
How to comply with the GDPR as an online company

In conducting their everyday business, online companies deal with personal data all the time. Contact names, email addresses, credit cards used to purchase a product or a service – all this information used during web browsing demands the right to privacy of visitors, users and customers. Regardless of whether online companies are established in the EU or not, if they collect European citizens’ data, they must comply with the GDPR.

Since the day of its implementation, many online companies considered the GDPR overwhelming, and, as a matter of fact, some considered it to be merely a new cost item to be included in financial reports. Despite this, the GDPR remains something online companies must deal with if they intend to keep doing business in the EU. Let’s see how the GDPR impacts online companies, and how they can make their websites compliant.

How does the GDPR apply to online companies?

Online companies are subject to the GDPR to the same extent as any other company processing personal data, even if they are not established in the European Union (as settled in Article 3, “Territorial scope,” of the Regulation), provided that their processing activities relate to offering services to people located in the EU. This means it’s essential for online companies to know what personal data they collect and hold, where this data is held, how it is processed, and why.

Learn more about conditions in which companies operating in different fields could fall within the scope of the GDPR from this article: Is the GDPR applicable to our company?

Data subjects must be given the opportunity to exercise their rights (including the right to withdraw their consent, any time they wish), even in the case of third parties allowed to access this data according to a specific service provided to online companies (e.g.: analytics, remarketing, retargeting, profiling). To learn more, read this article: 8 data subject rights according to GDPR.

The aim of giving all this information is to ensure that people’s personal data is not misused, and to protect data subjects against data breaches that may occur during online companies’ daily business. This is particularly relevant because, when a data breach occurs, online companies must report serious breaches to the Supervisory Authority (and, in some cases, to the data subjects themselves) within 72 hours after having become aware of it. Failing to notify could lead to an administrative fine of up to €20 million or 4% of the total worldwide turnover of the company.


What does the GDPR mean for my website?

Every website has users and visitors searching for an article to read, information about a topic, or a product to buy. If you have a website, even in the case of a personal blog whose main topic is your passion for cooking, you could have visitors from every part of the world coming to read your articles and leave comments about what you write.

Perhaps you are using a service that tracks every visitor and informs you if he or she is reading from Europe or Asia, if he or she has found your website by searching in a social network or using a particular web browser. That means you, and other third parties you have allowed, are collecting data, so you must inform your visitors about how you are going to use their data, where you intend to store it, and for how long. Therefore, every person or association or company that has a website should put in place a privacy policy that is easily accessible. At the same time, an email (or a system) should be created and reserved for visitors who wish to exercise their rights regarding the use of their personal data.

To learn more, read this article: Everything you need to know about the GDPR Privacy Notice.

What does the GDPR mean for online stores?

The main activity of an online store is to sell products to its customers. In doing this, an online store could collect different kinds of data, the most common of which are name, surname, an address for products to be delivered, and cardholder data, if the online store allows customers to buy products with a credit card. There are several other types of personal data the online store could collect, such as the place from which the customer is buying and the preferences of the customer himself (the kind of shoes he prefers, the colour, the brand and so on).

Moreover, there could be a case in which the online store gives access to data it collected to third-party services, including, for example, Google Analytics, Google AdWords, or social networks used as platforms for advertising. Even data collected in this way needs to be managed in order to comply with the GDPR.

Just like website owners, as discussed in the previous section, online stores are required to inform their customers about the purposes of data collection and processing, including references to the fact that this data could be profiled to get information about customers’ preferences. Moreover, as GDPR Article 32 establishes, whenever processing could represent a high risk to the rights and freedoms of data subjects, technical and organisational measures should be implemented to ensure a level of security appropriate to the risk. In the case of online stores, depending on the way in which data is used, this GDPR requirement could translate into serving the website over HTTPS with a valid certificate and using an encrypted (SSL/TLS) connection for the payments requested.

Learn more here: How cybersecurity solutions can help with GDPR compliance.

GDPR compliance checklist

Here’s a GDPR checklist that online companies that are subject to the GDPR must abide by, in order for them and their websites to be compliant. It includes web tools to be used, information to be given and technical measures to be implemented:

GDPR for online companies: How to become compliant


  1. Prepare a GDPR project: Have a clear vision of what kind of data is going to be processed, who the data subjects are, and the purposes of collection.
  2. Define a personal data policy: Create a policy covering data protection, make it visible in every part of the corporate website, and ensure that every employee is aware of its importance. If necessary, a DPO should be assigned.
  3. Create an inventory of processing activities: Define a list with all current processing activities, each one clearly referring to a specific lawful purpose set by the GDPR.
  4. Implement appropriate measures to manage data subjects’ rights: Provide the customers/visitors with the opportunity to withdraw their consent, exercise their rights or update their preferences anytime they wish and in the easiest way.
  5. Implement a data protection impact assessment (DPIA): Conduct a DPIA before starting any new project or implementing any change in information services.
  6. Secure personal data transfers: Analyse which data is being transferred outside of the company and where, in order for appropriate security measures to be taken when transfer is necessary.
  7. Review third-party contracts: Review third-party contracts, including processing of data, in order for them to be compliant with the GDPR.
  8. Ensure the security of personal and sensitive data: Apply appropriate technical and organisational measures in corporate website designs, in order for data protection to be ensured and customers’ rights to privacy exercised easily.
  9. Define how to manage data breaches: Define a process to handle data breach, including how to identify the breach, protect personal data, and detect and fix the vulnerabilities that could have caused the breach. Finally, set an appropriate system to notify the Supervisory Authority of the breach and, if necessary, to notify other affected parties.

If you’d like to learn more about how to correctly implement the GDPR in your company, you can read this article: 9 steps for implementing GDPR.

The positive side of GDPR compliance

If you are an online company, abiding by the requirements of the GDPR is good for your business, showing that you take data protection seriously and protect your users’ and customers’ rights to privacy while offering services and goods. Being compliant means being more vigilant, respectful and trustworthy, striving for an objective that is just as essential as the income you bring in: your reputation.

To make the EU GDPR implementation easier for your online business, download this free Project checklist for EU GDPR implementation.


Francesca Lucarini

Francesca Lucarini is a cybersecurity advisor, ISO 27001 qualified auditor, and expert in communicating GDPR and information security themes, as well as in suggesting tools to help people and companies increase their awareness of the risks that can arise from the use of technology.