Are you a business owner worried about GDPR?
Are you overwhelmed trying to figure out how to make your business compliant?
Have you spent lots of your precious time trying to set up your website legal pages, diligently researching the free privacy policy generators? Only to realise that you don't know for sure what's still missing to fully protect your business against GDPR fines and third parties' liability?
If your brain hurts like most entrepreneurs struggling to figure out what the heck this is all about, you are not alone.
Your worries are not all in vain because this recent GDPR legislation is a game-changer that affects almost every one of us. If not handled properly, it has very serious consequences.
What’s This New Nightmare All About?
I’m sure you’ve heard of this new four-letter word law called (“GDPR”) popping up all over the internet. This law entered into force on the 25th of May 2018 and is in full swing now.
GDPR applies to all businesses that deal with personal data involving citizens of the European Union (EU). If your online business collects personal information from EU citizens, then GDPR is most probably applicable to you, even if you and your business are both based outside the EU.
It’s a big deal for us corporate lawyers to witness the General Data Protection Regulation (“GDPR”) going into effect and I'm here to help you get your GDPR compliance sorted out.
We, at E-Corporate Lawyers ("ECL"), started taking GDPR seriously early on because it was an issue that worried most of our clients.
We ourselves also had to comply by adjusting our privacy and cookie policies, terms of service, disclaimers, landing pages, pop-ups, newsletters, freebies and email lists to the new regulations.
Since there aren't a lot of easy, understandable, and actionable legal resources freely available, I thought it may be helpful to document what I did and offer you some free bitesize information, guidance, and education on GDPR.
This will save you the effort of digging into the 261-page GDPR law yourself, which trust me, was a nightmare even for us corporate lawyers.
Since privacy is taken so seriously in this law, fines and sanctions are very severe (up to 20 Million Euros or 4% of annual turnover in major big data cases).
The tips I present here are meant for small businesses owners. For this reason, I’m not stressing on the severity of GDPR fines because these large figures wouldn’t be applicable to you and there is no reason for you to panic.
Just be sensible about it by taking timely steps necessary to comply with the GDPR regulations and by following these simple tips offered to you here for free.
That being said, I have to point out that this article will not be exhaustive, so don’t just solely count on me, because I can’t cover the wide reach of cases and countries that this law touches in one blog post.
You need to do your research and review your local laws or even seek professional legal advice from a privacy lawyer or GDPR specialist licensed in your state, country or jurisdiction. Alternatively, you can purchase the done for your “Website Legal Pages” at a discounted rate to save you time & money (see links below).
The important thing is, though, not to worry too much about GDPR - what you should do is to take positive action towards knowing your clients, maintaining your email list hygiene, being transparent, and respecting your stakeholders’ privacy and personal data being purposeful, mastering your craft, and doing business with integrity.
Regulators are not out there to get you, neither do they intend to run after every single freelancer, coach, entrepreneur, consultant, or small business owner to check their cookies and freebies.
This law is meant to ensure the transparency of big data processing companies that use our personal, or in some cases sensitive data, in ways we know nothing about for their marketing and other activities.
The GDPR law is meant to protect EU citizens from such companies exploiting their privacy and personal data without their prior approval or knowledge.
You can best benefit from the GDPR by thinking about it as an ongoing project, challenge, an opportunity to improve the quality of your contact or email lists, their regular maintenance, and to know your clients better.
This will, in turn, improve the quality of your work, performance, competitiveness, email deliverability rates, conversion, traction, sales, and overall profitability.
This blog post is a good place to start to understand how GDPR works. I will be posting more detailed information soon, so stay tuned for my upcoming blog and updated GDPR posts!
Having a cybersecurity insurance covering GDPR is recommended in all cases. Appointing a data representative in the EU is also good practice if you have clients in the EU Region.
My advice is that you shouldn't pay more than a couple of hundred dollars on sorting out your GDPR compliance. Don’t overspend on lawyers, IT professionals or EU representatives either. It’s a simple process that you can figure out and do yourself in most cases.
1. Why Is GDPR Important? Are there Risks & Fines?
GDPR gives EU citizens control over the privacy of their data and revolutionises how the data is processed and shared by large organizations across the world.
