How To Make Your Site GDPR Compliant Part 1

What is the GDPR?

The General Data Protection Regulation (GDPR) is a regulation made by the EU to protect individual rights to privacy, consent, and control over personal data.

The GDPR only allows personal data to be collected and processed under strict conditions, and it is the responsibility of the website owner, as the party handling that data, to respect the individual's right to have their personal data protected.

What is personal data under the GDPR?

Personal data is any information relating to an identified or identifiable individual: name, postal address and photos, but also online identifiers such as IP addresses and cookie IDs, and any genetic or biometric data that could be used to identify someone.

Who does the GDPR apply to?

The GDPR applies to any organisation established in the EU AND to organisations outside the EU that offer goods or services to people in the EU or monitor their behaviour (for example by tracking site visitors). So, basically, the only way to avoid the GDPR is to not own or do any business within the EU.

The regulation specifically refers to controllers and processors. Controllers carry far more obligations than processors under the GDPR.

Amongst other things, controllers are the ones who collect personal data, have a relationship with the individuals whose data they collect, and decide why and how that data is processed.

A processor handles personal data on behalf of a controller and only on the controller's documented instructions. It doesn't collect the data for its own purposes or decide how long to keep it.

An example of data controllers vs data processors is a business that uses another company, such as MailChimp, to manage its email subscriptions. Customers give the business their email address, and the business then uses MailChimp to manage those subscriptions. The business is the data controller and is therefore responsible for making sure the customers' rights are met. MailChimp is the data processor in this instance.

The GDPR requires data controllers to only use data processors that provide sufficient guarantees of GDPR compliance, and to put a written contract (a data processing agreement) in place with each of them.

Data rights listed under the GDPR

The GDPR pushes businesses to build privacy in from the start (privacy by design and by default) rather than bolting it on as an afterthought. Every process in your business should have customer privacy at the forefront.

There are a number of rights that each individual has under the GDPR, so I'm going to try and explain them here. The obligations that go with these rights largely fall on controllers, which is the category I'm assuming most of us are in.

The right to transparent communication

Basically, you need to explain clearly to your customers/clients exactly how any personal data will be used, in plain language that anyone can understand.

The right to know what personal data is being collected and by whom

Businesses are required to tell customers clearly how their personal data will be used and who will have access to it. When you collect personal data you need to provide at least the following details:

  • Your identity and contact details
  • Contact details of your data protection officer if you have one
  • The reason and legal basis for collecting and processing personal data
  • Who is processing the data
  • Who is receiving the personal data
  • Whether you will transfer the personal data to a third country or international organization, and what safeguards apply to that transfer
  • The period the data will be stored for (or the criteria used to determine that time length)
  • The customer’s right to request access, rectification or erasure of their personal data, to restrict or object to processing, to data portability, and to withdraw consent where processing is based on consent
  • The right to lodge a complaint with a supervisory authority
  • Whether or not it is necessary for the individual to give you their personal data
  • If you carry out automated decision-making, including profiling, the logic behind it and the significance and likely consequences of this processing for the individual
  • The consequences of not providing their personal data to you
  • If you intend to use the data for any other purpose, you need to provide further information on that also.

And there’s a clause in the GDPR stating that you have to provide this information (plus the source of the data) to individuals even if you obtained their personal data from another source and not directly from them.

The right to access personal data

Individuals have the right to know exactly what personal data you have about them on file. If they request this information, you must provide it to them within one month of the request.

This period can be extended by a further two months IF you have a good reason, such as a large number of requests or complex accounts. However, you still need to contact the individual concerned within the first month, explain why the response is delayed and how long the delay will be, and remind them that they have the right to complain to a supervisory authority and to seek a judicial remedy.

Customers have the right to know the following:

  • The categories of personal data collected
  • The purpose of processing that data
  • Who is receiving the data
  • The likely period the data will be stored for
  • The source of the personal data if you did not get it from the data subject
  • If you carry out automated decision-making, including profiling, the logic behind it and the significance and likely consequences of this processing for the individual

You are not allowed to charge fees for any of this, unless a request is manifestly unfounded or excessive (for example, the same request repeated over and over). In that case you may charge a reasonable administrative fee or refuse to act, but the burden is on you to demonstrate that the request was excessive.

Individuals have a right to be provided with a copy of all personal data you have on file free of charge. If they want additional copies, you can charge admin fees for this.

Right of rectification: having data corrected

Individuals have the right to have their personal data on file corrected without undue delay.

Right to be forgotten

Individuals have the right to have their data erased without undue delay if ANY of the following are true:

  • The data is no longer necessary for the original purpose it was collected
  • The user has withdrawn their consent and there is no other legal basis for the processing
  • The data is not being processed lawfully
  • The data has to be erased to comply with a legal obligation you are subject to under EU or national law

These rules don’t apply if processing of the data is necessary for the following reasons:

  • Exercising the right of freedom of expression and information
  • Where EU or national law obliges you to process (or keep) the data
  • For reasons of public interest in the area of public health
  • For archiving in the public interest, or for scientific, historical or statistical purposes, where erasure would seriously impair that work
  • For establishing or defending legal claims

Right to restriction of processing

Individuals have the right to have the use of their data restricted: for instance while you check the accuracy of data they dispute, where the processing is unlawful but they prefer restriction to erasure, where you no longer need the data but they need it for a legal claim, or while an objection they have raised is still being considered. Restricted data may be stored but not otherwise processed without their consent or another specific legal ground.

Right to know when the data has been erased or changed

You’re also required to pass any rectification, erasure or restriction on to every recipient you have disclosed the data to (your processors, for example), unless that proves impossible or involves disproportionate effort. If the individual asks, you must tell them who those recipients are.

Right to object

Individuals have the right to object to the processing of their data, and you as the controller must stop unless you can demonstrate compelling legitimate grounds that override their interests, or the processing is needed to establish or defend legal claims. An objection to direct marketing must always be honoured, with no exceptions.

The right to know when data has been hacked

Under the GDPR, individuals have the right to know when a breach of their personal data is likely to put them at high risk, so they can protect themselves.

This means that businesses have to notify the supervisory authority of a personal data breach unless it is unlikely to result in a risk to individuals, and must also notify the individuals concerned when the breach is likely to result in a high risk to their rights and freedoms, including the right to confidentiality.

A media announcement alone is not enough when individual notification is required: you need to send specific notifications to the individuals involved. A public communication is acceptable only where contacting each person would involve disproportionate effort.

What’s the time limit on reporting a breach? You must report it to the relevant supervisory authority within 72 hours of becoming aware of it, and if you take longer than 72 hours you have to give the reasons for the delay. The individuals concerned must be informed without undue delay.

What needs to be included in a breach notification?

  • The nature of the breach, including the categories of information compromised e.g., names, addresses, bank details
  • The approximate number of individuals and records affected
  • Contact details of your data protection officer or another point of contact
  • The likely consequences of the breach e.g., theft or identity fraud
  • What you’re doing to deal with the breach and to mitigate its effects on the individuals involved

Other things to note

You have the right to request information

If you have reasonable doubts that the person making a request is who they say they are, you are entitled to ask for additional information to confirm their identity. This matters because handing personal data to an impostor is itself a data breach. So, remember, you have the right to confirm identity, but ask only for what is needed to confirm it and don’t collect more personal data than the request warrants.
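Putting the access, erasure, restriction and identity-check obligations above into code, as an added example that is not from the original post. It assumes a hypothetical small shop whose customer records live in an in-memory store (constructed sample data), a one-time e-mailed token as the identity check, and a 7-year order retention period imposed by tax law (an assumption standing in for whatever legal obligation actually applies to you). Function names such as `export_personal_data` and `erase_personal_data` are mine, not any library's API.

```python
"""Data-subject-request (DSAR) helpers for a small web shop.

Added example, not code from the original post. The store is an in-memory,
constructed sample; the 7-year order retention is an assumed tax-law obligation.
"""
import calendar
import hashlib
import hmac
import secrets
from datetime import date, datetime, timedelta

# --- constructed sample data: what a small shop might hold on one customer ---------
CUSTOMERS = {"ada@example.com": {"name": "Ada Lovelace", "address": "12 Analytical St",
                                 "last_ip": "203.0.113.7"}}
ORDERS = {"ada@example.com": [{"order_id": 1001, "total": "49.00", "date": "2023-11-02"}]}
CONSENT = {"ada@example.com": {"marketing": True}}
RESTRICTED: set[str] = set()                     # subjects who asked for restriction of processing
_PENDING: dict[str, tuple[str, datetime]] = {}   # email -> (sha256 of one-time token, expiry)
ORDER_RETENTION_YEARS = 7                        # assumption: tax law forces us to keep order records

# --- identity verification before disclosing or deleting anything -------------------
def issue_verification_token(email: str, now: datetime, ttl_minutes: int = 30) -> str:
    """Return a one-time token to e-mail to the address on file; only its hash is stored."""
    token = secrets.token_urlsafe(24)
    _PENDING[email] = (hashlib.sha256(token.encode()).hexdigest(),
                       now + timedelta(minutes=ttl_minutes))
    return token

def verify_identity(email: str, token: str, now: datetime) -> bool:
    """Single attempt, single use: the stored hash is discarded whether or not it matches."""
    entry = _PENDING.pop(email, None)
    if entry is None:
        return False
    digest, expiry = entry
    return now <= expiry and hmac.compare_digest(digest, hashlib.sha256(token.encode()).hexdigest())

# --- the one-month clock (extendable by two further months, with notice) -----------
def add_months(d: date, n: int) -> date:
    """Calendar-month arithmetic that clamps to the last day of a short month."""
    idx = d.month - 1 + n
    year, month = d.year + idx // 12, idx % 12 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))

def response_deadline(received: date, extended: bool = False) -> date:
    """One month to respond; three months in total if the extension was invoked."""
    return add_months(received, 3 if extended else 1)

def can_extend(received: date, today: date) -> bool:
    """The extension and its reasons must be communicated within the initial month."""
    return today <= response_deadline(received)

# --- right of access: the data plus the context that must accompany it --------------
def export_personal_data(email: str) -> dict:
    if email not in CUSTOMERS and email not in ORDERS:
        return {}
    return {
        "personal_data": {"profile": CUSTOMERS.get(email), "orders": ORDERS.get(email, []),
                          "consent": CONSENT.get(email)},
        "purposes": {"profile": "order fulfilment", "orders": "accounting records",
                     "consent": "newsletter"},
        "recipients": ["payment processor", "e-mail service provider"],   # assumed processors
        "retention": {"profile": "until the account is deleted",
                      "orders": f"{ORDER_RETENTION_YEARS} years after the order date"},
        "source": "collected directly from the data subject",
    }

# --- right to erasure, honouring the legal-obligation exception ---------------------
def erase_personal_data(email: str) -> dict:
    """Delete everything we are free to delete; report what is kept and why."""
    report: dict = {"erased": [], "retained": {}}
    if CUSTOMERS.pop(email, None) is not None:
        report["erased"].append("profile")
    if CONSENT.pop(email, None) is not None:
        report["erased"].append("consent")
    if email in ORDERS:   # still personal data (keyed by e-mail); kept only because the law requires it
        report["retained"]["orders"] = f"legal obligation: {ORDER_RETENTION_YEARS}-year retention (assumed)"
    RESTRICTED.discard(email)
    return report

# --- right to restriction: keep the data, stop using it -----------------------------
def restrict_processing(email: str) -> None:
    RESTRICTED.add(email)

def may_process(email: str, purpose: str) -> bool:
    """While restricted only storage is allowed; marketing additionally needs consent."""
    if email in RESTRICTED:
        return purpose == "storage"
    if purpose == "marketing":
        return bool(CONSENT.get(email, {}).get("marketing"))
    return True
```

Two design points worth copying into a real implementation: the verification token is stored only as a hash and is consumed on the first attempt, so a leaked database or a guessing attacker gets nothing reusable; and erasure returns a report of what was retained and on what ground, which is exactly what you need to put in the reply to the individual.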

I help eCommerce store owners to run their stores smoothly and get more sales. Let's discuss optimizing your store! Hit me up via the support page or on Twitter @morganhvidt
