This article has been written by Deekhit Bhattacharya, pursuing a Diploma in Cyber Law, FinTech Regulations and Technology Contracts from LawSikho.

Introduction

The General Data Protection Regulation (GDPR), for many businesses, remains a threatening mystery. In the digital world, as business rapidly moves online, GDPR compliance can either be an opportunity or a threat, depending on whether the firm in question has complied with it or not. In this regard, this article intends to quickly review the essentials of a GDPR compliant privacy policy for eCommerce businesses. While it is focussed on eCommerce, the information contained herein is beneficial for all those interested in drafting or reviewing their GDPR compliant privacy policy.

What is GDPR?

GDPR is a legal framework that aims to protect the privacy and personal data of users in the digital space. It provides regulations which put down compliances and best practices for firms that interact with EU users. Its key elements include transparency, consent, and relevance in online interactions. It replaces the Data Protection Directive of 1998, and is widely considered to be a landmark regulation on the issue of digital rights.

Who does it apply to?

It is a common misconception that GDPR applies only to businesses based in the EU. The GDPR accounts for the global nature of the internet by imposing extraterritoriality of jurisdiction- i.e. it applies to all firms (including websites) which offer goods or services to citizens of the EU, and in the process collects personal data.

The term “personal data” as defined in Article 4 of GDPR is broad, and can be described as any information or data which is related to an identified or identifiable natural person. Therefore, it includes names, addresses, contact details, and any data pertaining to their social, cultural, physical, physiological, mental, etc identities.

Failure to comply can invite hefty fines- up to 20 million Euro or 4% of revenues, whichever higher. Furthermore, supervisory authorities are competent to carry out data protection audits and suspend the ability of a firm from processing personal data for 30 days. 

Rights of a User under GDPR

Chapter 3 of the GDPR Act has instituted 8 rights for users which guide us in the drafting of policies. These rights represent a rudimentary checklist of sorts, where no provision of the policy should be violative of these, while all 8 are included in no uncertain terms. The user has to be actively intimated that s/he has access to these rights under your privacy policy. These rights are:

• The right to be informed;

• The right of access;

• The right to rectification;

• The right to erasure;

• The right to restrict processing;

• The right to data portability;

• The right to object;

• Rights related to automated decision making and profiling.

Drafting a GDPR Compliant Privacy Policy

The following are some important aspects of the drafting process, which aim to “bake-in” privacy compliances according to GDPR in a policy. For an e-commerce business, the European market is far too essential to forego, and unlike the daunting perception around GDPR, compliance is not overly burdensome. With some cardinal points in mind, one can be fully GDPR compliant at little extra cost or effort.

Write in plain English to describe rights and responsibilities

A privacy policy is not to be excessively jargon infested but is meant to be a public document that aims to instill trust and comfort in the user. Article 12 of the GDPR categorically asks for “clear and accessible language”. It should be concise, transparent, and should provide the user a clear picture of your application of data protection and privacy to our business. It has to include how you use a user’s data, with who is such data shared, and what are the rights of users. Three options have to be kept at the centre stage, and controls for these have to be provided- consent, individual rights, and subject access requests.

Take consent from visitors and customers before collecting data

GDPR aims to give users a substantial amount of control over their data. This makes consent management essential at every step of data collection. All consent must be freely given, specific, and informed. Thus, the policy would include all necessary details, such as the collection, processing, storage and usage of customer data. The collection of data via forms, sign-ups, email collections and popups is a part of the same compliance, and needs to give the user means of withdrawing their consent, also known as opting out. Similarly, if the personal data of children is collected, their age must be verified and consent must be obtained from legal guardians.

As personal data would include all kinds of data which is transmitted as a user interacts with the site (such as the user’s IP address), classifying all such data clearly, how the user’s consent is respected, and why their collection is required by the site. Many companies break this part of their Privacy Policy down into sub-sections, such as “data you provide to us,” “data collected by our website,” etc., Further subdividing them as per need.

Tell users how their data will be processed

Ecommerce companies must be absolutely clear in their description of the Data Retention Process. These processes include the categories of data, timelines, and verification of deleted data. Simultaneously, security measures put in place to protect personal data have to be described. Similarly, users will have to be given choices to opt out of data processing, or explained why such data processing is essential to the website or service. The two most important ramifications of GDPR under this head are data portability, and subject access rights:

1. Users have been granted a right by GDPR to transfer personal data from one organisation to another in a structured, commonly used, machine-readable format. This also applies to data concerning automated processing. The transfer will not vary the controller’s (i.e. firm’s) liabilities, and the controller can place no hindrance upon the user after such transfer.
2. Users can ask for a copy of their personal data, which the controller must comply with and respond to within 30 days.

