This article has been written by Deekhit Bhattacharya, pursuing a Diploma in Cyber Law, FinTech Regulations and Technology Contracts from LawSikho.
What is GDPR?
GDPR (the General Data Protection Regulation, EU 2016/679, in force since 25 May 2018) is a legal framework that aims to protect the privacy and personal data of individuals in the digital space. It lays down obligations and best practices for firms that interact with users in the EU. Its key elements include transparency, consent, purpose limitation and data minimisation. It replaces the Data Protection Directive (95/46/EC) of 1995, and is widely considered a landmark regulation on digital rights.
Who does it apply to?
It is a common misconception that GDPR applies only to businesses based in the EU. The GDPR accounts for the global nature of the internet through extraterritorial jurisdiction (Article 3): it applies to all firms (including websites) which offer goods or services to individuals located in the EU, or monitor their behaviour there, and collect personal data in the process. Citizenship is not the test; the data subject's presence in the EU is.
The term “personal data” as defined in Article 4(1) of GDPR is broad: any information relating to an identified or identifiable natural person. It therefore includes names, addresses and contact details, but also online identifiers such as IP addresses, device IDs and cookie identifiers, and any data pertaining to a person's social, cultural, physical, physiological, mental, economic or genetic identity. Data that can be re-linked to a person with additional information (pseudonymised data) is still personal data.
Failure to comply can invite hefty fines: up to 20 million Euro or 4% of total worldwide annual turnover of the preceding financial year, whichever is higher (Article 83). Furthermore, supervisory authorities are competent to carry out data protection audits and to impose a temporary or definitive limitation, including a ban, on a firm's processing of personal data (Article 58).
Rights of a User under GDPR
The following are some important aspects of the drafting process which aim to “bake in” GDPR compliance into a privacy policy. For an e-commerce business the European market is far too essential to forego, and despite the daunting perception around GDPR, compliance need not be overly burdensome. With the cardinal points below in mind, a firm can reach compliance at modest extra cost and effort.
Write in plain English to describe rights and responsibilities
Take consent from visitors and customers before collecting data
GDPR aims to give users substantial control over their data. This makes consent management essential at every step of data collection. All consent must be freely given, specific, informed and unambiguous (Article 4(11)); pre-ticked boxes, silence or inactivity do not constitute consent. The policy must therefore include all necessary details, such as the collection, processing, storage and usage of customer data. The collection of data via forms, sign-ups, email capture and popups is part of the same compliance, and must give the user a means of withdrawing consent that is as easy as giving it (Article 7(3)). Similarly, if the personal data of children is collected, reasonable efforts must be made to verify age and consent must be obtained from a parent or legal guardian (Article 8).
Tell users how their data will be processed
E-commerce companies must be absolutely clear in their description of the data retention process: the categories of data held, the retention periods, and how deletion is carried out and verified. Simultaneously, the security measures put in place to protect personal data have to be described. Users must be given the choice to opt out of processing, or told why such processing is essential to the website or service. The two most important rights under this head are data portability and the right of access:
- Users have the right (Article 20) to receive the personal data they have provided, and to have it transmitted to another organisation, in a structured, commonly used, machine-readable format. It applies where processing is carried out by automated means on the basis of consent or a contract. Exercising this right does not relieve the controller (i.e. the firm) of its other obligations, and the controller may place no hindrance on the transfer.
- Users can ask for a copy of their personal data (Article 15), and the controller must respond without undue delay and in any event within one month, extendable by two further months for complex or numerous requests (Article 12(3)).
These processes should ideally be backed up with information audits, which audit the flow and processing of information across the firm and its associated third-party companies.
Show your users “privacy by design”
Privacy by design (Article 25) starts with being able to name a lawful basis (Article 6) for every processing activity before it begins. Processing is lawful only if at least one of the following applies:
- The user has given consent for a specific purpose. This automatically implies the user's right to withdraw that consent at any time, and, where no other basis remains, the right to have the data erased on request.
- Processing is necessary to perform, or to enter into, a contract to which the user is a party.
- Processing is necessary to fulfil a legal obligation to which the controller is subject.
- Processing is necessary to protect the vital interests of the user or of another natural person.
- Processing is necessary for a task carried out in the public interest or in the exercise of official authority.
- Processing is necessary for the legitimate interests of the controller or a third party, and those interests are not overridden by the user's interests or fundamental rights. This should be established through a documented Legitimate Interests Assessment, and the legitimate interests relied upon have to be specified clearly in the policy.
It is good practice to have a dedicated Data Protection Officer (DPO) to oversee GDPR compliance within the organisation and to act as the point of contact for user complaints; for some firms, such as those processing special categories of data at scale, appointing one is mandatory (Article 37). Where a DPO is not appointed, a dedicated contact must nonetheless be provided for user grievances regarding privacy and data security. Most importantly, personal data breaches must be reported to the supervisory authority within 72 hours of becoming aware of them unless the breach is unlikely to result in a risk to individuals (Article 33), and affected users must be informed without undue delay where the risk to them is high (Article 34).
Be aware of and clearly disclose international data transfers
Articles 44 to 49 of the GDPR cover restrictions on transfers of personal data outside the EU. Such transfers are permitted only if the processing itself is lawful, i.e. it rests on one of the legal bases mentioned above. Once that is settled, the following mechanisms come into play for data transfers:
- “Adequate” third country: some jurisdictions have received an adequacy decision from the European Commission (Article 45) because their data protection frameworks are comparable to the GDPR and offer “adequate protection”. Data can be transmitted to and stored in these countries without further authorisation. The European Commission publishes the current list of adequacy decisions.
- Appropriate safeguards (Article 46): data can be transferred within a multinational company or group of companies under binding corporate rules approved in accordance with GDPR, or to any recipient under the Commission's standard contractual clauses. In either case the security and confidentiality obligations the importer takes on must match what the policy promises users.
- As a last resort, the explicit consent of the user can be relied upon as a derogation (Article 49). Due care must be taken here: the user must be told in unambiguous terms that their data would be transferred to a country not considered adequate by the EU, and informed of the possible risks of such a transfer.
The GDPR is a sine qua non for business not just in Europe, but for business on the internet in the future. Countries have been modelling their data protection laws on the GDPR, and compliance is a good way of future-proofing one's business. Drafting a GDPR policy is much less about legalese than about consent and transparency, two values that the modern consumer increasingly respects. In this regard, GDPR compliance is as much an ethical commitment as a legal one.