You’ve probably heard about the General Data Protection Regulation (GDPR), and you might be wondering how it impacts you and your business. This article is a summary of what we think you need to know and do about the European data protection laws. It’s quite lengthy, because we aim to give you a good sense of how these regulations may affect your website (and business).
We’ve carried out some in depth research on this, and in this article we share our views on what we think you need to do to comply with the new regulation. Please note that we are not lawyers, so this is not legal advice, and this article is for informative purposes only and may not give you the full picture. Implementing our suggestions is at your own risk.
Introduction to the EU privacy regulations
This regulation is a European Regulation, but it also affects businesses and individuals elsewhere: if you regularly have dealings with EU citizens, you’ll need to make sure you comply with it too. The GDPR applies to all companies worldwide that work with personal data of EU citizens.
There are two European Union regulations that are relevant here, the GDPR (General Data Protection Regulation) and the PECR (Privacy and Electronic Communications Regulations). There’s a lot of information about all this online, and we feel that it’s easy to get lost in it all. So for a good base, we started by reading both the GDPR Regulation, and also the PECR Regulation legal texts.
Purpose of the EU privacy regulations
The purpose of the new law is to provide a set of standardised data protection laws across all the member countries – to protect the rights and freedoms of individuals to decide what happens with their data, and to give them a choice.
Data you collect as a business through your website can be, for example, names and email addresses for newsletter list building; address details when registering for an online community or buying something in a shop; cookies when people browse your website; Google Analytics data; data collected through a Facebook pixel, etc.
An important concept is consent. Companies have to clearly communicate what they intend to use any collected personal data for, and they need to receive clear consent, asking for it in clear and plain language. It must also be as easy to withdraw consent as it is to give it.
Privacy rights for EU citizens
The GDPR provides the following rights for individuals:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling.
A lawful basis for collection of personal data
The new regulation says that anyone collecting personal data must have a lawful basis for processing personal data and they need to include information about the lawful basis (or bases) and their intended purposes for processing the personal data in their privacy notice.
From the ICO website, the UK regulatory body for the GDPR and PECR:
The lawful bases for processing are set out in Article 6 of the GDPR. At least one of these must apply whenever you process personal data:
(a) Consent: the individual has given clear consent for you to process their personal data for a specific purpose. [our note: consent must be very specific; it can’t be silent or implied consent. We will share more about consent a bit further along]
(b) Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract. [our note: for example, needing their contact details to send something they have bought, or supplying someone’s contact details to a courier company to allow delivery. We won’t go into this lawful basis any further because it speaks for itself]
(c) Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
(d) Vital interests: the processing is necessary to protect someone’s life.
(e) Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
(f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.) [our note: legitimate interest includes commercial benefit for your company]
You can read more about each lawful basis here on the ICO website. They also have an interactive guidance tool that helps you determine your lawful basis.
Consent: a relevant lawful basis for small business owners in the case of marketing
One of the most relevant lawful bases for most small business owners is consent. A lot has been written on this. The regulation says:
Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement. This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject’s acceptance of the proposed processing of his or her personal data. Silence, pre-ticked boxes or inactivity should not therefore constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them. If the data subject’s consent is to be given following a request by electronic means, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.
The ICO have published further guidance on consent:
Consent must be freely given; this means giving people genuine ongoing choice and control over how you use their data.
Consent should be obvious and require a positive action to opt in. Consent requests must be prominent, unbundled from other terms and conditions, concise and easy to understand, and user-friendly.
Consent must specifically cover the controller’s name, the purposes of the processing and the types of processing activity.
Explicit consent must be expressly confirmed in words, rather than by any other positive action.
There is no set time limit for consent. How long it lasts will depend on the context. You should review and refresh consent as appropriate.
You must ask people to actively opt in. Don’t use pre-ticked boxes, opt-out boxes or other default settings. Wherever possible, give separate (‘granular’) options to consent to different purposes and different types of processing.
The EU have published more guidelines on consent, and you can download them here if you’d like to know more.
Legitimate interest: another lawful basis for small businesses
Legitimate interests include the commercial interest of a company, so it is also relevant.
From the ICO website on legitimate interests:
Legitimate interest is the most flexible lawful basis, but you cannot assume it will always be appropriate for all of your processing.