Breaching GDPR exposes you to large fines up to 4% of a company’s annual global revenue or €20 million (whichever is greater). There are serious legal, financial, operational, and reputational risks involved.
Sanctions are progressive. They start with a warning, to a reprimand, and a suspension of data processing, then the large fines.
2. Who On Earth Are Data Subjects? And What Should You Do About Them?
Data Subjects: means EU citizens or natural persons residing in the EU.
2-1 When the GDPR mentions data subjects, it means any EU citizens whose data you are dealing with. This applies to everybody you may deal with including your clients, vendors, affiliates, partners, employees, suppliers, contractors, subcontractors, and people on your email lists.
2-2 Make sure you take the consent of people whose data you deal with and that they know exactly how you will use their information. Then only use this data (their prior written approval) for the purposes you took consent for.
Let’s say someone signed up for your freebie. Send them your freebie only, and don’t put them on your email marketing list to send them other promotion on your activities or try to sell them your latest book, coaching, or online course. You need to have a separate consent to do that.
2-3 Design a data map for your business. A data map keeps track of the data you collected, what kind of data you have, where it comes from, for what purpose you collect it, when and for how long you will keep it, where you save it, with whom you share it, how you secure it and where you save the documents and files that relate to it.
You’ll find a template for how to make your own data map in the resources list below.
2-4 It’s good practice to keep those records for 7 to 10 years depending on the tax and data protection laws of your country. You should identify in your records on which basis you got the data (law, contract, consent, etc.)
2-5 Your data subjects have the right to know what data you have that relates to them, they should have the ability to be forgotten, to correct their data or update it, to be completely deleted from your system, or just unsubscribe from your lists, products or services if they so wish.
Make sure that you have a system to automatically deal with these situations in a timely and efficient way.
3. How DO You Lawfully Process Data of EU Subjects?
Small businesses can lawfully process EU Data Subjects based on these main principles:
3.1 Written Consent:
Data subjects have to consent to the processing of their personal data. Consent must be freely given, specific, informed and unambiguous. It must be given voluntarily, which implies a real choice by the data subject or person.
3.2 Legitimate Interests:
Businesses can process personal data of EU data subjects when it's necessary for the legitimate interests pursued by the controller or by a third party within the limits of the law.
3.3 Contract Fulfillment & Legal Obligations:
Businesses can process personal data of EU data subjects when processing is necessary for the performance of a contract or when it's necessary for performing legal obligations.
4. What’s The Difference Between Personal and Sensitive Data?
4.1 Personal Data: means any information relating to an identified or identifiable natural person (‘data subject’). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
4.2 Sensitive Data: means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.
5. Who are Data Controllers and Processors?
5.1 Data Controller: means the natural or legal person, public authority, agency or other body which alone or jointly with others, determines the purposes and means of the processing of personal data.
5.2 Data Processor: means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
6. Where's the Territorial Scope of GDPR?
6.1 Controllers and processors established within the EU.
6.2 Controller or processor not established in the Union but processing of personal data of residents in the EU, where the processing activities are related to:
- 6.2.1 Offering goods or services (paid or free) to EU data subjects.
- 6.2.2 Monitoring of their behaviour as far as their behaviour takes place within the EU.
7. What are the Data Collection Principals?
Article 5 of the GDPR requires these main principles for personal data collection:
7.1 Lawfully, Fairly & Transparently:
This principle requires that personal data must be processed lawfully, fairly and in a transparent manner in relation to individuals.
7.2 Purpose Limitation:
Personal data should be collected for specified, explicit and legitimate purposes such as: public interest, scientific or historical research or statistical purposes.
7.3 Data Minimisation, Accuracy & Storage Limitation:
Personal data must be relevant, kept adequately, and limited to what is necessary in relation to the purposes for which it is processed and, where necessary, kept up to date.
7.4 Integrity & Confidentiality:
Personal data must be processed with appropriate security, which includes protection against unauthorised or unlawful processing and against accidental loss, destruction or damage.
7.5 Controler Accountability:
The personal data controller is responsible and must comply with all GDPR requirements.
8. What’s Data Processing?
Data Processing: means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
9. Warning! Don’t Fool Around With Data Carelessly
GDPR applies to you if you’re processing (dealing with) data of EU citizens. This includes storing names, emails, cookies or IP addresses, either at rest (in files on your computer, database, cloud server, on a list of your email provider, etc.) or on the move (meaning sending it by courier, fax or email, for example).
