On May 25th, the General Data Protection Regulation (GDPR) rocked the digital world by ushering in a new age of data privacy standards. The landmark legislation set forth guidelines for the appropriate collection, handling, processing, and sharing of user data. Although the regulation is based in the European Union (EU), any business that interacts with the data of individuals who reside in or are residents of the EU are subject to comply with the lofty set of rules.

Given the increasingly globalized nature of business, almost all large companies – as well as an overwhelming number of small and medium-sized businesses – are affected by the GDPR.

Even after pouring billions of dollars into their GDPR-compliance efforts, some big businesses have already been slammed with lawsuits claiming these companies’ practices aren’t up to snuff with the standards of the regulation.  

Considering even these companies weren’t prepared for the GDPR, are you?

Let’s take a look at where the big players went wrong, and how your efforts to comply with the GDPR can help you avoid the same fate.

How Do You Obtain Consent Properly?

When it comes to landing on the wrong side of the GDPR, consent has proven to be the kicker in the early days of the regulation’s reign. Within 24 hours of its instatement, Facebook and Google were served with GDPR-citing lawsuits, which could result in roughly $8.8 billion in fines.  

So what’s the GDPR offense that could end up costing Facebook and Google billions?

Improper Consent

The lawsuit filed against Google claims that the company is unlawfully employing a system of “forced consent” by disabling users from accessing certain Android software without first relinquishing personal data.

When it comes to the complaint against Facebook, “bundled consent” is the big issue. The suit alleges that the site forced users into consenting to their policies and terms through a ‘take-it-or-leave-it’ strategy that left users who hadn’t given their consent no choice but to abandon the platform entirely.

According to Article 7 of the GDPR, this is not legitimate consent. For consent to be valid under the GDPR, it must be:

• Affirmative – the data subject must take an action to offer their consent to the data practices specified. That means that rather than presenting a default option (like a pre-checked box accepting terms or giving marketing permissions), you need to allow users to actively opt in by checking a box, or performing another affirmative action, for themselves.
• Freely given – here’s where ‘bundled consent’ comes into play. The data subject must be able to offer their consent freely without coercion, manipulation, or condition. Facebook, by making use of their platform contingent on consenting to their terms, is in violation of this GDPR guideline.
• Granular – a user needs to provide separate consents for each data collection or processing activity you’re obtaining their permission to perform. When a data subject provides their consent, they should do so in line with a particular data collection or processing activity, rather than a bundled consent that applies to multiple practices. For example, asking users to consent to your privacy policy and to receiving weekly newsletters cannot be done through a singular opt-in. They should offer consent to these separately.

If your business relies on user consent to collect personal data, avoid the pitfalls suffered by Facebook and Google by ensuring that every point at which you obtain consent fulfills the above requirements.

Decking out your forms, emails, and pages with appropriate opt-in mechanisms doesn’t need to be a strain on your time and resources either. There are plenty of compliance-centered form tools available across the web that will install consent checkboxes for you – some of which will even do it for free.

Do You Offer GDPR-Compliant Policies?

While the heart of the complaints filed against Facebook and Google was their failure to obtain proper consent, that consent revolved around their legal policies. Under the GDPR, users not only need to consent to having their data collected, but they also need to be given the opportunity to consent to the provisions laid out in a company’s privacy policy and terms.

The GDPR has both raised the bar for how businesses should get consent to their legal policies, and notably elevated the standards expected from the policies themselves – especially when it comes to privacy policies.

To satisfy this area of compliance, consider the following when crafting your GDPR-friendly privacy policy:

Make Your Policy Comprehensive

As you’ve probably noticed by now, the GDPR demands that businesses focus on details more than ever before. The regulation forces business owners and webmasters to dive into the nitty gritty of their data collection practices and spell it out for users and regulators.

For instance:

• What data do you collect?
• For what purposes do you use that data?
• On what grounds are you processing data? (GDPR Article 6 lays out six possible bases for data processing – consent, legitimate interests, vital interests, legal obligation, fulfillment of a contract, and public interests.)
• Do you share data with anyone?
• Do you transfer data outside of the EU? (If you’re an American company targeting EU citizens, your answer is already ‘yes.’ You also need to note where your servers are located and to where you may be transferring data.)
• Do you have a Data Protection Officer?
• Do you have an European Economic Area (EEA) Representative?