If you choose to rely on legitimate interests, you take on extra responsibility for ensuring people’s rights and interests are fully considered and protected.
Legitimate interest is most likely to be an appropriate basis where you use data in ways that people would reasonably expect and that have a minimal privacy impact. Where there is an impact on individuals, it may still apply if you can show there is an even more compelling benefit to the processing and the impact is justified.
You can rely on legitimate interests for marketing activities if you can show that how you use people’s data is proportionate, has a minimal privacy impact, and people would not be surprised or likely to object – but only if you don’t need consent under PECR. [our note: an individual always has the right to object to processing for the purposes of direct marketing, whatever lawful basis applies. This is regulated in the PECR regulation, but as far as we understand consent under PECR is less stringent. For sure you always need to provide an opt out. Also see our post on EU Privacy Laws, Freebies and Newsletter List Building]
Recapping everything: How does this affect you running your website and marketing?
Reading through a lot of info and regulations available online, we feel there are a number of key points for small business owners who run a website. We already shared the types of data you may be collecting: names and email addresses, for newsletter list building; address details when registering for an online community or buying something in a shop; cookies when people browse your website; Google analytics data; data collected through a Facebook pixel, etc.
A practical example: collecting email addresses
In our article EU Privacy Laws, Freebies and Newsletter List Building we build on what we shared here and explain how we think all the info above affects something very common like an opt-in for newsletter list building with a freebie.
We have also written a post with Steps to take for your website – EU Privacy Laws (GDPR).
More info & Free GDPR Checklist
We hope the info here has given you a good overview of the new EU privacy laws and how they relate to your website. There is more to GDPR than just your website:
Checklist for all GDPR related things you need to do for your biz
Please note that we earn a small commission if you decide to buy the legal pack from Suzanne through our referral here :)
For further reading & learning, also see these guides:
Closing thoughts on privacy legislation for small businesses – should you be worried?
There’s a lot of info out there about privacy legislation. And it can easily become overwhelming, especially for a small business. But having delved into this quite deeply, we don’t feel the EU privacy laws have to keep you awake at night. We’ve gone through all the texts in the actual laws and we feel these new regulations are a good thing. From reading the law, we also feel it’s very much aimed at large data-processors with a potentially serious impact on people’s privacy.
This becomes clear for example when you read through paragraph 75, where it talks about some particular cases where privacy would be a big concern (emphasis added by us):
The risk to the rights and freedoms of natural persons, of varying likelihood and severity, may result from personal data processing which could lead to physical, material or non-material damage, in particular: where the processing may give rise to discrimination, identity theft or fraud, financial loss, damage to the reputation, loss of confidentiality of personal data protected by professional secrecy, unauthorised reversal of pseudonymisation, or any other significant economic or social disadvantage; where data subjects might be deprived of their rights and freedoms or prevented from exercising control over their personal data; where personal data are processed which reveal racial or ethnic origin, political opinions, religion or philosophical beliefs, trade union membership, and the processing of genetic data, data concerning health or data concerning sex life or criminal convictions and offences or related security measures; where personal aspects are evaluated, in particular analysing or predicting aspects concerning performance at work, economic situation, health, personal preferences or interests, reliability or behaviour, location or movements, in order to create or use personal profiles; where personal data of vulnerable natural persons, in particular of children, are processed; or where processing involves a large amount of personal data and affects a large number of data subjects.
So practical examples of the above would be banks and credit unions profiling you before giving you a mortgage or loan; insurance companies making a risk assessment before they decide whether to insure you; a potential employer doing a background check on you; a supermarket or online retailer analysing your shopping behaviour; a social media site profiling you based on your personal data and interests. You can imagine such organisations building quite a detailed picture of you, and you might object to that. That is quite different from someone visiting your website and, for example, signing up for your newsletter in return for a freebie.
Also, you might have heard of very big financial penalties for not complying. Again, we believe that as a small business owner you wouldn’t be at serious risk of these. For example, the ICO, the UK governing body for these regulations, has given out some hefty fines in the past, but these were for very serious cases of privacy violations. And even in those cases they gave warnings first.
We feel it’s good to do the right thing, to be ethical, and to adhere to the law as best as you can. But we also feel you shouldn’t let any of this hold you back from simply running your business and (hopefully) through that just serving and helping your (potential) clients.