Here’s what you should consider:
9-1 Have a Privacy Policy on your website including the GDPR required wording that clearly explains your policy on how you use data and secure it. The privacy policy should include whether you transfer data to third parties or other countries outside the EU. Create Terms of Use that are GDPR compliant in a snap using this template.
9-2 Take prior Written Consent of the concerned people whose data you’re dealing with:. It’s good practice to have separate consents for each purpose of use. Do not combine consents or use already checked boxes. Keep a file for those consents.
9-3 Data Minimization. Acquire data only when it is necessary. Give access only to people who are required to have this specific information. Don’t take excess data than needed to perform your job. And don’t keep the data on your system for longer than required.
9-4 Secure data and especially sensitive data. Sensitive data is more important data about a person such as financial, religious, and political information etc. It’s good practice to use encryption, pseudonyms, project codes, passwords, vaults, authentication or other security tools reasonable to your situation.
10. Hedge Legal Risk By Raising Awareness
10-1 It’s good practice to raise your employees’ awareness about privacy & data protection: The issue affects more than just businesses.
Hacking has become a major concern for all businesses, so make sure you and your employees are well educated about cybersecurity and privacy issues.
It’s recommended to know how to deal with these issues, how to react in a timely and positive way if necessary, whom to report to in case your data is compromised, and what to do about it in a proactive way that doesn’t negatively affect your reputation, finances, or entire business.
10-2 It’s good practice to use data protection self-assessment tools, templates & checklists to make sure you’re in good standing. Attending conferences, awareness raising events, and workshops would also keep you updated on the latest developments.
Check these EU guidelines on self-assessment to know more.
11. How To Practically Comply With GDPR?
There are 3 ways of doing this:
Option 1: You can do the research and write up the legal pages for your website yourself (cheapest route - no financial cost to you, but takes quite some time and effort);
Option 2: You can use an online template (preferably not a free generator because those will probably not be specific enough). Here’s an example of a website legal pages bestseller you can use (coupon code: 20offnow) for a discount.
Option 3: Hire a lawyer to set up your website legal pages. (Most expensive route - I could set up your legal pages for you, if you like. Book An Appointment Now.)
For Option 1, you’d need to review the GDPR, your local Data Protection Laws, authorities published best practices to know what wording or legal requirements are necessary to include in each of the following legally required sections on your website:
These are the 4 legal pages all websites need to comply with GDPR:
11.1 Terms of Use
The Terms of Use is the agreement between you and your website audience, readers, and clients. It sets out what your rights and obligations are vis a vis such audience, the terms and conditions of consuming your content or buying your products and services.
Create Terms of Use that are GDPR compliant in a snap using this template.
11.2 Privacy Policy
Your privacy policy tells the people who visit your site, consume your content or buy your product or services how you collect their information. Including how you use it, secure it, save it, share it, or transfer it.
11.3 Cookies
Cookies are files stored on your computer that tells your browser your preferences and your behaviour on websites. Cookies can also be used for marketing and advertising. There are session, persistent, necessary, functional, and performance cookies. Each of which does a slightly different job. Cookies are used by most websites.
11.4 Disclaimer
Your website Disclaimer limits your liability to lawsuits and fines. It tells your audience, visitors and clients what you don’t assume liability for and how you limit your responsibility.
Bonus 1 reveals the crucial visitor rights policy to instantly protect your business against GDPR fines, regardless of where you're based...
Bonus 9 reveals veteran trial lawyers' unique insights into using mandatory arbitration to limit your risk of legal liability & costly lawsuits...
Apply these bonuses to your website to avoid the recent legal loopholes as per the latest federal & state court judgements...
12. Who's A REP Vs DPO?
12.1 REP Is A Representative:
A natural or legal person established in the European Union who, designated by the controller or processor in writing pursuant to Article 27, represents the controller or processor with regards to their respective obligations under this Regulation.
12.2 Data Protection Officer (“DPO”):
Data Controller and Processor who shall appoint a DPO if:
- 12.2.1 They perform regular and systematic monitoring of data subjects on a large scale.
- 12.2.2 The core activities consist of processing on a large scale of special categories of data.