This is only a sampling of the kind of information you need to pack into your privacy policy to meet the level of detail compelled by the GDPR. Ideally, every interaction you have with user data will be specified in your privacy policy.

Make Your Policy Transparent

Privacy policies weren’t necessarily made for the public prior to the GDPR. While their purpose has always been to disclose the ways businesses handle the personal information of their customers, they haven’t been written with easy reading in mind – until now.

Article 12 of the GDPR is attempting to make privacy policies more readable and understandable for users without a law degree or a background in business. This section of the regulation promotes the use of “plain and clear language” and “transparent information and communication” in companies’ privacy policies.

When looking at your own policy, ask yourself: Can my customers read this and actually understand how we interact with their data?

Hint: If you’re looking at a document riddled with legalese, hidden meanings, and convoluted wording – the answer is ‘no.’

Make Your Policy Easily Available

Revisiting the previous matter of getting user consent to your legal policies, the time and effort you put into perfecting your privacy policy for GDPR compliance is rendered moot if you fail to make the policy itself accessible to your users.

Not only should links to your policies be included in pages, forms, popups, and/or emails that seek consent to those policies, but you should also maintain menu or footer links on your site where users can navigate to your privacy policies, terms of service, and other legal agreements.

Are You Advertising Your Privacy Efforts the Right Way?

The fails we’ve seen so far haven’t been limited to multi-billion dollar lawsuits, like those served up to Facebook and Google. In fact, some of the GDPR failures garnering the most unwanted attention through outlets like Twitter are those stemming from companies’ attempting to regain permission from their customers or announcing their GDPR compliance efforts via email.

If you’re planning on emailing customers to get consent or notifying them of changes to your policies, keep the following in mind in order to avoid the landmines encountered by other companies:

1. Walk the Talk

When WeBuyAnyCar emailed users about consenting to their new terms of service and opting in to receiving emails from the company in the future, consumers who chose to opt-out were met with a dead link. Providing users control over their data, and then failing to give them the proper outlet to exercise that control is certainly counter-productive to GDPR compliance efforts.

2. Honor Your Customers’ Preferences

Last year, in an attempt to get ahead of the GDPR, Flybe and Honda sent emails to their customers asking them to opt in to email marketing. Although this effort was carried out for the sake of compliance, the companies failed epically in achieving such, as they sent mass emails to their unsubscribe lists.

While the ordeal cost them a combined total of £83,000, the penalty was issued before the release of the GDPR, and would likely have been significantly higher had it been under the regulation. There’s an easy lesson to be learned from these offenses – honor your customers’ wishes and cease contacting them once they’ve unsubscribed.  

3. Don’t Do More Harm Than Good

Some of the most egregious GDPR fails have been from companies shooting themselves in the foot when it comes to upholding their users’ privacy. Take the failures of Ghostery and VITL for example. Both companies sent emails meant to boast their compliance efforts and give users preference controls. However, they neglected to hide the contacts of others on the mailing list – effectively sharing thousands of email addresses without permission.

The obvious lesson here is to always remember to BCC your mailing lists. The less obvious, but equally important lesson, is to be careful and take GDPR compliance seriously. No one will be compliant overnight – and no one should try to be. Businesses should take time and care to implement measures and move forward with their data practices to match the standards beckoned by the GDPR.

Conclusion

The GDPR is a groundbreaking regulation, and far from the only of its breed. While the legislation is the first to raise the bar for user privacy to this level, more and more regulations will soon come out to match its standards.

To avoid the detrimental fines and reputational damage suffered by others at the hands of the GDPR, take cautious steps to refine your data practices, and offer your customers greater transparency and control over their information.

About the Author

KJ Dearie is a product specialist and privacy consultant for Termly. She advises small business owners on the best practices for navigating the digital privacy sphere and staying compliant with the latest data protection laws.

Note: This blog article was written by a guest contributor for the purpose of offering a wider variety of content for our readers. The opinions expressed in this guest author article are solely those of the contributor and do not necessarily reflect those of GlobalSign.