Disclaimer: This article is for informational purposes only and is not a substitute for qualified legal advice. If you are concerned that you or your business may be affected by GDPR, consult your attorney.
The world of digital business has been shifted by new legislation. As of May 25th, 2018, enforcement of the European Union’s (EU) General Data Protection Regulation (GDPR) has begun. Arguably the most sweeping and potentially punitive legislation governing the use of sensitive consumer data ever established, the GDPR is already changing how businesses worldwide use and safeguard customer information. The bar for data that is considered worthy of protection has been lowered substantially. Consumer IP addresses and even web cookies are now subject to similar standards regarding use and security as more overtly sensitive data such as Social Security numbers, physical addresses, and telephone numbers.
Regardless of where your business is located, if you do business in the EU or gather any Personally Identifiable Information (PII) from citizens of the EU through your website, your operations are subject to the GDPR. Simply put, PII is any information that on its own or combined with other relevant data can identify an individual data subject. Under GDPR, PII can mean anything from a phone number to an IP address.
Depending on your business model and the way you utilize the PII of EU citizens or “data subjects,” your exposure to the regulation may differ. In this post, we explore how the GDPR may specifically impact SaaS business owners, bloggers, and proprietors of e-commerce stores as well as online businesses as a whole. Before we do so, let’s take a brief look at how we got to this point.
Data Protection in Europe
The internet and the ways in which businesses utilize PII have changed dramatically since 1995, the year the GDPR’s immediate predecessor, the Data Protection Directive (DPD), was enacted. Despite the degree and pace of technological innovation since then, the DPD and GDPR share many fundamental principles. Both regulations are rooted in the idea of privacy as an essential human right, a concept which first became widespread in Europe after World War II; the right to privacy was enshrined in the UN’s Universal Declaration of Human Rights in 1948.
As far back as 1984, with the UK’s Data Protection Act, the governments of European nations—both separately and collectively—have grappled with how best to protect their citizens’ right to privacy in the digital realm.
The DPD left regulation and enforcement primarily up to the individual member nations, which led to a bureaucratic morass: businesses faced the prospect of dealing with at least 28 different regulatory agencies and frameworks—one or more for each country in the EU. This primary shortcoming of the DPD is one that GDPR was designed to address. The “one-stop-shop” principle was an integral part of GDPR from its very beginnings in 2012, and this simplification of the regulatory environment potentially offers the GDPR’s biggest boon to online businesses. Under GDPR, data privacy regulations are harmonized amongst EU countries. Each of the 28 member countries has a supervisory authority responsible for enforcement. A business located in Europe only has to interact with one supervisory authority—the one where its primary headquarters is located—regardless of how many other countries it performs GDPR-regulated activities in. Businesses without a location in the EU “will have to deal (through their representatives) with the local supervisory authorities in each EU member state where they process personal data.” While it remains uncertain how this framework will operate in practice, this move towards simplifying regulation and enforcement across the EU is seen by many as a step in the right direction for facilitating business online.
More problematic for online businesses, at least in the short term, are the significantly more stringent regulations governing consent and the use and retention of Personally Identifiable Information. While many of the steps required of businesses to achieve compliance seem onerous in the short term, they directly address the overarching concern of the GDPR, stated in Article 1 of the Regulation: “The protection of natural persons in relation to the processing of personal data is a fundamental right… everyone has the right to the protection of personal data concerning him or her.”
The protection of personal data is far from an exclusively European concern. As more and more aspects of our lives take place online, concerns about data privacy and security have never been greater. A 2016 Pew Research Center survey found that 74% of Americans declare it is “very important” to them that they are in control of who can get information about them, and 65% say it is “very important” to them to control what information is collected. Massive data breaches such as those experienced by Yahoo and Equifax seem to occur with increasing regularity. More recently, the way in which the detailed personal information we provide to social media companies is made available and utilized—i.e., Facebook and Cambridge Analytica—has come under great scrutiny in both the US and Europe. Given this level of public and governmental concern, it is not unreasonable to assume that other countries may follow the lead of GDPR in enacting more stringent privacy laws to protect their citizens.
The Penalties of GDPR Non-Compliance
Perhaps the biggest headlines of all regarding GDPR have focused on the potential repercussions for businesses found in violation. This should come as no surprise: the penalties are staggering.
There are two tiers, both of them high enough to have teeth for even the biggest multinational corporations. The maximum fines are as follows:
- Four percent of annual worldwide turnover, or €20 million (approximately $25 million), whichever is higher.
- Two percent of annual worldwide turnover, or €10 million (approximately $12.5 million), whichever is higher.
It is important to remember that these fines are the maximum permitted under the GDPR. They’re aimed at ensuring that even the world’s largest companies take the regulations seriously and abide by them. Nonetheless, these penalties serve as a clear indication that the EU intends to punish online businesses who violate the GDPR. Indeed, European regulators have shown no hesitation in imposing fines totaling in the billions of dollars against tech giants like Google in the recent past.
With all the attention devoted to these heavy fines and general confusion about compliance, much of the coverage of GDPR has had a negative slant. But many believe greater transparency between consumers and the companies that utilize their data is a good thing for both parties in the long run. Microsoft evidently agrees. On the eve of the GDPR coming into force, Microsoft announced that it would extend the GDPR’s privacy protections to customers worldwide.
While becoming GDPR-compliant may require considerable effort on your behalf as an online business owner, it is in your best interests to embrace the trend towards greater privacy protections and transparency as well as ensure adherence to the law. Below, we offer guidance on how you can achieve both.
The Road to GDPR Compliance
Owners and operators may be wondering how much of the GDPR legislation applies to them. Do all online business owners have to comply with GDPR?
We consulted several legal experts on the matter to clarify the complexities of GDPR compliance for online businesses. Susan Edwards, CEO of International Compliance Specialists for the LH Group, shares the one piece of GDPR legal advice to online businesses based anywhere in the world:
Unless you don’t ever deal with customers who are based in the EU or are EU citizens, GDPR will apply to your business. Reduce your market or embrace GDPR. Rather than concentrate on the negative aspects, use GDPR compliance to adopt and refine good business practices. Ultimately, having clear operating processes in place will ensure GDPR compliance but it will also
- increase great customer relationships as you build up trust with them and prove how much you value them and their data and this
- shows up as increased profits
The same advice applies to any business. Embrace what you can’t change and maximize the benefits. Data Privacy and protection is improving worldwide and sits at the heart of ethical companies – I see this as a great way to demonstrate transparency as a business.
Businesses of all sizes should be tuned into GDPR requirements. Should an online business with gross annual revenues of $5 million or less be concerned about GDPR compliance? Edwards further shared:
The focus on GDPR has to be there for businesses of all sizes – size doesn’t matter when it comes to the need for GDPR compliance. Setting aside any financial penalty for non-compliance, not treating personal data properly will damage your reputation. I would go as far as to say the reputation damage is worse than a fine; it’s certainly wider reaching.
Compliance, including GDPR is achieved by having clear processes in place. Creating and adapting these processes can be easier for a smaller and more agile business to achieve. In return, having those processes in place will benefit your business efficiency and general operation. There is nothing we advise clients or is relevant to GDPR which is not business protective also.
Melinda McLellan, Privacy and Data Protection Partner at Baker & Hostetler LLP echoes Edwards’ advice despite acknowledging that the risk of enforcement for online businesses of this size by EU authorities is likely low:
Depending on the company and the services it provides, yes. Although one might argue that the risk of enforcement by EU authorities is low for this type of entity, that doesn’t mean the GDPR is irrelevant to their operations. For example, to the extent the company is a vendor to businesses with their own GDPR exposure, those customers may ask the business to sign a data processing agreement (DPA) to comply with Article 28 or to accept other contractual obligations relevant to GDPR requirements. In fact, it’s fair to say a significant number of these kinds of companies were made aware of the GDPR because their clients or customers sent them DPAs to sign, many in the last few weeks preceding May 25. Whether or not a small online business in the US could be fined by an EU regulator, or if such a fine could be effectively enforced, business realities are making GDPR compliance a must for all sorts of organizations that may not themselves be directly subject to the Regulation.
There are a number of requirements for ensuring compliance that apply to most online businesses, regardless of the individual business model. In this section, we summarize these near-universal components of the GDPR. We then take an in-depth look at what you need to do to make your SaaS, blog, or e-commerce business GDPR compliant.
Are You a Data Controller or a Processor?
One of the most crucial things to determine in preparing your business for GDPR is whether you are a data controller or data processor. As “the person (or business) who determines the purposes for which, and the way in which, personal data is processed,” controllers are subject to more stringent requirements. A data processor, on the other hand, is an entity which processes data on behalf of and under instruction from the data controller. If your business retains and utilizes customers’ PII for marketing or virtually any other purpose, the GDPR classifies you as a data controller. You can find a thorough examination of the differences between data controllers and processors here.
Data Protection by Design and Default
Art.25 of the GDPR states that data protection must be “baked in” to any processing and storage of PII undertaken by data controllers. For existing businesses, this entails “implementing appropriate technical and organizational measures… designed to implement data-protection principles.” Pseudonymization of data, discussed in further detail below, and data minimization—meaning controllers retain only PII essential for processing—are two data protection techniques mentioned explicitly in Art.25.
In order to adhere to the spirit of Art.25, new businesses should incorporate adequate data protection safeguards into their product and processes right from the start.
Data Protection Officer
The GDPR stipulates that data controllers and processors which conduct processing of PII on a “large scale” must appoint a Data Protection Officer (DPO). Although the qualifications necessary to perform this duty are somewhat vague and do not currently require official licensing or certification of any kind, the DPO must have “expert knowledge of data protection law and practices.” The DPO has the responsibility of dealing with regulatory authorities on behalf of their company as well as with GDPR-related requests from the public.
Consent and GDPR Compliance
The GDPR substantially heightens the standard for what is considered consent to the use of data. Consent must be affirmed by “a statement or a clear affirmative action.” The act also introduces stricter regulations on age verification and how a child’s personal information may be obtained and used. In addition, GDPR requires more explicit consent for the use and collection of data that can reveal racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic or biometric data, health status, or sexual orientation.
Consent can be given and recorded by checking a box when visiting a website, but the GDPR explicitly does not regard silence, pre-checked boxes or inactivity as constituting consent.
Deliberate affirmative action on the part of the user is required to confirm consent, and the controller must maintain a record of when and how consent is given.
In addition, GDPR dispenses with unnecessarily complex, phone-book-length “terms and conditions” and privacy policies. What data is being retained and how it will be used must be explained in a manner that can be easily understood by consumers. Plain language must be used, and it must be as effortless for consumers to withdraw consent as it is to give it.
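The three consent rules above (an affirmative action is required, the controller keeps a record of when and how consent was given, and withdrawal must be as easy as giving consent) can be modelled directly in a small consent ledger. The code below is an added illustration and is not from the original article; the class and method names (ConsentLedger, record_consent, withdraw), the method labels such as "checkbox_ticked" and "prechecked_default", and the sample subject IDs are all constructed for the example.

```python
"""Recording consent events in the way the GDPR expects.

Added example (not the article's own code). It rejects non-affirmative
"consent" (pre-checked defaults, silence, inactivity), stores when and how
consent was given together with the policy text version the user saw, and
lets the subject withdraw with a single call. All names are hypothetical.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Ways a user can express a choice. Only the first set counts as an affirmative action.
AFFIRMATIVE_METHODS = {"checkbox_ticked", "button_clicked"}
NON_AFFIRMATIVE_METHODS = {"prechecked_default", "silence", "inactivity"}


@dataclass
class ConsentRecord:
    subject_id: str
    purpose: str          # e.g. "marketing_email"
    method: str           # how consent was expressed
    policy_version: str   # the plain-language text the user actually saw
    given_at: datetime
    withdrawn_at: Optional[datetime] = None

    @property
    def active(self) -> bool:
        return self.withdrawn_at is None


class ConsentLedger:
    """Append-only record of consent per subject and purpose."""

    def __init__(self) -> None:
        self._records: Dict[str, List[ConsentRecord]] = {}

    def record_consent(self, subject_id, purpose, method, policy_version, now=None):
        if method in NON_AFFIRMATIVE_METHODS:
            raise ValueError(f"{method!r} is not an affirmative action; no consent recorded")
        if method not in AFFIRMATIVE_METHODS:
            raise ValueError(f"unknown consent method {method!r}")
        rec = ConsentRecord(subject_id, purpose, method, policy_version,
                            now or datetime.now(timezone.utc))
        self._records.setdefault(subject_id, []).append(rec)
        return rec

    def withdraw(self, subject_id, purpose, now=None) -> int:
        """Withdrawal needs no justification: one call closes every active record."""
        closed = 0
        for rec in self._records.get(subject_id, []):
            if rec.purpose == purpose and rec.active:
                rec.withdrawn_at = now or datetime.now(timezone.utc)
                closed += 1
        return closed

    def has_consent(self, subject_id, purpose) -> bool:
        return any(r.purpose == purpose and r.active
                   for r in self._records.get(subject_id, []))

    def history(self, subject_id) -> list:
        """Evidence of when and how consent was given (and withdrawn)."""
        return [
            {"purpose": r.purpose, "method": r.method, "policy_version": r.policy_version,
             "given_at": r.given_at.isoformat(),
             "withdrawn_at": r.withdrawn_at.isoformat() if r.withdrawn_at else None}
            for r in self._records.get(subject_id, [])
        ]


def demo() -> dict:
    """Constructed walk-through with fixed timestamps; returns values a test can check."""
    ledger = ConsentLedger()
    t0 = datetime(2018, 5, 25, 9, 0, tzinfo=timezone.utc)
    ledger.record_consent("user-42", "marketing_email", "checkbox_ticked", "privacy-v3", t0)
    try:  # a pre-checked box is not consent and must not be recorded as such
        ledger.record_consent("user-43", "marketing_email", "prechecked_default", "privacy-v3", t0)
        rejected = False
    except ValueError:
        rejected = True
    before = ledger.has_consent("user-42", "marketing_email")
    ledger.withdraw("user-42", "marketing_email", datetime(2018, 6, 1, tzinfo=timezone.utc))
    after = ledger.has_consent("user-42", "marketing_email")
    return {"prechecked_rejected": rejected, "before_withdrawal": before,
            "after_withdrawal": after,
            "user43_has_consent": ledger.has_consent("user-43", "marketing_email"),
            "history_len": len(ledger.history("user-42"))}


if __name__ == "__main__":
    print(demo())
```

The withdrawn record is kept rather than deleted: the ledger is the controller's evidence of what consent existed and when, so the history survives the withdrawal while `has_consent` immediately returns false.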
Cross-Border Data Transfers Under GDPR
The GDPR has complex regulations regarding the transfer of data to countries outside the EU. However, the more onerous restrictions apply only to countries that do not have adequate privacy safeguards in place. For US-based companies, the US Department of Commerce and the European Commission have developed the Privacy Shield framework to help online businesses ensure their cross-border data transfers are GDPR-compliant. There is a self-certification process available for eligible organizations.
Examples of cross-border data transfers might include:
- Emailing the PII of an EU citizen to a colleague or vendor located outside the EU
- Providing a vendor located outside of the EU with PII for data processing
- Outsourcing customer service or support to a vendor located outside the EU
Article 44 prohibits cross-border data transfers to countries deemed to have inadequate privacy protections except under strict conditions. The map below shows countries with adequate privacy protections as determined by the EU.
(Image Courtesy: MRR Media)
As an additional protection for EU citizens, the GDPR makes it unlawful to transmit personal information to a third country in response to a legal inquiry, requirement or request.
Data Profiling
The GDPR provides extensive protection against the use of data profiling, defined as the “automated processing of personal data for the purpose of making a decision.” While the legislation doesn’t explicitly prohibit profiling itself, it does protect consumers against decisions made as a result of profiling.
An example of this might include making a decision on creditworthiness based on the results of data profiling. The GDPR renders this type of decision illegal and subject to punitive action. For example, “automatic refusal of an online credit application or e-recruiting practices without any human intervention” is prohibited under the GDPR. Use of profiling to direct-market to natural persons or to price-discriminate is also prohibited. These restrictions place strict new limits on the use of “big data” to inform marketing decisions.
In addition, the GDPR enshrines EU citizens with extensive rights to object against data profiling. Any data subject can protest against profiling conducted using their data, at which point the profiling must cease.
Data Breach Notifications Under GDPR
In the event of a data breach, notification both to the regulatory authority and any natural person whose personal data has been compromised is mandatory. US regulations typically only require notification when information that creates the risk of identity theft or fraud—such as Social Security numbers or billing address information—is lost.
The reporting deadline for data breaches is tight. The appropriate supervisory authority must be notified of any breach within 72 hours of discovery. With few exceptions, it is the responsibility of the data controller to notify data subjects of any breach that “is likely to result in a high risk to the rights and freedoms of individuals.”
The Right of Erasure, the Right to Be Forgotten, and Data Portability Under GDPR
Article 17 of the GDPR affords EU data subjects broad powers to have personal data retained by data controllers erased upon request. The goal is to give EU citizens the “right to be forgotten.” Article 17 is based upon a 2014 European Court of Justice ruling which required search engines to remove links to web pages retrieved when searching for a person’s name, upon their request. In theory, this enables EU citizens to erase any digital footprint they may have left over time. This is one of the most powerful rights the GDPR confers upon EU citizens and is a cornerstone of the individual’s right to privacy online. While the right to be forgotten theoretically grants data subjects much greater control over what information about them is available online, it is not without controversy. Detractors fear it will have a chilling effect on free speech and negatively impact the historical record.
In addition to the right of erasure, GDPR Article 20 gives EU citizens the right to data portability. This means that, upon request, a data controller must transfer personal data to another controller, regardless of whether or not the other controller is a competitor.
This further underlines the principle that personal data remains the property of individual citizens, not controllers. All businesses that control or process the PII of EU citizens need to ensure that they have the ability to erase that PII at the individual’s request. Additionally, controllers have a responsibility, with notable exceptions, to provide individuals with a copy of their PII in a structured, commonly used and machine-readable format, or to transmit it in said format to a third-party at the data subject’s request.
Pseudonymization and Anonymization
One of the data protection measures endorsed by the GDPR is pseudonymization. Pseudonymization is the processing of personal data in such a manner that the personal data can no longer be linked to a specific data subject without the use of additional information. The additional information must be held separately to help ensure personal data cannot be attributed to an identifiable natural person.
In practical terms, this entails replacing the directly identifying fields in a record with substitute values (pseudonyms). The goal is to prevent bad actors from being able to determine a person’s identity from published data, or from data lost in a breach.
Anonymization goes one step further. While pseudonymized data can still be identified by the data controller using additional information stored separately, anonymized data is no longer personally identifiable even by the controller of the data.
While pseudonymization and anonymization hold promise as techniques to both safeguard PII and put it to further use than initially consented to, they’re not magic bullets. There is no specific definition to guide controllers as to when data is sufficiently anonymized to be exempt from GDPR restrictions. Thus, data controllers and processors who employ pseudonymization and anonymization as tactics to avoid severe restrictions on processing personal information run the risk of incurring huge fines if their methods are found insufficient in court.
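The distinction drawn in this section, a separately held mapping that only the controller can use versus data that nobody can re-identify, is easiest to see in code. The block below is an added example, not code from the original article: it pseudonymizes a constructed customer record with a keyed token, keeps the token-to-identity mapping in a separate vault, shows that erasing the mapping makes the working copy unlinkable, and then anonymizes by dropping the token and coarsening the remaining quasi-identifiers. The class and function names (PseudonymVault, anonymize), the HMAC-based token scheme, and the sample record are all assumptions made for the illustration; whether a given coarsening is "sufficiently anonymized" is exactly the undefined question the text warns about.

```python
"""Pseudonymization versus anonymization of a customer record.

Added example, not the article's own code. Pseudonymization swaps the
directly identifying fields for a token and keeps token -> identity in a
separate store held only by the controller; anonymization discards the token
and coarsens quasi-identifiers so not even the controller can re-identify the
record. The record, field names and key handling below are constructed.
"""
import hashlib
import hmac
import secrets
from typing import Dict

IDENTIFYING_FIELDS = ("name", "email", "phone")

# Constructed sample record (hypothetical customer).
SAMPLE = {"id": "cust-1001", "name": "Jane Example", "email": "jane@example.com",
          "phone": "+44 20 7946 0000", "postcode": "SW1A 1AA", "birth_year": 1984,
          "plan": "pro", "monthly_spend": 49.0}


class PseudonymVault:
    """The 'additional information' the GDPR says must be held separately
    (in practice: another database with its own access controls)."""

    def __init__(self, key: bytes) -> None:
        self._key = key
        self._lookup: Dict[str, Dict[str, str]] = {}   # token -> original identifiers

    def token_for(self, record_id: str) -> str:
        # Keyed hash: the same subject always gets the same token (so joins still
        # work), but without the key a token cannot be recomputed from the identity.
        return hmac.new(self._key, record_id.encode(), hashlib.sha256).hexdigest()[:16]

    def pseudonymize(self, record: dict) -> dict:
        token = self.token_for(record["id"])
        self._lookup[token] = {f: record[f] for f in IDENTIFYING_FIELDS}
        out = {k: v for k, v in record.items() if k not in IDENTIFYING_FIELDS and k != "id"}
        out["subject_token"] = token
        return out

    def reidentify(self, pseudo: dict) -> dict:
        """Only the controller, holding the vault, can do this."""
        ident = self._lookup[pseudo["subject_token"]]
        return {**{k: v for k, v in pseudo.items() if k != "subject_token"}, **ident}

    def erase(self, record_id: str) -> bool:
        """Erasure request: drop the mapping, and the working copy is no longer linkable."""
        return self._lookup.pop(self.token_for(record_id), None) is not None


def anonymize(pseudo: dict) -> dict:
    """Drop the token and coarsen quasi-identifiers; there is no way back for anyone."""
    out = {k: v for k, v in pseudo.items() if k != "subject_token"}
    if "postcode" in out:
        out["postcode"] = out["postcode"][:2] + "***"          # outward-code prefix only
    if "birth_year" in out:
        out["birth_decade"] = f"{out['birth_year'] // 10 * 10}s"  # e.g. "1980s"
        del out["birth_year"]
    return out


def demo() -> dict:
    """Constructed walk-through; returns values a test can check."""
    vault = PseudonymVault(secrets.token_bytes(32))   # key lives with the vault, not the data
    pseudo = vault.pseudonymize(dict(SAMPLE))
    restored = vault.reidentify(pseudo)
    anon = anonymize(pseudo)
    vault.erase("cust-1001")
    try:
        vault.reidentify(pseudo)
        after_erase = True
    except KeyError:
        after_erase = False
    return {"pseudonymized": pseudo,
            "roundtrip": restored == {k: v for k, v in SAMPLE.items() if k != "id"},
            "anonymized": anon,
            "reidentify_after_erase": after_erase}


if __name__ == "__main__":
    print(demo())
```

Note that the pseudonymized copy still carries a stable token, so records about the same person remain linkable and the data is still personal data under the GDPR; only the anonymized copy, with the token gone and the quasi-identifiers coarsened, is a candidate for falling outside it, and that judgement is a legal one rather than a property of the code.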
You can read more about the pros and cons of pseudonymization and anonymization here.
The Upcoming ePrivacy Regulation and Its Impact
As if GDPR wasn’t enough for online businesses to contend with, further privacy restrictions loom on the horizon in the form of the complementary ePrivacy regulation. It makes sense to be aware of the proposed legislation and incorporate any necessary changes to operations while you’re implementing GDPR compliance. This could help prevent any duplication of labor and inconvenience to your customers when the ePrivacy regulation comes into effect.
Narrower in scope than the GDPR, the ePrivacy regulation is sometimes known as “the cookie law.” It provides clear rules as to how cookies can be used for behavioral marketing and other purposes.
Like the GDPR, one of the primary goals of the ePrivacy regulation is to standardize laws across the EU, rather than having 28 different sets of rules and regulations enforced by individual nations.
Here are some highlights of the proposed regulation:
- Current ePrivacy regulations have led to the proliferation of cookie acceptance banners such as this one:
(Source: Author’s Screenshot of Barclay’s site)
Such banners have become commonplace since the current ePrivacy directive came into force in 2012.
- Under the new legislation, the burden of gathering consent to accept cookies shifts from individual websites to the setting of browser preferences. In theory, individuals could give blanket consent to accept or reject cookies altogether. Alternatively, users could elect to accept first-party cookies but reject third-party cookies. This would have a significant impact on marketers who rely on third-party cookies for retargeting and other forms of behavioral advertising.
Advertising, marketing, and media advocacy groups have lobbied hard against this change. They argue that it robs them of both the opportunity to directly seek consent from users and to sell consumers on how that consent can be of value to them.
Media entities, in particular, are increasingly reliant on revenue derived from data-driven marketing made possible by third-party cookies. These lobbying efforts have as yet had little effect.
- Unsolicited marketing email (i.e., spam) is prohibited.
- The ability for marketers to make unsolicited marketing calls is either severely curtailed or prohibited altogether.
- Fines for violation of the ePrivacy regulation will be similar to those under GDPR, and the same regulatory body will be handling enforcement.
Unlike the GDPR, the ePrivacy regulation is yet to be finalized and is not expected to be until “sometime in 2019” (as of December 2019 there has still been no update). Thus, the implementation date is even further off. Regardless, the intent of the regulation is well-known.
While media and marketing advocacy groups continue lobbying fiercely against the regulations governing cookies, a relaxation of the regulation is by no means a sure thing.
Now that we have provided a high-level summary of the key elements of the GDPR applicable to all online businesses, we will delve into the steps that SaaS, content-based, and e-commerce businesses can take to ensure GDPR compliance.
GDPR Compliance for SaaS Businesses
Depending on the specifics of how your SaaS utilizes the PII of EU data subjects, you may be considered either a data processor or controller. Many SaaS companies are likely to be both. Given that this remains somewhat of a grey area—there are as yet no precedents under case law to rely on—the safest course of action is to assume that your SaaS is subject to the more stringent requirements placed on data controllers. If you retain PII from your customers and decide how it is processed, you are a controller. You can read extensively about the difference between data processors and controllers here.
Here are the steps you can take to help ensure GDPR compliance for your SaaS.
Retain Only the Data You Need
This simple rule of thumb may seem self-evident, but many companies retain much more customer data than is necessary for the performance of their business functions. While it may be tempting to collect and retain as much data as possible from your customers, the more data you hoard, the greater your potential liability.
Appoint a Data Protection Officer
Under GDPR, any organization whose core activities require regular and systematic processing and monitoring of data subjects on a large scale is required to appoint a Data Protection Officer (DPO). For many SaaS businesses, the above definition might serve as a precise description of their business activities.
While “large scale” has yet to be clearly defined, the most prudent course of action for SaaS businesses is to assume that the provision applies to them and to appoint either an internal or external DPO. Companies have already emerged that allow you to outsource this role. Demand from businesses filling the role internally is estimated to create at least 75,000 DPO positions worldwide.
Fortunately, there is no obligation under the legislation for businesses to hire a new employee to act as DPO. This would be an unrealistic burden, especially for smaller businesses. An existing member of your team or a contracted third party can serve in the role of DPO.
Key responsibilities of the data protection officer include:
- Ensuring all PII is processed in accordance with the GDPR
- Acting as liaison to the appropriate regulatory bodies (e.g., reporting of a data breach)
- Responding to GDPR-related queries and complaints from the public
- Promotion of a “data protection culture” within the organization
- Determining whether a Data Protection Impact Assessment (DPIA) is necessary
While no official certification currently exists for DPOs, they are expected to be well versed in the requirements of the GDPR and other laws governing the safeguarding of sensitive data, the data processing operations of the business, and cybersecurity and privacy concerns.
One important thing to note is that although the DPO may be an employee who performs other duties for the business, they cannot be the person responsible for deciding the means and purposes for the processing of PII. This is designed to give the DPO sufficient independence to effectively ensure GDPR compliance with “no conflict of interest with possible other tasks and duties.” This requirement presents a definite challenge for owner-operated SaaS businesses or those with small teams. In this event, outsourcing the role of DPO to a third-party is likely the best option.
Here is a helpful checklist for ensuring your SaaS complies with the DPO requirement.
Perform a Data Audit
Conducting a thorough PII data audit is one of the most important steps your SaaS business can take to ensure GDPR compliance. Here are some of the key questions you should be asking:
- What PII does your business currently retain and process?
- Do you have GDPR compliant consent from your customers as to what data you retain and how it is processed?
- Is the consent adequately documented?
- If consent is withdrawn, do you have a mechanism in place that allows you to expunge a data subject’s PII swiftly?
The Information Commissioner’s Office in the UK, the national body responsible for GDPR enforcement, has produced a series of checklists to help your business assess its data protection readiness.
Ensure Your Third-Party Vendors Are GDPR-Compliant
An essential component of your data audit is ensuring that any third-party applications, plugins or service providers that process your customers’ PII at your behest are themselves GDPR compliant. CRM software like Salesforce and email delivery services such as Sendgrid are two prime examples of third-party vendors SaaS businesses might use that would have access to PII. Fortunately, reputable data controllers and processors are highly likely to have taken their own measures to ensure GDPR compliance. Nevertheless, it is crucial for you to ensure that any third-party vendor whom you entrust with your customer’s data is GDPR-compliant.
Data Processing Agreements With Third-Party Vendors
The GDPR requires data controllers to have a binding written contract, or data processing agreement (DPA), with any third-party vendor that processes PII on their behalf. It is the duty of the data controller to ensure that any third-party processor warrants that they employ GDPR-compliant safeguards to protect PII. This requirement can be met either through an amendment to an existing written contract (or terms and conditions), or a separate DPA. For a closer look at the specifics of DPAs, UK legal firm BPE provides detailed guidance here.
Obtaining GDPR-Compliant Consent and “Repermissioning”
As stated in the introduction, consent to the use of PII is only considered valid under GDPR if confirmed with “a clear, affirmative action.” While checking a box on a website is sufficient to affirm consent, opt-out consent is forbidden under GDPR. Using pre-checked boxes, silence or inactivity as a substitute for explicit consent is no longer valid.
The language used when seeking consent is also crucial. Where “Terms and Conditions” are often lengthy and highly technical, the GDPR specifies that any communication regarding the processing of PII must be in “a concise, transparent, intelligible and easily accessible form, using clear and plain language.”
While obtaining consent from new customers by following the above guidelines should be relatively straightforward, what about existing customer data? Unless you have documented proof that GDPR-compliant consent was given to the processing of an individual’s PII, that data is technically now obsolete—it cannot be grandfathered in.
For many businesses, the invalidation of existing consent and customer data has been the most disruptive consequence of the GDPR. In the UK, for example, one study found that 75% of customer data in marketing databases was made obsolete by the legislation. This led to a flurry of emails from businesses both large and small in the runup to GDPR’s start date, beseeching customers to give GDPR-compliant consent. This practice became known as “repermissioning.” Like so many elements of the GDPR, repermissioning is fraught with controversy with some experts arguing that it is unnecessary and even that sending repermissioning emails may in itself constitute a violation of the GDPR. However, the intent of the GDPR is not to persecute businesses that are doing their utmost to comply with it. Many businesses worldwide have made the judgment that gaining GDPR-compliant consent through repermissioning campaigns is the best way to both comply with the legislation and retain existing customers and subscribers.
If you elect to embark on an email campaign to repermission your customers, it is best to take the opportunity to explain to your readers the advantages of continuing to receive communications from you and the potential benefits of allowing you to process their PII for purposes of behavioral marketing and any other uses required by your SaaS business. Selling points might include personalized offers and content. You may also find your customers and readers appreciate the transparency that comes with a clear explanation of what PII you retain and how it is being used.
Legitimate Interest
Consent is not the only legal ground for processing PII. In fact, it is but one of six. For most SaaS businesses, the only other ground that may apply is “legitimate interest.” While experts agree that legitimate interest does not apply to the processing of PII for purposes of marketing—and Recital 70 appears to affirm that—its applicability as a legal ground for the processing of sensitive data by SaaS businesses is the subject of much debate. Recital 47 of the GDPR states that legitimate interest “may provide a legal basis for processing, provided that the interests or the fundamental rights and freedoms of the data subject are not overriding, taking into consideration the reasonable expectations of data subjects based on their relationship with the controller. Such legitimate interest could exist, for example, where there is a relevant and appropriate relationship between the data subject and the controller in situations such as where the data subject is a client or in the service of the controller.” Note that legitimate interest only may provide a legal basis for processing. The broad language used in this Recital has led to much confusion. Although it may give the impression that processing of PII by many SaaS businesses is legally permitted, what constitutes legitimate interest remains a grey area and is likely to remain so until a precedent is set in court.
Edwards weighs in on whether legitimate interest is ever a ground for businesses to send marketing emails to EU citizens without first obtaining GDPR-compliant consent:
Potentially, yes it could be. However, when you are considering marketing to EU citizens, you have to consider other legislation alongside GDPR.
For example, PECR (the Privacy and Electronic Communications Regulations) restricts the sending of marketing emails (and other electronic communications) to individuals. However, there is a soft opt-in which would enable you to send marketing emails to EU citizens, to an individual who has given their details to you recently when they bought something from you and has not opted out of receiving your marketing messages. This is PROVIDED you have given them the opportunity to opt out both when you first collected their details and in every message you have sent to them.
Given this uncertainty, many experts recommend that legitimate interest not be used as a basis for processing PII without GDPR-compliant consent.
Prepare For a Breach
If recent history has taught us anything about cybersecurity, it’s that any organization, regardless of size, is at risk of a breach of sensitive data. Data protection by design and default is one of the core tenets of the GDPR and should be practiced by any reputable business. However, even the most secure technologies remain vulnerable to attack. As noted above, the reporting burden placed on businesses that experience a breach of PII is substantial. In most cases, you must notify the appropriate authorities within 72 hours of discovering a breach. It is likely that you are also responsible for promptly notifying EU citizens whose PII was compromised by the breach. While every possible step should be taken to prevent a breach of PII from occurring, it is imperative that there is a plan in place in the event that a breach occurs in spite of your best efforts. This checklist can help ensure you are well prepared in the event of a breach.
Create a Privacy Notice
Any business that processes or retains PII must display a GDPR-compliant privacy notice when collecting the data. According to the UK-based data protection consultancy ITGovernance, a privacy policy should address the following:
- Who is collecting the data?
- What data is being collected?
- What is the legal basis for processing the data?
- Will the data be shared with any third parties?
- How will the information be used?
- How long will the data be stored for?
- What rights does the data subject have?
- How can the data subject raise a complaint?
ITGovernance also offers a downloadable GDPR privacy notice template that you can customize for your business.
Update Your Terms and Conditions
Many SaaS companies—particularly those in the B2B space that act as data processors for third-parties—will need to update their terms and conditions to stipulate that their SaaS is only used in accordance with the provisions of the GDPR. In other words, the data controller must confirm in writing that any PII transmitted to the processor has been collected and is to be processed under legal grounds such as consent or legitimate interest. It is a good practice to include language indemnifying your SaaS from any damages that may occur should the data controller fail to live up to its GDPR-related obligations under the terms and conditions.
Lead Magnets and the GDPR
One of the most popular ways of capturing the email addresses of visitors to your site just became more difficult. Capturing the email addresses of EU subjects by offering them an e-book, whitepaper, or other gated resource and then using that email address for marketing or any other purpose is considered a kind of “bait and switch” tactic and is forbidden under GDPR. You need to obtain GDPR-compliant consent at the time you capture the email address to send the recipient anything other than the resource you promised. Take the opportunity to explain the benefits of receiving further communications from your SaaS business.
Implementing the GDPR’s Right to Be Forgotten and Right to Erasure
Article 17 of the GDPR gives EU citizens the right to be forgotten, also known as the right to erasure. This means just what it sounds like. Upon verbal, written, or electronic request, all PII from an individual data subject must be erased. It is your responsibility as a data controller to ensure a request to be forgotten is executed “without undue delay and within one month of receipt.”
The right to be forgotten may present a challenge to SaaS business owners, who need to build into their software the functionality to erase an individual’s PII completely. Given that the GDPR only allows you to deny an individual’s right to be forgotten under very stringent conditions, incorporating this functionality into your product is not optional.
Perform a Data Audit
Conducting a thorough PII data audit is one of the most important steps your SaaS business can take to ensure GDPR compliance. Here are some of the key questions to ask of your business:
- What PII does your business currently retain and process?
- Do you have GDPR-compliant consent from your customers as to what data you retain and how it is processed?
- Is the consent adequately documented?
- If consent is withdrawn, do you have a mechanism in place that allows you to expunge a data subject’s PII swiftly?
The Information Commissioner’s Office in the UK, the national body responsible for GDPR enforcement, has produced a series of checklists to help your business assess its data protection readiness.
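The three mechanisms the SaaS section keeps returning to (documented, affirmative-only consent that is as easy to withdraw as to give; an audit of which stored PII lacks consent; and an erasure workflow that runs against every store and is tracked against the one-month deadline) fit naturally into a small piece of application code. The following Python is an added illustration written for this article; it is not code from the GDPR, the ICO, or any vendor named here. The `ConsentLedger`, `PiiStore`, purposes, subject ids and email addresses are constructed, and the treatment of “within one month” as one calendar month (clamped at month end) is an assumption.

```python
"""Consent ledger, data-audit check and erasure workflow.

Added illustration for this article, not code from any GDPR authority or
product. The purposes, store names, subject ids and email addresses are
constructed; the one-calendar-month deadline is an assumption.
"""
import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional


@dataclass
class ConsentRecord:
    subject_id: str            # internal id, not itself PII
    purpose: str               # stated to the subject in plain language, e.g. "marketing-email"
    given_at: datetime         # WHEN consent was given
    method: str                # HOW it was given, e.g. "web-checkbox", "signed-form"
    notice_version: str        # which privacy notice text the subject saw
    withdrawn_at: Optional[datetime] = None


class ConsentError(ValueError):
    """Raised when something that is not valid consent is offered for recording."""


class ConsentLedger:
    """The documented proof of when and how each subject consented, per purpose."""

    def __init__(self) -> None:
        self._records: List[ConsentRecord] = []

    def record(self, subject_id: str, purpose: str, method: str, notice_version: str,
               affirmative_action: bool, box_prechecked: bool, now: datetime) -> ConsentRecord:
        # Silence, inactivity or a pre-ticked box is not consent; refuse to log it as such.
        if box_prechecked or not affirmative_action:
            raise ConsentError("consent requires a clear affirmative action; "
                               "pre-ticked boxes and opt-out consent are invalid")
        rec = ConsentRecord(subject_id, purpose, now, method, notice_version)
        self._records.append(rec)
        return rec

    def has_consent(self, subject_id: str, purpose: str) -> bool:
        return any(r.subject_id == subject_id and r.purpose == purpose and r.withdrawn_at is None
                   for r in self._records)

    def withdraw(self, subject_id: str, now: datetime, purpose: Optional[str] = None) -> int:
        """One call withdraws consent (all purposes, or one): as easy as giving it.
        The record is kept, marked withdrawn, as proof of the withdrawal."""
        n = 0
        for r in self._records:
            if r.subject_id == subject_id and r.withdrawn_at is None and purpose in (None, r.purpose):
                r.withdrawn_at = now
                n += 1
        return n


class PiiStore:
    """A hypothetical place PII lives (CRM table, mailing list, analytics export)."""

    def __init__(self, name: str, purpose: str) -> None:
        self.name, self.purpose = name, purpose
        self.rows: Dict[str, dict] = {}    # subject_id -> PII fields

    def erase(self, subject_id: str) -> bool:
        return self.rows.pop(subject_id, None) is not None


def audit_unconsented(stores: List[PiiStore], ledger: ConsentLedger) -> Dict[str, List[str]]:
    """Data-audit question: which subjects in each store lack valid consent for its purpose?"""
    gaps: Dict[str, List[str]] = {}
    for s in stores:
        missing = sorted(sid for sid in s.rows if not ledger.has_consent(sid, s.purpose))
        if missing:
            gaps[s.name] = missing
    return gaps


def one_month_after(dt: datetime) -> datetime:
    """Article 17's 'within one month' read as a calendar month, clamped (Jan 31 -> Feb 28)."""
    year, month = dt.year + dt.month // 12, dt.month % 12 + 1
    day = min(dt.day, calendar.monthrange(year, month)[1])
    return dt.replace(year=year, month=month, day=day)


def handle_erasure_request(subject_id: str, stores: List[PiiStore], ledger: ConsentLedger,
                           received_at: datetime, now: datetime) -> dict:
    """Erase the subject from every store, withdraw all consent, and return an audit
    entry that holds only the internal id and timestamps, never the erased PII."""
    erased_from = [s.name for s in stores if s.erase(subject_id)]
    ledger.withdraw(subject_id, now)
    deadline = one_month_after(received_at)
    return {"subject_id": subject_id, "erased_from": erased_from,
            "deadline": deadline, "completed_at": now, "on_time": now <= deadline}


if __name__ == "__main__":
    # Constructed walk-through: one valid opt-in, one rejected pre-ticked box, one erasure.
    t0 = datetime(2018, 5, 25, tzinfo=timezone.utc)
    ledger = ConsentLedger()
    crm = PiiStore("crm", "marketing-email")
    crm.rows["u1"] = {"email": "alice@example.com"}
    crm.rows["u2"] = {"email": "bob@example.com"}
    ledger.record("u1", "marketing-email", "web-checkbox", "notice-v2", True, False, t0)
    try:
        ledger.record("u2", "marketing-email", "web-checkbox", "notice-v2", True, True, t0)
    except ConsentError as exc:
        print("rejected:", exc)
    print("audit gaps:", audit_unconsented([crm], ledger))
    print(handle_erasure_request("u1", [crm], ledger, t0, t0 + timedelta(days=3)))
```

The audit function answers the checklist questions directly: a subject present in a store without an unwithdrawn ledger entry for that store's purpose is a compliance gap, and the erasure entry records whether the request was completed before its deadline without retaining any of the data that was erased.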
For a high-level actionable checklist of steps you can take to make your SaaS business GDPR-compliant, please click here.
GDPR Compliance for Bloggers
For bloggers and other content-based businesses, the journey towards GDPR compliance is likely to be more straightforward than for other online business models. However, there are still important steps you need to take in order to ensure GDPR compliance. This is particularly true if you use and retain customer data—such as email addresses—to market to visitors and subscribers to your blog or website. This applies not just to new subscribers, but to existing ones as well.
If you are not operating your blog for commercial purposes, you are exempt from the GDPR. Article 4 (18) defines commercial activity as “a natural or legal person engaged in an economic activity, irrespective of its legal form, including partnerships or associations regularly engaged in an economic activity.”
If you monetize your blog through advertising, affiliate programs or other means and you use or retain PII from EU citizens, you are subject to the GDPR.
Here are the actions you can take to put your blog on track for GDPR compliance. You will find that many of the steps we suggest are similar to those for SaaS businesses. You can read in more detail about those overlapping areas above.
Should You Appoint a Data Protection Officer?
Do you need to appoint a Data Protection Officer if you operate a blog or other content-based business? The original draft of the GDPR specified that only businesses with over 250 employees or those that processed over 5,000 data records were required to appoint a DPO. Unfortunately, the final version of the GDPR doesn’t include this stipulation. Rather, it specifies that a DPO must be appointed when processing and monitoring of data subjects take place on a large scale. As what constitutes “large scale” processing has yet to be determined, it is certainly possible to argue, as many have done, that a small content-based business does not require a DPO. However, this is far from a certainty. Peter Brown of the UK’s Information Commissioner’s Office, the regulatory body responsible for the GDPR, has gone so far as to say, “I’ve heard plenty of people talking about there being a DPO exemption for SMEs – this is absolutely not the case.”
Additionally, the EU stipulates that “monitoring the behavior of data subjects includes all forms of tracking and profiling on the internet, including for the purposes of behavioral advertising.” If your content-based business makes use of PII such as customer IP addresses to target visitors in any way, this is considered monitoring and is subject to the GDPR.
Edwards discussed whether owner-operated content-based businesses need to appoint a data protection officer, sharing that, “This depends on a number of factors and so needs to be considered on a business-by-business basis. There are some businesses where having a DPO (Data Protection Officer) is mandatory such as, for example, a business which undertakes large scale, regular and systematic monitoring of individuals. Whilst many owner-operated content-based businesses won’t need a DPO, they will still need to know and understand GDPR.”
As noted above in the SaaS business section, in the absence of further guidance from the EU or the courts, it may be best to err on the side of caution and appoint a DPO. Many content-based businesses are owner-operated and do not have additional employees. If that is the case for your business, the most expedient course of action is likely to be outsourcing this role.
Obtaining GDPR-Compliant Consent and Repermissioning
One form of marketing reliant on the processing of PII that most content-based businesses utilize is email marketing. As with almost any other form of processing under GDPR, the most reliable basis for sending marketing emails is to have the recipient’s GDPR-compliant consent. You can read about this in more detail in the SaaS section above, but in essence, for consent to be GDPR-compliant, it must be confirmed with a “clear affirmative action.” This can include checking a box on a website, but opt-out consent, such as requiring a user to uncheck a box to withdraw consent, is expressly forbidden. Consent must be as easy for a data subject to withdraw as it was to give. The ways in which a data subject’s PII, such as an email address, is to be utilized must be explained in “clear and plain language.” Additionally, when and how the consent was given must be documented for each data subject.
Unfortunately for many businesses, the GDPR’s guidelines for what constitutes consent apply retroactively. This means that unless the contacts in your existing email marketing database gave GDPR-compliant consent and you can prove it, you are most likely no longer able to send them marketing emails without violating the GDPR. Many businesses have chosen to solve this conundrum by conducting “repermissioning” campaigns with their existing contacts. Some businesses have elected to send emails requiring opt-in consent and notifying the recipient that failure to consent will result in their removal from the email list.
The good news is that this is a problem for virtually everyone who conducts email marketing. This has led many email marketing providers, e.g., Mailchimp and ConvertKit, to build tools into their platforms to facilitate GDPR compliance.
Segment Your E-Mail List
If your content-based business covers a wide range of interests, you may want to consider segmenting your email list. The New York Times offers an excellent example of offering a wide variety of email newsletters segmented by interest. You may find that your readers and subscribers are more likely to grant you GDPR-compliant consent to receive only emails relevant to their interests, rather than granting blanket consent.
Create a Privacy Notice
Any business that processes or retains PII must display a GDPR-compliant privacy notice when collecting the data. According to the UK-based data protection consultancy ITGovernance, a privacy policy should address the following:
- Who is collecting the data?
- What data is being collected?
- What is the legal basis for processing the data?
- Will the data be shared with any third parties?
- How will the information be used?
- How long will the data be stored for?
- What rights does the data subject have?
- How can the data subject raise a complaint?
ITGovernance also offers a downloadable GDPR privacy notice template that you can customize for your business.
Retain Only The Data You Need
The less PII you retain, the less liability you may face in the event of a breach. For many content-based businesses, a name and email address are the only sensitive customer data they need to retain to perform their business functions. Ensure you are only collecting and retaining PII that is essential for conducting your business.
Ensure Your Third-Party Vendors Are GDPR Compliant
If you gather PII, such as email addresses, from visitors to your blog and then use a third-party vendor to process the information, for example, an email marketing platform, you are responsible, as the controller of the PII, for ensuring the vendor is GDPR-compliant. If you use plugins that process the IP addresses of visitors to your site, you also need to confirm they are following the GDPR. If they are not, you could be held liable for any processing of PII performed on your behalf that is not GDPR compliant.
Data Processing Agreements With Third-Party Vendors
The GDPR requires that data controllers have a binding written contract, or data processing agreement (DPA), with any third-party vendor that processes PII on their behalf. It is the duty of the data controller to ensure that any third-party processor warrants that they employ GDPR-compliant safeguards to protect PII. This requirement can be met either through an amendment to an existing written contract (or terms and conditions) or through a separate DPA. For a closer look at the specifics of DPAs, UK legal firm BPE provides detailed guidance here.
Utilize Plugins to Assist With Compliance
Unsurprisingly, developers have been quick to address pain points created by the GDPR. For example, here are five WordPress plugins that can help assure compliance.
Prepare For a Breach
No matter what measures you take to safeguard sensitive data, a breach is always a possibility. As noted above, the reporting burden placed on businesses that experience a breach of PII is substantial. In most cases, you must notify the appropriate authorities within 72 hours of discovering a breach. It is likely that you will also be responsible for promptly notifying EU citizens whose PII was compromised by the breach. While every possible step should be taken to prevent a breach of PII from occurring, it is imperative that you have a plan in place in the event that a breach occurs in spite of your best efforts. This checklist can help ensure you are well prepared in the event of a breach.
Implementing the GDPR’s Right to Be Forgotten and Right to Erasure
As noted above, Article 17 of the GDPR gives EU citizens the right to be forgotten, also known as the right to erasure. This means just what it sounds like. Upon verbal, written, or electronic request, all PII from an individual data subject must be erased. It is your responsibility as a data controller to ensure a request to be forgotten is executed “without undue delay and within one month of receipt.” Given that the GDPR allows you to deny an individual’s right to be forgotten only under stringent conditions, you should be prepared to comply promptly with any such requests.
Fortunately for bloggers who only retain customer names and email addresses, many of the popular email marketing platforms now have the functionality to delete PII covered by the GDPR built into their products. Mailchimp and Hubspot provide two examples.
For a high-level actionable checklist of steps you can take to make your blog or content-based business GDPR-compliant, please click here.
GDPR Compliance for E-Commerce Businesses
Without taking action, e-commerce businesses are perhaps the most at risk of non-compliance with the GDPR. More so than blogs and SaaS companies, e-commerce businesses, almost by definition, must retain and process a great deal of sensitive customer data as an essential business function. Not only must they retain customer emails and physical addresses for the sake of fulfilling orders, but e-commerce businesses are also more likely to utilize behavioral and email marketing to target their customers. Some e-commerce business owners have gone so far as to seek protection from GDPR by discontinuing sales to Europe altogether. However, even that may not offer an exemption from the regulation. It has been speculated that even if an EU citizen resides in the United States, for example, they remain entitled to GDPR protections.
While compliance with GDPR may appear daunting at first, closing the door on over 500 million potential customers isn’t the best course of action, especially as it may not ensure compliance.
These 11 actions will help ensure that your e-commerce business stays on the right side of the GDPR. As is to be expected, there are many areas where GDPR-related concerns overlap with SaaS and content-based businesses. We will refer to previous sections where there is a substantial crossover with areas covered in depth earlier in this article.
Ensure Your E-Commerce Platform Is GDPR Compliant
While it should go without saying that major e-commerce platforms will have done their due diligence to ensure GDPR compliance, it remains the responsibility of the e-commerce business owner to confirm that this is the case. Platforms such as Shopify and Magento have written extensively about the steps they have taken to be GDPR-compliant.
Ensure Your Third-Party Vendors Are Compliant
Just as it is your responsibility to ensure your e-commerce platform is GDPR compliant, it is your duty as a data controller to make certain that any third-party vendors you use to process sensitive data at your behest are also compliant with the regulation. Examples applicable to e-commerce businesses include apps, email marketing platforms, and payment gateways. It is crucial to keep in mind that even customer IP addresses are considered PII under GDPR, let alone obvious data points like email addresses, telephone numbers, and physical addresses. Most reputable third-party vendors will have ensured their compliance and are very likely to have posted details of this on their websites. Examples include Drip for email marketing automation and Hubspot for inbound marketing. You may find that many of your third-party vendors have already sent you revised terms and conditions related to GDPR. If not, the onus is on you to request revised service agreements ensuring that any processing of customer data done on your behalf is GDPR-compliant.
Data Processing Agreements With Third-Party Vendors
The GDPR requires data controllers to have a binding written contract, or data processing agreement (DPA), with any third-party vendor that processes PII on their behalf. It is the duty of the data controller to ensure that any third-party processor warrants that they employ GDPR-compliant safeguards to protect PII. This requirement can be met either through an amendment to an existing written contract (or terms and conditions), or a separate DPA. For a closer look at the specifics of DPAs, UK legal firm BPE provides detailed guidance here.
Obtaining GDPR-Compliant Consent and Repermissioning
As noted in detail above in the SaaS section, no matter what your online business model, obtaining GDPR-consent from your customers is perhaps the most crucial step you can take to ensure your business adheres to both the spirit and the letter of the GDPR. To ensure you have GDPR-compliant consent, ask yourself the following questions:
- Was consent to process your customer’s PII given with a clear, affirmative action such as checking a box on your website?
- Do you have a verifiable record of when and how consent was given?
- Were any terms and conditions or privacy notices your customer agreed to written in an “easily accessible form, using clear and plain language?”
If, as is the case for many online businesses, the answer to any of the above questions is no, you do not have GDPR-compliant consent. Note that consent given through omission, such as not unchecking a pre-ticked box, is expressly forbidden under GDPR. Unfortunately, these requirements apply not only to new customers but to all of your existing data. If, like many other individuals, you received a deluge of emails in the lead-up to GDPR becoming enforceable on May 25th, you were the target of a “repermissioning campaign.” Many online businesses took the informed decision that the best way to comply with GDPR’s new standards for consent was to reach out to their existing customer base and obtain GDPR-compliant consent. Although the GDPR itself does not endorse this approach, it has emerged as a popular tactic for online businesses to protect themselves.
If you do make the decision to embark on a repermissioning campaign, be sure to sell your customers on the benefits of giving you consent to use their PII for email and behavioral marketing. As an e-commerce business owner, there are many incentives you can offer: personalized content, targeted special offers, discounts, etc. Also, take the opportunity to build trust by showing your customers that you take their privacy seriously.
Legitimate Interest
Legitimate interest is one of six legal grounds for processing PII under GDPR. Other than consent, it is the only one likely to apply to e-commerce businesses. Legitimate interest of a data controller may “exist, for example, where there is a relevant and appropriate relationship between the data subject and the controller in situations such as where the data subject is a client or in the service of the controller.” Furthermore, Recital 47 states that this legitimate interest “may provide a legal basis for processing” of PII. Note that legitimate interest only “may” constitute legal grounds for processing PII. As noted in detail above in the SaaS business section, the consensus among experts is that legitimate interest is no substitute for GDPR-compliant consent.
Create a GDPR-Compliant Privacy Policy
It is incumbent upon any controller of PII to create and display a privacy policy that details how any PII collected will be processed. According to the UK-based data protection consultancy ITGovernance, a privacy policy should address the following:
- Who is collecting the data?
- What data is being collected?
- What is the legal basis for processing the data?
- Will the data be shared with any third parties?
- How will the information be used?
- How long will the data be stored for?
- What rights does the data subject have?
- How can the data subject raise a complaint?
ITGovernance also offers a downloadable GDPR privacy notice template that you can customize for your business.
Optimize Your Transactional Emails
Unlike unsolicited marketing emails, many experts agree that transactional emails do not require additional consent from your customers, as they serve as notice that you are fulfilling a “contract” between yourself and the data subject, to which they have already consented by placing an order. To be on the safe side, you should offer recipients the option to opt out of transactional emails or any other email communications from your company. You should also take this opportunity to ask your customers for consent to send them marketing emails in addition to transactional ones.
We asked Edwards whether Recital 44 in the GDPR legislation constitutes grounds for sending transactional emails such as invoices and order confirmations:
Personal data can only be processed if you have a lawful basis to do so. One of the six available lawful bases is contract. So, you can lawfully process personal data to
- fulfill your contractual obligations to someone or
- when they have asked you to do something before you enter into a contract with them, such as sending them a purchase order or quotation
Recital 44 clarifies that using personal data to send transactional emails such as invoices and order confirmations would enable processing of personal data based on contract as a lawful basis. Recitals are guides to the main articles.
Segment Your E-Mail List
If your e-commerce business sends out email of many different types (for example, newsletters, product recommendations, special offers or discounts, notifications of new content such as podcasts or livestreams), you may want to consider giving your customers the option to opt in to receive only certain categories of email. Offering your customers control over what emails they receive from your business is very much in keeping with the spirit of the GDPR, and may encourage customers who would otherwise be reluctant to grant blanket consent for all marketing and transactional emails to opt in selectively.
Retain Only The Data You Need
E-commerce businesses that sell physical products must collect vast amounts of PII, such as physical addresses and phone numbers, out of necessity. It is worth keeping in mind, however, that the more PII your business retains, the bigger the potential liability in the event of a breach. Weigh the benefits of retaining the PII, for instance, of customers who haven’t made a purchase for a number of months, or even years, against the potential risks. Forcing a customer to register with your site again after a long absence is also a good way to ensure that you obtain GDPR-compliant consent for future communications.
Appoint A Data Protection Officer
While the requirement to appoint a Data Protection Officer (DPO) is contingent upon your e-commerce business processing PII on “a large-scale,” this is likely less of a grey area for e-commerce than for content-based businesses like blogs. The core functions of e-commerce require the large scale processing of PII.
As noted above in the SaaS business section, there is no obligation under the legislation for businesses to hire a new employee to act as DPO. This would be an unrealistic burden, especially for smaller businesses. An existing member of your team or a contracted third party can serve in the role of DPO.
Key responsibilities of the data protection officer include:
- Ensuring all PII is processed in accordance with the GDPR.
- Acting as liaison to the appropriate regulatory bodies (e.g., reporting of a data breach)
- Responding to GDPR-related queries and complaints from the public.
- Promotion of a “data protection culture” within the organization.
- Determining whether a Data Protection Impact Assessment (DPIA) is necessary.
While no official certification currently exists for DPOs, they are expected to be well versed in the requirements of the GDPR and other laws governing the safeguarding of sensitive data, the data processing operations of the business, and cybersecurity and privacy concerns.
One important thing to note is that although the DPO may be an employee who performs other duties for the business, they cannot be the person responsible for deciding the means and purposes for the processing of PII. This is designed to give the DPO sufficient independence to effectively ensure GDPR compliance with “no conflict of interest with possible other tasks and duties.” This requirement presents a definite challenge for owner-operated e-commerce businesses or those with small teams. In this event, outsourcing the role of DPO to a third-party is likely the best option.
Here is a helpful checklist for ensuring your e-commerce business complies with the DPO requirement.
Perform a Data Audit
Conducting a thorough PII data audit is one of the most important steps your e-commerce business can take to ensure GDPR compliance. Here are some of the key questions you should be asking:
- What PII does your business currently retain and process?
- Do you have GDPR-compliant consent from your customers as to what data you retain and how it is processed?
- Is the consent adequately documented?
- If consent is withdrawn, do you have a mechanism in place that allows you to expunge a data subject’s PII swiftly?
The Information Commissioner’s Office in the UK, the national body responsible for GDPR enforcement, has produced a series of checklists to help your business assess its data protection readiness.
Prepare for a Breach
If the recent past is any guide, for many businesses it’s not a matter of if a breach of customer data will occur, but a matter of when. It should go without saying that your e-commerce business needs to do its utmost to ensure a breach doesn’t happen, but it’s wise to have a plan in place in case it does. This checklist can help you be prepared in the event of a breach.
Implementing the GDPR’s Right to Be Forgotten and Right to Erasure
Article 17 of the GDPR gives EU citizens the right to be forgotten, also known as the right to erasure. This means just what it sounds like. Upon verbal, written, or electronic request, all PII from an individual data subject must be erased. It is your responsibility as a data controller to ensure a request to be forgotten is executed “without undue delay and within one month of receipt.”
The GDPR only allows you to deny an individual’s right to be forgotten under stringent conditions that will not apply to most e-commerce businesses. Fortunately, depending on which e-commerce platform you use, there are apps and extensions available to help you comply with Article 17 and other aspects of the GDPR. Here are two examples, one for Magento and one for Shopify.
For a high-level actionable checklist of steps you can take to make your e-commerce business GDPR-compliant, please click here.
Final Thoughts
While there is little doubt that the road to GDPR compliance can seem an arduous one, in the long run, it should prove beneficial to both businesses and their customers. Forcing commercial enterprises to be fully transparent with how a data subject’s sensitive personal information is being used and giving EU citizens the right to control how it is processed should help build trust between the public and online businesses.
It is crucial to remember that any business, regardless of where it is based, which collects or processes any PII from EU citizens—including an email or IP address—needs to be GDPR compliant.
While we have outlined many of the critical aspects involved in ensuring your online business is GDPR compliant, the GDPR is an incredibly complex piece of legislation, and the penalties for violating it are severe. Not only that, understanding the full ramifications of the regulation is an ever-evolving process and will continue to be, even for the experts. If you have questions or concerns about whether your business is GDPR compliant, it’s always best to seek the advice of a qualified attorney.
2020 Update
The new powers given to national data protection authorities by the GDPR have proved effective so far, but there is still work to be done in 2020. By June 2019, 516 cross-border cases had been managed by the European Data Protection Board, and in 2020 the Commission will conduct a review of the progress over the two years since the regulation’s implementation.
It is also worth noting that California brought in its own data privacy law in 2018, which comes into effect in early 2020. The CCPA (California Consumer Privacy Act) will allow all consumers to view any data that a firm has saved on them, and information on any third parties this information has been shared with. This could radically change the ways that California-based companies go about collecting and storing consumer data. Consumers will be able to sue businesses that have mishandled their data.