- 12.2.3 The data protection officer may be a staff member, or a third party who fulfils the tasks on the basis of a service contract.
- 12.2.3 The contact details of the data protection officer shall be published and communicated with the supervisory authority.
A Final Note…
Your overwhelm can easily be overcome by adopting good information handling. Doing this makes good sense, will make you feel ahead of the majority of your competition, and is a good business practice that will make you feel well accomplished.
Compliance, privacy, data protection, and cybersecurity are considered as competitive advantages that enhance your business’ reputation, increase customer and employee loyalty, as well as reduce your business operating and legal risk.
Following these legal tips I just mentioned ensures your client data and information is accurate, relevant, and secure. This saves you both time and money in the long run.
The best you can do right now is to make sure you comply with data protection laws in your country. Find out what you need to do to ensure you are keeping people’s personal data secure.
Look for resources, tools, and support to help you improve your data protection compliance.
Trust me, if you’re like most of my clients who went through this process and became GDPR compliant, you’ll feel really good putting this GDPR issue to bed.
It’ll feel awesome when you rest assured that you’ve got your back covered by minimizing your business risks.
Remember, the law only respects those who respect it!
N.B. Check the legal and IT resources below for more in-depth information (Some references may include affiliate links).
Disclaimer: This article, the enclosed legal and IT resources, websites, and links are not construed or shall be interpreted by you as legal advice, recommendation, consultancy, advice, or service, but rather my personal views, information, and educational guidance to help you digest the new GDPR law and present you with tools to put it into practice.
Updated on 22.11.2019, Biel/Bienne, Switzerland.
M. Shahin
Attorney-at-Law
admin@ecorporate.lawyer
As a corporate lawyer and certified cybersecurity professional, I manage https://eCorporate.Lawyer (“ECL”), an online legal platform that helps entrepreneurs, business owners and investors start, secure, scale or sell their businesses or investments.
ECL offers its magic circle clients legal, marketing and management consultancy to grow their businesses, investments and online presence.
Contact me now for a free consultation to see how we can work together or hire me now if you need customized guidance with GDPR.
If you need a further legal assistance I can personally help you through my regulated law firm.
RESOURCES
Here are some further free resources that you might find helpful if you’re keen to learn more about GDPR:
1- Legal Resources
- EUR-LEX GDPR Law in English
https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv:OJ.L_.2016.119.01.0001.01.ENG
- EUR-LEX GDPR Law in French
https://eur-lex.europa.eu/legal-content/FR/TXT/?uri=CELEX:32016R0679
- 12 steps to prepare for GDPR
https://ico.org.uk/media/1624219/preparing-for-the-gdpr-12-steps.pdf
- Swiss Data Protection Law
https://www.admin.ch/opc/en/classified-compilation/19920153/index.html
- Cantonal Data Protection Authorities in Switzerland
https://www.edoeb.admin.ch/edoeb/en/home/the-fdpic/links/data-protection—switzerland.html
- International Data Protection Authorities
https://www.edoeb.admin.ch/edoeb/en/home/the-fdpic/links/data-protection—international.html
2- Cybersecurity Resources and IT Tools
3- GDPR IT Tools and Implementation Resources
- GDPR-Ready Saas Vendors
https://track.siftery.com/gdpr-checker
- Cookie and Privacy Policy
- Data Map Template
https://medium.com/@Ideea/gdpr-data-map-template-31da34ca39d0
- Email List Cleaning and Maintenance Tools
https://www.formget.com/email-list-cleaning-service/
- GDPR Compliance Statements
https://track.siftery.com/gdpr-checker
- Enable GDPR
https://support.hellobar.com/how-to-enable-gdpr-with-hello-bar/
- Infusionsoft GDPR Webinar
https://partners1-223187.pages.infusionsoft.net/
- MailChimp GDPR Frequently Asked Questions
- How To Add A Check-Box To A Convertkit Form For GDPR
- WordPress GDPR Plugin
https://www.redsandmarketing.com/blog/wordpress-anti-spam-plugin-gdpr-compliant/
- Data Protection Representative
- Google Cloud GDPR
https://cloud.google.com/security/gdpr/
- OECD Privacy Statement Generator
http://www.oecd.org/internet/ieconomy/oecdprivacystatementgenerator.htm
4- WordPress Plugins