Data Protection: What is the GDPR and how does it affect my online business?
The EU General Data Protection Regulation (GDPR) is the new legal framework governing the use of personal data across all EU markets. After four years of preparation and debate the GDPR was approved by the EU Parliament on 14 April 2016.
All businesses, large and small, will have an obligation to ensure they are compliant with this new law when it comes into effect on May 25th 2018.
The GDPR replaces current national data protection laws and the existing EU data protection framework. The law is designed to give consumers more control of their personal information and applies across all EU states. The GDPR introduces increased sanctions whereby organizations can be fined up to €20m or 4% of annual turnover (whichever is greater) if they breach the law.
The GDPR replaces the Data Protection Directive 95/46/EC and was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens’ data privacy, and to reshape the way organizations across the region approach data privacy.
Data Protection – Personal Data
Consumers’ personal data is at the core of the GDPR, and the GDPR broadens the classification of personal data beyond existing definitions. This means data that is not currently considered personal data, including but not limited to cookie IDs, customer numbers, IP addresses and device IDs, may now be classified as such under the GDPR.
The conditions for consent have been strengthened, and companies will no longer be able to use long illegible terms and conditions full of legalese, as the request for consent must be given in an intelligible and easily accessible form, with the purpose for data processing attached to that consent. Consent must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language. It must be as easy to withdraw consent as it is to give it.
GDPR key changes which will impact online businesses.
Legal Basis for Processing Personal Data.
Under the GDPR, businesses require a legal basis to process personal data. There are six legal bases available under Article 6(1). At least one of these conditions must be met for the processing of personal data to be lawful. They are:
“(a) the data subject has given consent to the processing of their personal data for one or more specific purposes;
(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
(c) processing is necessary for compliance with a legal obligation to which the controller is subject;
(d) processing is necessary in order to protect the vital interests of the data subject;
(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
(f) processing is necessary for the purposes of the legitimate interests pursued by a controller, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. This shall not apply to processing carried out by public authorities in the performance of their tasks.
These conditions are all equally valid and businesses should assess which of these grounds are most appropriate for different processing activities and then fulfill any further requirements the GDPR sets out for these conditions (GDPR Article 5).”
‘Legitimate Interest’ (f) is distinct from ‘Consent’ (a). A useful definition of legitimate interest can be read on the Information Commissioner’s Office (ICO) website, where it is stated: “It is likely to be most appropriate where you use people’s data in ways they would reasonably expect and which have a minimal privacy impact, or where there is a compelling justification for the processing”.
This means that if your business states that personal data is collected on the basis of a ‘legitimate interest’, then you should be confident that you can demonstrate this legally.
Regarding consent, the Information Commissioner’s Office (https://ico.org.uk/) states: “Consent means offering individuals real choice and control. Genuine consent should put individuals in charge, build customer trust and engagement, and enhance your reputation”.
“Contract”, as in (b) above, is also a legal basis for the collection of personal data. Here a specific contract would need to be in place between your business and your customers which allows for the collection and processing of the customer’s personal data.
The ePrivacy Directive.
Under the existing ePrivacy Directive, consent is necessary for “cookies and similar technologies”. The ePrivacy Directive remains in place regardless of which legal basis is used for processing personal data under the GDPR. Because the GDPR only considers consent sufficient if it is “unambiguous”, this means that unambiguous consent is required for the use of many cookies.
This means you should review the cookie consent mechanisms on your site. There are a variety of options and tools available online, and we advise that any solution be assessed to ensure it can be implemented in a way that complies with the regulations.
Next Steps for Online Sites.
• Assess how the GDPR impacts your business and update your site where necessary to comply with the new rules. This includes privacy policies, cookie notices and consent capturing.
• Make sure there is adequate transparency of how and what data you are collecting or processing on your site.
• Decide the most appropriate legal basis for collecting and processing personal data from site visitors and customers.
• NOTE: You should seek your own legal advice. This post should not be read as legal advice.
The GDPR will impact your online business, but these impacts can be mitigated with demonstrable understanding, effort and measures to comply with the rules. Whilst the new law does not take effect until the 25th May 2018, it is important that you understand your obligations as a business and make any necessary amendments to be compliant.
Zazsi Media is a digital media agency offering our clients a full scale consultancy and a range of professional services to grow their online business. Web Design & Development, E-Commerce, Mobile Apps, Online Marketing, PPC, SEO, Social Media Marketing, Inbound Sales Tools, Lead Generation, Affiliate Marketing, Video & Animation and more.