20 million euros or 4% of global turnover, whichever is higher.

What are sensitive data?

Any information that identifies a user or makes them identifiable.

  • Personal data: name, physical or physiological characteristics, contact details, business name.
  • Genetic data: inherited or acquired, obtained through DNA and RNA analysis from a biological sample of the individual in question.
  • Biometric data: such as facial images, which can identify one and only one person.
  • Health data: physical and mental health, past, present or future, including information on health care services.

The principles of Privacy by Design and by Default (Article 25) require that data protection be part of the business process development for products and services.

What does GDPR require?

When requesting sensitive data through contact forms, you must provide the user with:

Informed, specific, and freely given consent:

  • Informed: The request for consent to use personal data is mandatory and must be expressly stated, informing users about the purposes of the data collection.
  • Specific and freely given: The checkbox for informed consent must have one purpose at a time.

N.B. Pre-ticked checkboxes are not valid.

  • Revocable consent: The user has the right to request the deletion of their data from the database through the “right to be forgotten.”

In these cases, the data can be:

  • Destroyed;
  • Transferred to another controller, provided it is for processing in line with the purposes for which the data was collected;
  • Retained for strictly personal use and not for systematic communication or dissemination;
  • Retained or transferred to another controller for historical, statistical, or scientific purposes, in compliance with the law, regulations, EU legislation, and ethical codes and conduct as specified in Article 12.

Documented written consent:

  • The mandatory or optional nature of data provision.
  • Cookie Law with a link to a PRIVACY POLICY (RISK CERTIFICATE) page containing a section with the contact details of the data controller for any inquiries regarding deletion and storage.
    • N.B. The cookie banner must also display a non-pre-selected checkbox to continue browsing. Pre-selected checkboxes for tacit consent are no longer valid!
  • HTTPS Certificate
  • Newsletter and Email Marketing:
    • With the update of the regulations, you will also have to say goodbye to a good portion of clients, perhaps the more inactive ones, gathered over time and on mailing lists. Consent for subscribing to the mailing list must also be documented.

To avoid heavy penalties, I strongly recommend sending an email to the contacts in your database.

What changes? Obligations, rights, and duties:

What to do to be compliant?

First, read the text of the GDPR itself, which is available online.

DRAFT A RISK CERTIFICATE specifying:

  • How long it will be stored;
  • For what purposes (it’s also valid to specify: “the collected data will be retained as long as necessary to provide the requested services”);
  • By what means (paper or digital);
  • The conditions must be explicit, legitimate, adequate, and relevant (Article 5).

CREATE A COOKIE BANNER

With the GDPR update, the user must first affirm their consent/disagreement to access the site.

PURCHASE AN HTTPS CERTIFICATE (from your provider). Based on the data collected, you will then determine the security measures to adopt:

  • Encrypt the database to obscure data so it cannot be understood by unauthorized persons.
  • Create a record of processing activities, either paper or digital, where collected data, purposes, and destinations are stored.

Who is obligated to comply?

GDPR does not distinguish between individuals and companies as it refers to the controller and therefore the person responsible for the obtained information.

  • Controllers are exempt if they process data only for “legitimate interests” related to normal business communications. N.B. Commercial communications do not fall under “legitimate interests,” so the form must be compliant. (See WordPress, Wpform, and similar plugins).
  • Web Agencies, web designers, and professionals managing websites act as external processors.
  • Those offering hosting services (ServerPlan, GoDaddy, Aruba, etc.) must protect not only you, the direct client, but also the acquired data. It will be in the interest of the data controller to inquire about data management and storage.
  • For completing a purchase, data collected on e-commerce sites may be transferred:
    • To your website;
    • To the payment gateway.
  • If your website stores these personal data, you must then delete them within a reasonable time. Additionally, storing billing data requires specific and different data processing from what is already stipulated.

How to comply and protect data?

  • Blogs with commenting options:
    • Create a checkbox for data processing consent.
    • If the user wishes to be removed from the discussion, simply make them anonymous with “Anonymous user.”
  • Social network logins:
    • Links to social networks (Facebook, Instagram, Pinterest, etc.) that collect data for access to the platform must be indicated in the privacy policy, with responsibility falling on the user accessing them.
  • Email marketing for commercial purposes to third parties:
    • Create a checkbox for data processing consent.
    • Specify if it relates to the service offered by the site.
    • If data will be shared with third parties, consent must be obtained separately with another checkbox and a distinct statement.
  • AdSense, Amazon Affiliates, and banner ads:
    • They collect data for multiple purposes, inform and obtain explicit consent before activating them.
  • WordPress, WPForm, and similar plugins:
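The consent rules above (one checkbox per purpose, no pre-ticked boxes, a separate tick for sharing with third parties, documented and revocable consent) are easy to get wrong on the server side, where a form handler often treats a missing or defaulted field as agreement. The following is an added example, not code from this article or from any plugin it mentions; the purpose names, the `consent_` field prefix and the form dictionary are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional, Tuple

# Purposes this form asks about (constructed for the example). Each gets its
# own checkbox; third-party sharing is a separate purpose, never implied by
# the newsletter consent.
PURPOSES = ("contact_reply", "newsletter", "third_party_sharing")

class ConsentError(ValueError):
    """Raised when a submission does not carry valid consent."""

@dataclass
class ConsentRecord:
    """Documented consent: who, for which purposes, under which privacy
    policy version, when it was given and (if so) when it was withdrawn."""
    email: str
    purposes: Tuple[str, ...]
    policy_version: str
    given_at: datetime
    withdrawn_at: Optional[datetime] = None

def validate_consent(form: dict, policy_version: str) -> ConsentRecord:
    """Build a ConsentRecord from the POSTed form fields (name -> value).
    A checkbox counts only if the browser sent it as "on"; a missing field
    means "not given", never a default. The server cannot tell a pre-ticked
    box from a deliberately ticked one, so the HTML must not pre-tick any."""
    if not form.get("email"):
        raise ConsentError("email missing")
    granted = []
    for key, value in form.items():
        if not key.startswith("consent_"):
            continue
        purpose = key[len("consent_"):]
        if purpose not in PURPOSES:   # reject, never silently accept
            raise ConsentError(f"unknown consent purpose: {purpose}")
        if value == "on":
            granted.append(purpose)
    # Replying to the enquiry is what the form is for, so that consent is
    # required; every other purpose is optional and independent of the rest.
    if "contact_reply" not in granted:
        raise ConsentError("consent for contact_reply is required")
    return ConsentRecord(form["email"], tuple(sorted(granted)),
                         policy_version, datetime.now(timezone.utc))

def withdraw_consent(record: ConsentRecord) -> ConsentRecord:
    """Right to be forgotten: drop every purpose and stamp the withdrawal."""
    return ConsentRecord(record.email, (), record.policy_version,
                         record.given_at, datetime.now(timezone.utc))
```

The returned record is what you keep as the documented consent; the personal data it covers is deleted or anonymised separately, according to the retention period stated in your privacy policy.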

IN SUMMARY:

Note: This article is provided for informational purposes only and does not constitute legal advice. To understand the full impact of GDPR on your website, it is advisable to seek the services of a legal professional or an independent privacy expert.
