The General Data Protection Regulation (GDPR) has substantially transformed the way online businesses collect, store, and use customer data. GDPR became applicable on 25 May 2018 (it entered into force in May 2016, with a two-year transition period), with the aim of protecting the data security and privacy rights of individuals in the European Union member states, regardless of their nationality.
Does GDPR impact your business?
The GDPR applies to you if you offer products or services to individuals in the EU, or monitor their behaviour (for example through analytics or tracking cookies), regardless of whether your business is physically located in the EU or not. Even if you do not deliberately target European markets, you are likely to have EU visitors on your website, and if you track or profile them the regulation applies to that processing. So an online business should plan on complying with the GDPR requirements.
You have to adhere to the GDPR, no matter whether you are:
- A data controller — who determines the purpose and means of personal data processing or,
- A data processor — who processes personal data on behalf of the data controller.
The cost of GDPR non-compliance
The serious violators of the GDPR could be fined up to €20 million or 4% of your organization’s annual global turnover of the previous financial year. And any less severe violations may cost up to €10 million or 2% of your annual revenue.
Your data collection and GDPR compliance must go hand-in-hand!
Here’re the most important reasons why you should rethink your data collection practices and become GDPR-compliant.
- To enhance the prestige of your business by staying ahead of the competition.
- To safeguard your customers’ personal information from hackers and cyber thieves.
- To streamline the data-gathering process and thus save costs.
- To avoid hefty fines for breaching the regulation.
The ultimate aim of the GDPR is to give individuals in the EU more security and control over their personal data. So before collecting any kind of personal data from an individual, make sure you allow them to make an informed decision about sharing their data with your organization.
The 7 principles of personal data protection under GDPR
The 7 basic principles for the protection of personal data can be summarized as follows. Make sure you comply with these regulations when you process the personal data of your customers.
1. Lawfulness, fairness, and transparency — Personal data must be processed lawfully, fairly and transparently. Lawfulness means identifying, and documenting, one of the lawful bases in Art. 6 GDPR (consent, contract, legal obligation, vital interests, public task, or legitimate interests) for every processing activity before you start it.
Fairness implies that you must handle your consumers’ personal data in a sensible manner, satisfying their reasonable expectations about how their data will be processed.
You should maintain transparency in data processing by informing your customers about the details like what type of data is gathered, the reason for collecting it etc. Make sure you don’t hide any of your data collection practices from them.
2. Purpose limitation — Data must be collected only for specified, explicit and legitimate purposes, and must not be further processed in a way that is incompatible with those purposes.
3. Data minimization — Gather only the data that is adequate, relevant and necessary for the stated purpose.
4. Accuracy — The personal data collected must be accurate and kept up to date, and the data subject (the person whose data is being collected) must be able to have incorrect or incomplete data rectified or erased without delay.
5. Storage limitation — Data must not be kept in a form that identifies individuals for longer than is necessary for the purpose. Define retention periods, and delete or anonymize data securely once it is no longer needed.
6. Integrity and confidentiality — Personal data must be processed with appropriate technical and organizational security measures, protecting it against unauthorized or unlawful processing and against accidental loss, destruction or damage.
7. Accountability — The data controller shall be responsible for complying with the GDPR and must be able to demonstrate its compliance with the GDPR legislation.
Under the GDPR, the collection, processing, and storage of the personal data of individuals in the EU must rest on one of the lawful bases in Art. 6. Consent obtained from the data subject is the most visible of these, but it is not the only one: performance of a contract, a legal obligation, or the controller's legitimate interests can also justify processing, and a controller should not ask for consent where another basis already applies, since consent can be withdrawn at any time. Whatever the basis, the data controller must maintain transparency throughout the entire data collection lifecycle.
How should you be collecting data to comply with the GDPR?
1. Inform the data subjects
At the point of collection, tell individuals at least the following (Art. 13 GDPR):
- The objective for data collection.
- The types of data gathered.
- With whom the data will be shared.
- How long the data will be retained.
- Contact information.
2. Be transparent
Make sure data subjects thoroughly understand your data collection practices. Never withhold information about how their data is used.
3. Obtain explicit consent
If you rely on consent to collect user data for a specific purpose, you must obtain it beforehand. The request for consent must be straightforward and easy to understand, and separate from other terms and conditions. Tell data subjects what information you need and why you want it, and ask for a separate consent for each distinct purpose. Consent is only valid if given by a clear affirmative action.
When you create consent requests, you shouldn’t be using pre-checked boxes, as they do not constitute valid consent under the GDPR. Always provide data subjects with the freedom to decide whether or not they want to give consent.
4. Collect only relevant data
As an online entrepreneur or a digital marketer, you’d probably know what type of data is important for your business/marketing. So you must gather only the required data from your customers.
If a customer's surname, race, age, or gender has nothing to do with your business, do not ask for it. Collecting irrelevant data, or obtaining data for an unspecified purpose, breaches the purpose-limitation and data-minimization principles of the GDPR.
Under Art. 9 GDPR, processing of the “special categories of data” that reveal particularly sensitive aspects of an individual is prohibited unless one of the exemptions in Art. 9(2) applies, the most common for an online business being the explicit consent of the data subject, although others exist (for example, processing required by employment law, or data the subject has manifestly made public).
The “special categories of data” are personal data revealing or consisting of any of the following:
- Racial or ethnic origin;
- Political opinions;
- Religious or philosophical beliefs;
- Trade union membership;
- Genetic data;
- Biometric data processed for the purpose of uniquely identifying a natural person;
- Data concerning health;
- Sex life or sexual orientation.
5. Right of access by the data subject (Art. 15 GDPR)
Under the GDPR, data subjects have the right to obtain confirmation of whether their personal data is being processed and, if so, to receive a copy of that data together with the purposes of the processing, the categories of data concerned, the recipients (or categories of recipients) it is shared with, the retention period, and the source of the data where it was not collected from them directly.
6. Right to rectification (Art. 16 GDPR)
You are obliged to rectify inaccurate or incomplete personal data of individuals without undue delay upon their request.
7. Right to erasure/Right to be forgotten (Art. 17 GDPR)
Data subjects may withdraw consent at any time (Art. 7(3)), and withdrawing must be as easy as giving it. They may also request erasure of their data, for example where it is no longer necessary for the purpose, where they withdraw consent and no other lawful basis applies, or where it was processed unlawfully. You must then erase the data without undue delay and, if you have made it public or passed it to other controllers, take reasonable steps to inform them of the erasure request. Note that the right is not absolute: Art. 17(3) lists exceptions, such as data you must retain to comply with a legal obligation.
8. Right to restriction of processing (Art. 18 GDPR)
Data subjects may require you to restrict (pause) the processing of their personal data in specific situations: while the accuracy of the data is being contested, where the processing is unlawful but they prefer restriction to erasure, where you no longer need the data but they need it for legal claims, or while an objection to processing is pending. During restriction you may store the data but not otherwise process it without their consent.
9. Notification obligation regarding rectification or erasure of personal data or restriction of processing (Art. 19 GDPR)
You are required to communicate any rectification (Article 16), erasure (Article 17), or restriction of processing (Article 18) to each recipient to whom the personal data has been disclosed, unless this proves impossible or involves disproportionate effort, and to tell the data subject who those recipients are if they ask.
10. Right to data portability (Art. 20 GDPR)
Where processing is based on consent or on a contract and is carried out by automated means, an individual has the right to receive the personal data they have provided to a data controller in a structured, commonly used, and machine-readable format (for example JSON or CSV), and to transmit that data to another controller (organization). Where technically feasible, they can also ask you to send it directly to the other controller.
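The consent, withdrawal and portability requirements described in points 3, 7 and 10 above translate into a small set of checks a controller's application has to enforce. The following is an added illustration, not code from the original article: an in-memory consent ledger that refuses consent which is not a clear affirmative act for a named purpose (so a pre-ticked box is rejected), keeps a timestamped record of what was agreed and under which notice version for accountability, lets the subject withdraw or be erased, and exports their data as JSON. The class and function names, the notice-version scheme and the sample data are all assumptions made for the example.

```python
"""Consent ledger illustrating GDPR consent, withdrawal, erasure and export.

Added example; not from the original article.  Everything here (names,
notice versions, sample data) is assumed for illustration.  A real deployment
would persist the records and restrict who can read them.
"""
from __future__ import annotations

import json
from dataclasses import asdict, dataclass, field
from datetime import datetime, timezone
from typing import Optional


class ConsentError(ValueError):
    """Raised when a consent request would not be valid consent."""


@dataclass
class ConsentRecord:
    purpose: str                     # the specific purpose agreed to
    notice_version: str              # privacy notice shown at the time (accountability)
    granted_at: str                  # ISO-8601 UTC timestamp
    withdrawn_at: Optional[str] = None


@dataclass
class SubjectRecord:
    subject_id: str
    personal_data: dict = field(default_factory=dict)
    consents: dict = field(default_factory=dict)   # purpose -> ConsentRecord


def validate_consent_request(purpose: str, box_ticked: bool,
                             box_pre_ticked: bool) -> Optional[str]:
    """Return None if the request can count as consent, else the reason it cannot."""
    if not purpose.strip():
        return "consent must name a specific purpose"
    if box_pre_ticked:
        return "a pre-ticked box is not a clear affirmative action"
    if not box_ticked:
        return "the data subject took no affirmative action"
    return None


def _iso(now: Optional[datetime]) -> str:
    return (now or datetime.now(timezone.utc)).isoformat()


class ConsentLedger:
    """Stores personal data together with the consent authorising each purpose."""

    def __init__(self) -> None:
        self._subjects: dict = {}

    def _get(self, subject_id: str) -> SubjectRecord:
        if subject_id not in self._subjects:
            raise KeyError(f"unknown data subject: {subject_id}")
        return self._subjects[subject_id]

    def register(self, subject_id: str, personal_data: dict) -> None:
        self._subjects[subject_id] = SubjectRecord(subject_id, dict(personal_data))

    def record_consent(self, subject_id: str, purpose: str, notice_version: str,
                       box_ticked: bool, box_pre_ticked: bool = False,
                       now: Optional[datetime] = None) -> ConsentRecord:
        # Reject anything that is not a purpose-specific, affirmative opt-in.
        reason = validate_consent_request(purpose, box_ticked, box_pre_ticked)
        if reason is not None:
            raise ConsentError(reason)
        subject = self._get(subject_id)
        record = ConsentRecord(purpose, notice_version, _iso(now))
        subject.consents[purpose] = record
        return record

    def has_consent(self, subject_id: str, purpose: str) -> bool:
        """True only while an un-withdrawn consent exists for this exact purpose."""
        record = self._get(subject_id).consents.get(purpose)
        return record is not None and record.withdrawn_at is None

    def withdraw(self, subject_id: str, purpose: str,
                 now: Optional[datetime] = None) -> None:
        """Withdrawal keeps the record (with a timestamp) so compliance can be shown."""
        record = self._get(subject_id).consents.get(purpose)
        if record is None:
            raise KeyError(f"no consent on file for purpose {purpose!r}")
        record.withdrawn_at = _iso(now)

    def erase(self, subject_id: str) -> list:
        """Drop the subject entirely; return the purposes that were still active
        so downstream processors can be told to stop."""
        subject = self._subjects.pop(subject_id)
        return sorted(p for p, c in subject.consents.items() if c.withdrawn_at is None)

    def export(self, subject_id: str) -> str:
        """Structured, machine-readable copy of everything held on the subject."""
        subject = self._get(subject_id)
        payload = {
            "subject_id": subject.subject_id,
            "personal_data": subject.personal_data,
            "consents": [asdict(c) for c in subject.consents.values()],
        }
        return json.dumps(payload, indent=2, sort_keys=True)


if __name__ == "__main__":
    ledger = ConsentLedger()
    ledger.register("u-1001", {"email": "alice@example.test"})  # constructed sample
    ledger.record_consent("u-1001", "newsletter", "notice-v3", box_ticked=True)
    print(ledger.export("u-1001"))
```

Two design points are worth noting. `has_consent` is keyed on the exact purpose, so consent to a newsletter never silently authorises profiling or sharing with partners; each of those needs its own affirmative opt-in. And `withdraw` does not delete the consent record, because the accountability principle means you must be able to show later that consent existed, when it was given, and when it ended; only `erase` removes the subject's data, and it returns the purposes that were still live so that any processor acting on them can be told to stop.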
11. Automated individual decision-making, including profiling (Art. 22 GDPR)
Data subjects have the right not to be subject to a decision based solely on automated processing, including profiling, that produces legal effects concerning them or similarly significantly affects them (for example, automatic refusal of an online credit application). Exceptions exist where the decision is necessary for a contract, authorized by law, or based on the subject's explicit consent, and even then the subject must be able to obtain human intervention and contest the decision.
12. Transfers of personal data outside the European Economic Area
The GDPR restricts transfers of personal data to countries outside the European Economic Area (EEA). A transfer to a third country is permitted only where the European Commission has found that the country provides an adequate level of protection, where appropriate safeguards such as standard contractual clauses or binding corporate rules are in place, or where one of the specific derogations in Art. 49 applies. In practice this means checking where your hosting providers, analytics services and marketing tools actually store and process data.
13. Notify personal data breaches
If a personal data breach occurs, you must report it to your supervisory authority (in the UK, the Information Commissioner's Office (ICO); in other EU member states, the national data protection authority) within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals. Where the breach is likely to result in a high risk to individuals, you must also inform the affected data subjects without undue delay. Keep an internal record of every breach, including those you decide not to report.
14. Assign a Data Protection Officer if required
Not all organizations are required to have a Data Protection Officer (DPO). However, if you are a public authority, or your core activities involve large-scale regular and systematic monitoring of individuals (for example behavioural tracking for marketing) or large-scale processing of special categories of data, you must appoint a DPO, who will oversee your data collection practices, advise on your obligations, and make sure your organization operates in compliance with the GDPR.
Do you think the GDPR impedes your business operations? I'd say you're mistaken. In fact, the GDPR offers an opportunity. To comply with it you will need to review your data collection practices, from your data collection forms and cookie banners to your newsletters, so that they respect the data protection rights of individuals.
By keeping your data collection practices within the law, you show your customers that you value their data and are working to keep it secure against potential breaches. Over time, that is how the GDPR helps you earn customer trust and long-term loyalty.
This article is intended to be used for informational purposes only and does not constitute any form of legal advice. You shall seek a subject matter expert or your own attorney for any legal advice on how to change your data collection practices to become fully GDPR-compliant.