The entry into force of the European Union General Data Protection Regulation (the “GDPR”) is almost here. This means that within the next year, every online business, regardless of whether it owns a website, an e-commerce shop, a mobile application or some other form of electronic business will have to make its processes in conformity with the new European personal data protection rules.
The upcoming GDPR imposes a wide range of obligations on businesses that process personal data, both amended and entirely new ones.
Before getting into the essence of the obligations of website and mobile application owners, one has to note that from May 2018, every business, regardless of whether it is based in the EU or not, will have to comply with the 99 Articles of the new GDPR if it holds or processes the personal data of even one European citizen.
This means that the EU General Data Protection Regulation will apply to you even if you are a US, Singaporean, Israeli or Australian business.
NEW GENERAL PERSONAL DATA PROTECTION OBLIGATIONS
Almost every website has a contact form. If you own such a website, this means that you process personal data (name, e-mail, etc. that is input through that contact form) and that you are a controller within the meaning of the GDPR.
A data controller must be able to demonstrate that the processing it performs or has been performing is compliant with the GDPR. This means that if your business is subject to an audit, you need to prove that your processing is in line with the new rules (principle of accountability). To do that, every business needs to implement a code of conduct or another kind of certification mechanism.
Other important obligations of controllers are the “privacy by design” and “privacy by default” concepts. What “privacy by design” requires is that the purposes, means and aims of the processing are established and outlined before the processing begins (in the planning phase of processing activities).
In addition, “privacy by default” requires that controllers implement “appropriate technical and organizational measures” in order to guarantee that, by default, only personal data which is necessary for a specific purpose is processed. In other words, data collected and processed should not be excessive and should not be stored for longer than is necessary for the given purposes.
Companies established outside the EU to which the GDPR applies will also have the obligation, as controllers, to appoint a representative established within the EU.
Controllers will also have to keep a detailed record of their data processing operations. These records must be made available to the supervisory Data Protection Authorities (DPAs) upon request.
Online businesses will also have to appoint a data protection officer (DPO) if their data processing involves “regular and systematic monitoring of data subjects on a large scale” or where the business conducts large-scale processing of “special categories of personal data”.
If you are not sure whether this applies to you, we will be happy to advise you on the need to appoint a DPO for your business.
NEW SPECIFIC OBLIGATIONS
As already mentioned, every business needs to set up appropriate technical and organizational measures in order to secure the personal data of its clients, users and customers. This may include different types of pseudonymisation or data encryption.
Another duty imposed on controllers is the “personal data breach” notification obligation. Businesses need to send a notification to the “competent” supervisory authority in case of a security breach (meaning a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed). Notice must be provided “without undue delay and, where feasible, not later than 72 hours after having become aware of it.”
There are also a number of obligations related to “high risk” data processing. Those will not be examined in depth here, as online businesses are rarely involved in such types of data processing. We are nevertheless prepared to advise you on whether your processing activities include such kinds of data.
PENALTIES AND FINES
As previously discussed, non-compliance with the GDPR may be disastrous. Fines for a business can reach €20,000,000 or 4 % of the annual worldwide turnover for the preceding financial year of the entire undertaking (including parent and related companies).
Because of that, online businesses need to treat bringing their operations in line with the GDPR as an important project and not leave it for the last moment, as it will call for considerable effort.
HOW TO COMPLY WITH THE GDPR
The first step towards GDPR compliance is determining whether you deal with the data of EU citizens.
If your online platform, whether it is a website, mobile app or desktop application, collects the personal information of even a single EU citizen, you need to comply with the General Data Protection Regulation.
The most notable step towards GDPR compliance is having a proper Privacy Policy. You can use our online Privacy Policy Generator to obtain a GDPR compliant Privacy Policy in less than 5 minutes.
Once you have obtained a GDPR compliant Privacy Policy, you need to make sure that your users properly give their consent to it. You need to use the clickwrap method, which essentially means that users must tick a box that is not pre-ticked to confirm that they consent to your Privacy Policy. Users basically need to click on an “I Agree” button.
Have a look at Facebook’s home page, and how they have done it.
And here is an example of a GDPR compliant mobile app. Netflix summarizes it perfectly.
Furthermore, you need to make sure that you have a Data Protection Officer, that is, the person within your organisation responsible for GDPR and data protection compliance. The DPO will be responsible for enacting measures and policies ensuring your compliance with the General Data Protection Regulation.
Lege Nova is prepared to help you during the entire process of bringing your business into compliance with the new personal data protection obligations. This will include everything – from drafting an EU GDPR compliant Privacy Policy, through implementing codes of conduct or certification mechanisms, to advising and educating you on how to conform with the GDPR and avoid disputes, fines and penalties.