These processes should ideally be backed up with information audits, which audit the flow and processing of information across the firm and its associated third-party companies. 

Show your users “privacy by design”

Article 25 of the GDPR outlines obligations concerning data protection by design and default. In a nutshell, it mandates data minimization and restricting access to personal data to protect the users’ privacy. Here, the user has to be sufficiently assured that all classes of data collected is not only by his/her consent but also is used for express purposes which are laid out. Similarly, data sharing with other firms, where the firm stores data, and how the firm secures said data is essential. In data sharing disclosures within the privacy policy, the GDPR does not force the firm to disclose names of firms, but only their broad type (mail, payment processors, etc). Any updates to the privacy policy must be adequately notified.

The GDPR provides the following legal bases for processing a person’s data. Any data collected for processing must fulfill at least one of the following legal bases. These must be shown corresponding to the classes of data collected in the privacy policy:

1. Users have given their consent for a specific purpose; This automatically implies the right of the user to withdraw his/her consent anytime, as also the right to delete their data on request;
2. Data processing is required to maintain or enter a contract in which the user is a participant;
3. Data processing is required for fulfilling a legal obligation of which the controller of the data is a subject;
4. Data processing is required for the protection of users’ interest (for upholding their rights, as set out in Chapter 3);
5. Data processing is required for an activity done in the public interest;
6. Data processing is done in the legitimate interest of the controller of the data or some other person; Processing their personal data is absolutely necessary for the lawful carrying out of the firm’s business, and has been discerned so by a Legitimate Interests Assessment; These legitimate interests have to be specified clearly.

Another important facet is storage limitation, whereby the firm does not store personal data longer than it would be required. The privacy policy must specify the duration for which the firm shall hold personal data in their systems. If different durations exist for different classes of data, they need to be specified.

It is good practice to have a dedicated Data Processing Officer to overview the functioning of GDPR’s compliance within the organization, apart from being nodal to contact in case of user complaints. In case DPOs are not appointed, a dedicated contact must be provided nonetheless for user grievance redressal regarding privacy and data security. Most importantly, any data breaches must be reported to data protection authorities within 72 hours of detection.

Be aware of and clearly disclose international data transfers

Articles 40 to 49 of the GDPR cover a range of data transfer restrictions. These transfers are deemed acceptable only after data processing itself is held legal, i.e. when it fulfils one of the legal basis mentioned above. Once that happens, the following distinctions come to play for data transfers:

1. “Secure Third Country”: Some jurisdictions have been considered “secure” by the EU, as their data protection frameworks are comparable to the GDPR, and offer “adequate protection”. Data can be freely transmitted and stored between these countries and the EU. One can access the list here.
2. For countries that do not fall in the aforementioned category, data transfers are still possible. This is achievable through the inclusion of “Standard Contractual Clauses” in the privacy policy. One can access these clauses here.
3. One can transfer data within a multinational company, or a group of companies’ assets, provided binding corporate rules in accordance with GDPR are followed.
4. As a last resort of sorts, free consent of the user can partially override these restrictions. Due care must be taken here, whereby the user is explained in no unclear terms that their data would be transferred to a country not considered “secure” by the EU.

Conclusion

The GDPR is a sine qua non for business not just in Europe, but for business on the internet in the future. Countries have been modeling their data protection laws based on the GDPR, and compliance is a good way of future-proofing one’s business. Drafting a GDPR policy is much less about legalese than about consent and transparency- two values that the modern consumer increasingly respects. In this regard, GDPR compliance is as much an ethical value point as much as mere compliance.

References

• https://www.humcommerce.com/blog/gdpr-ecommerce-checklist/
• https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/accountability-and-governance/data-protection-by-design-and-default/
• https://www.indez.com/blog/gdpr-checklist-eommerce-businesses
• https://www.flycart.org/blog/ecommerce/ecommerce-gdpr-checklist-and-guide
• https://www.space48.com/wp-content/uploads/2018/02/Ultimate-GDPR-checklist-for-ecommerce.pdf
• https://divante.com/blog/gdpr-practical-checklist-ecommerce/
• https://rubygarage.org/blog/gdpr-compliance-for-ecommerce-websites
• https://gdpr-info.eu/chapter-3/
• https://gdpr-info.eu/issues/personal-data/

---

Students of Lawsikho courses regularly produce writing assignments and work on practical exercises as a part of their coursework and develop themselves in real-life practical skill.

LawSikho has created a telegram group for exchanging legal knowledge, referrals and various opportunities. You can click on this link and join: