GDPR Compliance for Businesses: Step-by-Step Ultimate Guide

By Petar Todorovski, Data Privacy Specialist. 8 August 2022

Fact-checked by Miklos Zoltan

Many small and medium businesses think GDPR compliance is a long road ahead and delay it as much as possible. However, it is not nearly as long or as expensive as it may seem.

This guide will explain:

  • What every single online business has to do, and
  • What some businesses may need to do as well.

Although this regulation raised the bar for companies, protecting your users’ data should not be a problem if you are serious about your business.

And it is not hard to comply.

Here, we will explain the minimum you, as an online business owner, should do to comply, and dispel the doubt that it involves a lot of work.


What Every Single Online Business Needs to Do For GDPR Compliance

No matter at what stage you are with your online business, you have to:

  • Determine why you need users’ personal data
  • Determine the categories of data you need
  • Determine how you are going to obtain such data
  • Determine for how long you’ll keep the data
  • Check out the cookies your website uses already (and you may not know about them)
  • Have a privacy policy
  • Obtain explicit consent for collection and/or processing of data
  • Keep records of consents and data processing
  • Respond to data subject requests
  • Ensure the legality of your data transfers
  • Plan for data breach notifications

Now onto each one of these:

1. Determine why you need personal data

You have to have reasons to process users’ data. For most businesses, the reasons include:

  • Marketing purposes – tracking users’ behavior to collect data you can use to segment them and address them with a tailored message
  • User experience purposes – improving how users experience your website
  • Analytics purposes – collecting data on how website visitors use the website.

Determining the why behind the data processing is the first step before proceeding with the categories of data you’ll need.

2. Determine the data you need

When you know why you need to process personal data, you must determine what data categories will help you get there.

Data categories are the types of personal data, such as names, email addresses, home addresses, SSNs, political views, biometric data, etc.

So, if you need to process users’ data for marketing purposes, you may need email addresses to send newsletters or online identifiers allowing you to retarget.

You may install Google Analytics and get their IP addresses for analytics purposes.

You need their full name, address, and ZIP code to send a product ordered from your eCommerce store. To provide customer support, you may need their phone number.

Remember that you must process the minimum amount of data for each purpose. Data minimization is one of the basic GDPR principles, and it does not allow processing more data than necessary for your purpose.

3. Determine how you are going to obtain such data


Here, you’ll determine the tools to collect and process personal data.

In general, there are two ways to collect personal data:

  • Data that users give you voluntarily
  • Data that you collect by cookies and other tracking technologies.

Users will give you data for executing contracts, such as goods delivery or getting a freebie.

You’ll need to use tracking mechanisms for data that does not require an exchange of something. These include cookies, pixels, fingerprinting, and other methods. Make sure you determine them all at this point.

4. Determine for how long you’ll keep the data

You should keep the data as long as needed, but no longer.

Not only because the GDPR obliges you to erase personal data you no longer need, but also because keeping it brings risks without an upside. Why would you keep someone else’s data that you don’t need and that can be breached? It is not wise, and it is against the law.

So, determine a retention period for each category of personal data you collect and process. It should be aligned with the purpose of processing. Once you no longer need to process the data, get rid of it.

5. Check out the cookies your website uses

Your website may already be placing cookies on users’ devices without their consent and without your knowledge. Social plugins, widgets, and other tools often use cookies, but website owners are unaware of that.

If unsure about this, scan your website on a cookie scanner. 2gdpr scanner gives good results along with basic guidance on cookie compliance. Check out your website and act according to the results.

6. Have a privacy policy


The privacy policy is a document to inform users about your privacy practices.

If you have answered the questions above and determined what you do, why, and how, then drafting the privacy policy will be a breeze.

A GDPR-compliant privacy policy has the essential elements prescribed by the regulation. The GDPR does not list them in one place; they are sprinkled throughout its text, but they are required all the same.

In all cases, you need a privacy policy with the following elements:

  • Your identity. You are the data controller, and users (a.k.a. data subjects) have the right to know who controls their data. Provide your business name and at least an email address for contact. For better transparency, provide a phone number and physical address if your business has any.
  • The purposes of data collection and/or processing. Tell your users why you need their data.
  • How you collect and/or process personal data. You must inform users about the methods you use to collect their data. In general, there are three ways for data collection:
    • Users give you their data themselves (such as providing an email address to receive marketing promotions, discounts, free ebooks, etc.) or
    • You collect their data through cookies and tracking technologies (including Google Remarketing, Facebook Pixel, etc.).
    • You collect data from other parties, such as your subsidiary companies, etc.
  • The categories of data you collect. You should name each data category you collect, such as name, email address, home address, phone number, IP address, Social Security Number, or any other personal information.
  • With whom you share their data. These are the third-party tools you use for data processing. You share users’ data with them so that they will deliver you insights based on that data. For example, you share data with Google to get insights from Google Analytics.
  • Data subject rights. GDPR grants your users the following rights:
    • Know about data processing
    • Get access to their data
    • Restrict and/or object to the processing of their data
    • Have their data erased
    • Correct inaccurate data
    • Transfer data to another data controller
    • Know if their data is part of automated data processing, including profiling, and object to that
  • How users can exercise their rights. Users have rights, but you need to let them know how they can exercise them. As a minimum, ensure you have an email address for contacting you.
    It is even better to have a dedicated contact form for submitting data subject requests. There are SAAS solutions on the market that allow you to collect these requests, sort them out, and answer quickly.
  • Data retention period. Tell your users how long you’ll keep their data.
  • Children’s data. If you knowingly collect children’s data, you should inform users and obtain consent from their parents. If you do not do so, this section is your chance to put a disclaimer that you don’t do that and keep yourself from responsibility.
  • Data Protection Officer (DPO) or legal representative. Some organizations are obliged to have a DPO, while those registered outside the EU should have a legal representative. Include their names and contact information in the privacy policy if you have any of these.
  • Updates and the privacy policy’s effective date. Finally, end your privacy policy with the methods for informing users of any updates and the date from which the current version of the privacy policy is effective.

7. Obtain explicit consent for collection and processing of data


Many online business owners think posting a privacy policy on their website is enough to comply with data protection laws, but that couldn’t be further from the truth.

When users give you their data, the legal basis usually is the execution of a contract between your business and the user.

But, when you collect their data using third-party tools, you must first ask them if they are OK with it. GDPR does not allow data collection without users’ explicit consent, so you need to obtain it before using tracking technologies.

The most practical way to obtain users’ consent is by showing them a cookie banner. But not any banner. Only those that follow the GDPR requirements are lawful.

The cookie banner is lawful as long as the user’s consent is:

  • Freely given. This means that you have to give the user a choice between accepting and declining the cookies. In addition, accepting cookies must not be a condition for access to website content.
  • Informed. The user must be informed of your data protection activities when requesting consent. That’s why cookie banners often have a link to the privacy policy. The privacy policy informs the user about the privacy practices of the company, and if the user has no problem with it, they could give their consent for data collection and processing.
  • Specific. Your privacy policy contains the purposes for data processing. You have to obtain separate consent for each specific purpose. This means that if you collected consent for analytics purposes, you are not allowed to process the same data for marketing purposes. You’ll need additional consent for that activity.
  • Unambiguous. The consent is lawfully obtained only if the user has taken affirmative action to give the consent, such as clicking an ACCEPT button.
    Assuming that they consent to the use of cookies simply by staying on the website or assuming that they accept the cookies by accepting your Terms of Service is against the GDPR.
    Moreover, you must not pre-check the boxes or toggles. The user has to take specific action to confirm the consent for cookies.
  • Easily withdrawn. You have to provide users with an opportunity to withdraw the consent as easily as it has been given. If the user has given consent by simply clicking on an ACCEPT button, you must not request filling out a long withdrawal form to be sent to you by email. You have to make it easy for the user.

This means that you are not allowed to send cookies to your users’ devices in sneaky ways that we have covered before:

  • No pre-checked boxes
  • No cookie walls
  • No bundling of the cookie consent with the Terms of Service
  • No assumptions that the user accepts the cookies by browsing the website

8. Keep records for obtained consent and processing activities


GDPR obliges businesses to keep records of their processing activities and provide those to authorities upon request. The records should contain at least:

  • Your contact details
  • The purpose of data processing
  • Description of data subjects
  • Categories of data processed
  • The recipients of personal data
  • Details on data transfers, if any
  • Data retention period, if any
  • A general description of the data security measures, if applicable

Aside from the processing activities records, it is essential to keep records of every consent obtained by a user.

Sooner or later, you will receive a data subject request by someone who wants to know how you handle their data. You’ll also need to prove that you have obtained their consent to process the data when that time comes. You’ll get into trouble with the law if you don’t prove it.

Many online businesses opt for cheap consent management solutions that do not keep records of obtained consent. These solutions, mostly WordPress plugins, will present the user with a cookie banner and a link to the privacy policy, but that’s about it. If the user accepts your cookies, they do nothing in response. They record nothing, so they don’t make you compliant with the GDPR.

There are good paid tools on the market that you could use for consent management.

Some of them include OneTrust, Secure Privacy, Cookiebot, and Iubenda.
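Sections 7 and 8 above describe what lawful consent looks like (separate per purpose, nothing pre-checked, as easy to withdraw as to give) and that every consent must be recorded so you can prove it later. As an added example that is not part of the original article and not the code of any product named here, the Python below sketches a minimal consent ledger that implements those rules; all names (ConsentLedger, PURPOSES, the sample user id and policy version) are hypothetical.

```python
"""Hypothetical consent ledger: records every per-purpose consent and withdrawal."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Each purpose needs its own consent ("specific"); nothing is granted by default.
PURPOSES = ("analytics", "marketing")


@dataclass(frozen=True)
class ConsentEvent:
    user_id: str
    purpose: str
    granted: bool            # True = affirmative ACCEPT; False = decline or withdrawal
    policy_version: str      # the privacy policy text the user was shown ("informed")
    source: str              # where the action happened, e.g. "cookie_banner"
    recorded_at: datetime    # UTC timestamp, the core of the evidence


class ConsentLedger:
    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []

    def record(self, user_id: str, purpose: str, granted: bool,
               policy_version: str, source: str,
               at: Optional[datetime] = None) -> ConsentEvent:
        if purpose not in PURPOSES:
            raise ValueError(f"unknown purpose: {purpose}")
        ev = ConsentEvent(user_id, purpose, granted, policy_version, source,
                          at or datetime.now(timezone.utc))
        self._events.append(ev)   # append-only: history is never overwritten
        return ev

    def withdraw(self, user_id: str, purpose: str,
                 source: str = "preferences_page") -> ConsentEvent:
        # One call, as easy as the original click; no form to email back.
        last = self._latest(user_id, purpose)
        version = last.policy_version if last else "unknown"
        return self.record(user_id, purpose, False, version, source)

    def has_consent(self, user_id: str, purpose: str) -> bool:
        # Deny by default: only the most recent event counts, and it must be affirmative.
        last = self._latest(user_id, purpose)
        return last is not None and last.granted

    def evidence(self, user_id: str) -> List[Dict[str, str]]:
        # Full history for one data subject, for a "prove that I consented" request.
        return [
            {"purpose": e.purpose, "granted": str(e.granted),
             "policy_version": e.policy_version, "source": e.source,
             "recorded_at": e.recorded_at.isoformat()}
            for e in self._events if e.user_id == user_id
        ]

    def _latest(self, user_id: str, purpose: str) -> Optional[ConsentEvent]:
        matches = [e for e in self._events
                   if e.user_id == user_id and e.purpose == purpose]
        return max(matches, key=lambda e: e.recorded_at) if matches else None


def may_set_cookies(ledger: ConsentLedger, user_id: str, purpose: str) -> bool:
    """Gate every tracking tag behind this check before it runs."""
    return ledger.has_consent(user_id, purpose)


def demo() -> ConsentLedger:
    # Constructed walk-through: the visitor accepts analytics only, then withdraws it.
    ledger = ConsentLedger()
    t0 = datetime(2022, 8, 8, 10, 0, tzinfo=timezone.utc)
    ledger.record("visitor-42", "analytics", True, "pp-2022-07", "cookie_banner", t0)
    # Consent for analytics does not cover marketing: a separate consent is required.
    assert not may_set_cookies(ledger, "visitor-42", "marketing")
    ledger.withdraw("visitor-42", "analytics")
    return ledger
```

Because the ledger is append-only, the evidence for a user shows both the original acceptance and the later withdrawal, each with its timestamp and the policy version in force.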

9. Respond to data subject requests

Data subjects are your website visitors in the GDPR vocabulary.

Data subject rights

GDPR grants data subjects a set of rights. They include the right to:

  • Know about processing
  • Access their data in your control
  • Object to data processing
  • Restrict the processing
  • Correct the data
  • Transfer their data to another controller
  • Have their data erased
  • Know that they have been subjected to automated decision making, including profiling

Submitting the requests

Data subjects, i.e., your users, can exercise these rights by submitting a data subject request to you. The request has no prescribed form. It can be anything from a simple message like “Tell me what data you have collected from me” or “Please delete all my data” to a formal request.

You can designate a method for submitting data subject requests, such as an email address or a form on your website. However, data subjects are not obliged to submit their requests that way. They can do it in any way, and you’ll be obliged to respond.

Having a quick request management solution to handle these requests is an excellent practice. Many consent management providers also provide data subject request management solutions, which are a good starting point. They usually come with a dashboard of all the requests, reminders to respond, and other features.

Responding to the request

You have to respond to data subject requests within 30 days of receiving the request. You can delay the delivery by a further 30 days in the case of a complex request that requires a lot of work on your side. Just let the user know about it.

Ensuring you respond to the right person

Sometimes you may need to verify the identity of the person who submits the request. You can’t send a file with personal information to anyone who requests it over the internet, because some people may request data about other people.

If you suspect that may be the case, you’ll need to verify the identity of the person who submits the request. So, if an email subscriber wants to access their data, you may want to prove they own the email address by sending a code by email. Or, in the case of data processing of website members, you could verify their identity by two-factor authentication or a similar method.

Failure to respond

You may fail to respond appropriately or fail to respond at all. In both cases, the data subject won’t be happy and may submit additional requests or go straight to the data protection authority and initiate a procedure against you.

You want to avoid legal headaches, so ensure you respond to the user in time and in a way that satisfies them.

10. Plan for Data Breach Notifications


Data breaches are not an everyday occurrence, but there is no online business that can avoid hacks. Microsoft, Facebook, and Twitter are just a few names that have been hacked and have had data breaches.

There are two ways in which you may suffer from data breaches:

  • Your website is breached, or
  • Any of your data processors is breached.

Do not forget that you are responsible for the data you control, even if it is processed by a third party. Your processors are accountable to you, but it is you who is liable to your users.

In both cases, you have duties to your data subjects. GDPR obliges you to:

  • Inform the relevant data protection authority no later than 72 hours from knowing about the breach (if you delay this, you need a good explanation about it and are under the risk of penalties).
  • If the breach threatens the data subjects’ rights, inform them as well. A threat would be leaking personal information such as social security numbers, health data, sexual orientation, and other data that could pose any risk in the current set of circumstances.

You can inform the data protection authority and the users in any way you find fit, as long as it is a piece of communication dedicated to the breach. For example, you can’t tell users about the breach in a regular newsletter full of coupons and other marketing materials.

So, you can make a phone call to the authority and tell them what happened. Then they will guide you through the process that follows.

Some of them have data breach forms on their websites, which you can use. The UK ICO’s template is available at this link, just to give you an idea of what one may look like.

It is essential to note that in the case of a breach, the worst thing you can do is try to hide it. Remember that not all breaches occur due to the website owner’s fault, so in the end, you may avoid a penalty. But if you remain silent about the breach, you won’t avoid penalties. The GDPR fines may be higher because of that.

For effortless compliance, ensure that you have taken precautions to avoid data breaches and know what to do in case one happens.

11. Ensure the legality of your data transfers

The EU and the GDPR want all the data processed inside the EU or in a third country that is deemed safe. That’s why data transfers abroad are as tricky as they can be.

You can transfer data outside the EU based on the legal instruments in Chapter V of the GDPR, which means based on:

  • Adequacy decision. The European Commission has a list of countries that offer adequate data protection according to the GDPR. For each of these countries, the EU has issued an adequacy decision. Based on that decision, you can transfer data to these countries freely, without asking anyone, as if you were moving the data around the EU.
  • Standard contract clauses (SCCs). The SCCs are clauses that are part of the data processing agreement. The data controller and the data processor agree on the security measures for protecting the data. This is the most common legal basis for data transfers in the absence of an adequacy decision.
  • Binding corporate rules (BCRs). Similar to the SCCs, but rarely used in practice. These are rules on data transfers that apply within a group of companies acting as joint controllers.
  • Consent by the data subject. Self-explanatory. You are good to go if the data subject agrees explicitly to the transfer; if you are a non-EU company, you can include this in the privacy policy and get the consent along with the consent for data processing.
  • Performance of contract. If the data transfer is necessary to provide the services and products you offer, you can transfer the data. However, this is a slippery slope, so better opt for another basis. Use this one as a last resort.
  • Public interest or data subject interest or the transfer is necessary for the establishment, exercise, or defence of legal claims. Self-explanatory.

Most international data transfers would involve transferring data to US companies. After all, the world’s best tech companies operate from the US. However, transfers to the US are subject to additional security measures due to the US surveillance laws.

We have another long-form article on that subject. You can read it here.

Additional Things You May Need

Depending on the specifics of your business, you may need to do more for full compliance with the GDPR. Here is what you may also need:

1. Data processing agreement (DPA)


Data controllers can use the services of third-party data processors to process the data they control, but only based on written instructions. Those written instructions often come in a Data Processing Agreement or as a Data Processing Addendum to the Terms of Service or the Master Agreement.

The content of this contract is prescribed with the GDPR. It must contain at least:

  • The categories of data to be processed
  • The purpose of processing
  • The duration of processing
  • The categories of data subjects
  • The rights and the duties of the controller
  • That the data processor will process data only upon the written instruction, i.e., the DPA
  • Provisions on the confidentiality of the processed data
  • The security measures for the processing
  • Provisions on the sub-processors, if any
  • That the processor would help the controller to comply with the law if needed
  • That at the choice of the controller, the processor would return or delete all the controller’s data
  • That the processor will make available to the controller all information necessary to demonstrate compliance, including allowing audits and inspections.

When you engage with a third-party data processor, such as Facebook, Quora, Google, Convertkit, or the likes, ensure that they process data based on your written instructions. Otherwise, the data processing is unlawful, and you may be fined.

The companies mentioned above are large and serious data processors with their own DPAs. In most cases, the SAAS companies that process data on behalf of other companies will have these agreements ready, either as a separate document or as a supplement to the Terms of Service or the Master Agreement.

However, some small companies that do not bother too much about data protection compliance may not have such agreements in place. That way, they may involve you in legal trouble. So, whenever you intend to engage with a new data processor, read their DPA first.

Some companies have DPAs as a good practice for streamlining their businesses, but no legal obligation whatsoever. You can secure one as a data controller if they do not have any. After all, you must provide them with written instructions for the processing.

2. Appoint a DPO or legal representative


Not all businesses must have a data protection officer (DPO) or a legal representative. But, if you are required to have one and don’t appoint one, you risk being fined.

A DPO is required for businesses that:

  • Process large amounts of sensitive personal data
  • Process personal data in a way that requires regular, systematic monitoring of many data subjects (think of companies like Google and Facebook)

A legal representative in the Union is required for non-EU businesses that regularly process large amounts of EU users’ data.

If you must have a DPO or a legal representative, make sure you appoint one. Even if you are not required to, consider it good practice for taking care of users’ data.

3. Data protection impact assessment

Data protection impact assessment (DPIA) is a process for assessing data processing risks. It is taking a proactive approach to the data processing to mitigate its risks.

A DPIA is obligatory for businesses that:

  • Process data likely to result in a high risk to the rights and freedoms of persons
  • Conduct automated processing, including profiling
  • Process sensitive personal data on a large scale, or
  • Systematically monitor public areas.

A DPIA is not obligatory for everyone else but is a good practice.

A DPIA will help your business map out the data flow from when it comes to your hands to when you hand it down to the data processors and delete the data. It will help you understand how other people’s data goes through your hands and let you know about any compliance gaps you need to address.

It is not obligatory, but you understand how useful it is for any online business.

4. Security measures


As a data controller, you are responsible for taking care of data subjects’ data safety. That also includes data security measures.

You must consider implementing data security measures if you store or process data on your servers.

For most small and medium businesses, running their own servers is out of reach because of the cost, and there are many affordable alternatives on the market.

That means that your data processors will store and process your data. They have to implement the best possible security measures to protect your data.

Companies like AWS, Google, Facebook, and others implement state-of-art security measures. They provide the best there is. Yes, they get hacked sometimes, but no security system is impenetrable.

However, take nothing for granted. Whatever tools you use, check the security measures your processors and sub-processors apply. After all, it concerns your users’ data safety and your compliance with the GDPR.

5. Privacy by design

Privacy by design is a concept that the GDPR has introduced. It means implementing appropriate technical and organizational measures aimed at data protection, i.e., taking data protection into account in whatever you do.

In practice, this would mean thinking about data privacy when:

  • Determining your privacy practices
  • Designing new services
  • Designing new apps or other products, and so on.

You get the idea. The possibilities for privacy by design are endless. As long as you implement the basic GDPR principles for data protection, you’ll likely be implementing privacy by design.

Final Words

GDPR compliance requires work, but it is not hard to achieve.

It is essential to take a proactive approach. GDPR doesn’t require remedies but preventive measures. They are not hard to implement nor expensive for small businesses.

SAAS solutions on the market could make you compliant for less than a couple of hundred dollars annually. That’s not a lot to protect users’ data, nor will it hurt your business’ budget.

Otherwise, you may violate the law and get into trouble that hurts both your finances and your reputation.

Now that you know how to comply, go ahead and do what needs to be done.

1 Comment

  • Andy Globe

    March 21, 2022 1:25 pm

    Great post, helpful WordPress and GDPR guide. Keep posting more articles.
