Although an online presence has become mandatory for many organizations, not only through websites but also through sales via eCommerce, Apps and marketplaces, it is also true that many of them are still not compliant with the requirements of the GDPR (General Data Protection Regulation).
This EU legislation was created to protect the privacy and personal data of European citizens and provides for fines according to the severity of the violation, with sanctions ranging from 2 to 4 percent of total annual turnover.
No messing around! The Privacy Guarantor fined two policy comparison sites 120,000 euros because they had registered thousands of consents for marketing purposes but, due to a bug, were unable to prove the real will of the users and that consent had actually been given.
The GDPR requirements are as important as the cash register or employee contributions, but they are still underestimated. We know that legal requirements drag with them quite a few technicalities that risk slowing down the process, especially if there is no dedicated consultant in the company.
In this article, we'll discuss the penalties you face if you violate the GDPR and help you respond to the Privacy Guarantor's requests to adapt your site, App or eCommerce as quickly and inexpensively as possible.
We talk a lot about GDPR, but to whom does it apply?
This applies to you if you are part of organizations, businesses, individuals, corporations, public and other entities -- including small businesses, voluntary associations, and nonprofit organizations -- that are based in the EU and offer goods or services (including free of charge) to EU citizens, or monitor the behavior of people residing in the EU, either directly or on behalf of others.
The GDPR may not be the only regulatory reference to which you need to adapt your site, App or eCommerce. Different countries have different rules, even if they are geographically very close to each other:
If you operate within the European Union, it is almost certain that your business must comply with GDPR. Read on to learn more.
How can the GDPR be violated and when can you incur the penalties, which, depending on the severity of the violation, range from 2 to 4 percent of the total annual turnover?
Let's start by saying that violations can cover several areas, including:
In detail here are some practical examples of GDPR violations:
The list clearly goes on, but there are several solutions!
Next we come to the main countermeasures you can take to improve your online compliance:
It is important to have an up-to-date Privacy Policy and Cookie Policy. To be valid, your privacy policy must describe the personal data collected, the purposes of processing, and list any third-party services with which that data is shared.
What is a cookie banner? It is a notice displayed on many sites and Apps on the user's first visit to inform them of the presence of any Cookies and of their rights, and to ask for consent to the installation of Cookies, especially third-party ones dedicated to marketing and advertising activities.
Having a cookie banner (along with a Cookie Policy) and blocking Cookies before obtaining user consent are all requirements under the ePrivacy Directive (Cookie Law) and GDPR.
When you browse online and carelessly click "Accept" in each cookie banner, wherever one is present, be aware that companies store your data and also use it for commercial purposes. In some cases they may also give it to third parties, which is why, when it comes to data processing, you need to remember that the organization must obtain unequivocal consent from users right from the beginning of the relationship.
Consent may be given limited to Technical Cookies, which are necessary to operate the site, as well as optional ones related to other purposes, first or third party.
To obtain consent for data processing from its users, the organization cannot use overly complicated or indecipherable terms. Users must be aware of what they are consenting to and the consequences of their choices.
For the Privacy Guarantor, it is the responsibility of the owner of the site, App or eCommerce to prepare unequivocal proof of consent that contains:
In the case of minor users, the organization is required to obtain verifiable consent from a parent or guardian of the minor, unless the service offered is prevention or counseling.
The organization must also make reasonable efforts (using any available technology) to verify that the person giving consent actually holds parental responsibility for the child.
Also for these reasons, all Policies must be written in a readable manner, using language and clauses that are understandable without using unnecessary or overly technical jargon.
Evidence of consents (e.g., for re-contact for marketing purposes) must contain several key elements; consents must not only be collected but also well documented. It is important to know on what day and at what time the user consented to a specific policy and through which form/application. The registry must not be manipulable by the data collector and must be available for consultation in case of a request by the Privacy Guarantor or Law Enforcement.
Audits of entire registries by regulators can also take place following a user's report. If the organization does not meet GDPR compliance, the entire registry is called into question, and with it all the consents you have collected up to that point!
You will understand that managing these aspects manually, without the use of dedicated software, is incredibly time-consuming and resource-intensive, as well as risky.
Iubenda's Consent Solution allows you to adjust your forms and store a proof of consent as required by the GDPR:
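To make the requirements above concrete (date and time of consent, the form or application that collected it, the exact policy text shown, and a registry that cannot be quietly edited afterwards), here is an added example of a tamper-evident proof-of-consent log. It is illustrative code written for this article, not iubenda's product or API; the class and function names, field names and sample users are all constructed for the example. Each entry carries the SHA-256 of the previous entry, so altering or deleting an earlier record breaks verification of everything after it.

```python
"""Tamper-evident proof-of-consent log: an added, illustrative example.

Each entry records who consented, to which policy text and version, for
which purposes, through which form/application, and when. Entries are
hash-chained (each carries the SHA-256 of the previous entry) so that any
later edit or deletion is detected on verification. All names and sample
values below are constructed for this example.
"""
import hashlib
import json
from datetime import datetime, timezone

GENESIS_HASH = "0" * 64  # chain anchor for the first entry


def _digest(body):
    # Canonical JSON so the same record always hashes the same way
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


class ConsentLog:
    def __init__(self):
        self.entries = []

    def append(self, subject_id, policy_id, policy_version, policy_text,
               purposes, source, action="given", given_at=None):
        """Append a consent event and return the stored entry."""
        if action not in ("given", "withdrawn"):
            raise ValueError("action must be 'given' or 'withdrawn'")
        given_at = given_at or datetime.now(timezone.utc).isoformat(timespec="seconds")
        body = {
            "seq": len(self.entries),
            "prev_hash": self.entries[-1]["hash"] if self.entries else GENESIS_HASH,
            "subject_id": subject_id,
            "policy_id": policy_id,
            "policy_version": policy_version,
            # Hash of the exact wording shown, so the text presented can be proven later
            "policy_text_sha256": hashlib.sha256(policy_text.encode("utf-8")).hexdigest(),
            "purposes": sorted(purposes),
            "source": source,      # form or application that collected the consent
            "action": action,
            "given_at": given_at,  # UTC timestamp of the user's choice
        }
        entry = dict(body, hash=_digest(body))
        self.entries.append(entry)
        return entry

    def verify(self):
        """Return (True, count) if the chain is intact, else (False, index of first bad entry)."""
        prev_hash = GENESIS_HASH
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "hash"}
            if body["seq"] != i or body["prev_hash"] != prev_hash:
                return False, i
            if _digest(body) != entry["hash"]:
                return False, i
            prev_hash = entry["hash"]
        return True, len(self.entries)

    def head_hash(self):
        """Latest chain hash, meant to be anchored outside the controller's reach."""
        return self.entries[-1]["hash"] if self.entries else GENESIS_HASH

    def has_consent(self, subject_id, purpose):
        """The most recent event for this subject and purpose decides."""
        for entry in reversed(self.entries):
            if entry["subject_id"] == subject_id and purpose in entry["purposes"]:
                return entry["action"] == "given"
        return False


def demo():
    """Constructed sample run: two consents, one withdrawal, then a tampering attempt."""
    log = ConsentLog()
    policy = "I agree to receive marketing e-mails about products and offers."
    log.append("user-1001", "privacy-policy", "2024-03", policy,
               ["marketing", "analytics"], "signup-form/v3",
               given_at="2024-03-01T10:15:00+00:00")
    log.append("user-1002", "privacy-policy", "2024-03", policy,
               ["analytics"], "mobile-app/ios-2.4",
               given_at="2024-03-01T10:16:30+00:00")
    log.append("user-1001", "privacy-policy", "2024-03", policy,
               ["marketing"], "preferences-page", action="withdrawn",
               given_at="2024-03-05T08:00:00+00:00")
    intact_before = log.verify()
    still_consents = log.has_consent("user-1001", "marketing")
    # A controller "fixing" an old record after the fact is caught by verification
    log.entries[0]["purposes"] = ["marketing", "analytics", "profiling"]
    intact_after = log.verify()
    return intact_before, still_consents, intact_after


if __name__ == "__main__":
    print(demo())
```

A hash chain on its own only proves internal consistency: whoever holds the log could rebuild the whole chain after editing it. What makes the registry "not manipulable by the data collector" is publishing the value of `head_hash()` somewhere the collector cannot rewrite (a timestamping service, write-once storage, or a third party such as a consent-management provider), so that a regulator can compare the anchored hash with the log that is produced on request.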
With Terms and Conditions, also known as Terms of Service or Terms of Use, you can define the terms of use of a site, App or service in a legally binding manner.
This document governs the contractual relationship between the service provider and the user and in fact constitutes a contract in which the conditions of use of the products and services provided are set out in black and white.
Copying or manipulating documents from activities similar to yours does not protect you from penalties and does not allow you to defend yourself in case of user abuse, especially in relation to applicable regulations.
The Terms and Conditions are needed by bloggers, eCommerce, SaaS and large companies.
If you deal with online sales in addition to explaining how you deal with users' personal data, you must specify to users:
You must not forget that the support of a DPO or specialized legal counsel is really important for your Company's GDPR compliance.
Every enterprise in fact processes different data, in varying ways, through many technologies, for many different purposes. Only ad-hoc consulting, paired with the right technology tools (such as iubenda), can help you sleep soundly.
How much does iubenda cost? How much do I have to pay to make my site, App or eCommerce compliant? iubenda offers subscription plans with an annual or monthly licensing fee, which keeps costs low while still equipping customers with the highest quality service.
The cost varies based on the sites and app to be made compliant and starts at a few hundred euros per year. Certainly more complex scenarios require the use of more sophisticated and advanced solutions that iubenda also offers to its customers on a pay-as-you-go basis (you pay for how much you consume the service).
iubenda is not a substitute for legal advice, but it complements such advice: any legal counsel or DPO in fact needs an infrastructure to lend a hand in managing policy and consent collection, in an appropriate and timely manner.
The costs are therefore to be considered an investment: both toward your users, with whom transparency always pays off in terms of relationship and trust, and in view of the very high penalties that can be avoided for a few hundred euros a year.
Legal compliance can often go unnoticed within organizations, but when it comes to penalties the attention of decision-makers in a Company is always very high. Protecting turnover is a priority!
The key aspects related to sanctions are summarized in Article 83 of the GDPR and the general conditions for imposing administrative fines. Each supervisory authority shall ensure that the administrative pecuniary sanctions imposed are effective, proportionate, and dissuasive in each and every case.
Administrative pecuniary sanctions are imposed according to the circumstances of each individual case, in fact, due consideration is given to the following:
(a) the nature, severity, and duration of the breach, taking into account the nature, scope, or purpose of the processing in question, as well as the number of data subjects concerned and the level of harm suffered by them;
(b) the wilful or negligent character of the violation;
(c) any action taken by the data controller or processor to mitigate the harm suffered by data subjects;
(d) the degree of responsibility of the controller or processor, taking into account the technical and organizational measures implemented by them in accordance with Articles 25 and 32;
(e) any previous relevant violations by the data controller or processor;
(f) the degree of cooperation with the supervisory authority in order to remedy the violation and mitigate the possible negative effects of the violation;
(g) the categories of personal data affected by the breach;
(h) the manner in which the breach came to the attention of the supervisory authority, in particular whether, and if so to what extent, the controller or processor notified the breach;
(i) where measures referred to in Article 58(2) have previously been ordered against the controller or processor concerned in respect of the same subject matter, compliance with such measures;
(j) adherence to codes of conduct approved under Article 40 or certification mechanisms approved under Article 42;
(k) any other aggravating or mitigating factors applicable to the circumstances of the case, such as financial benefits gained or losses avoided, directly or indirectly, by the violation.
If the controller or processor intentionally or negligently violates more than one provision of this Regulation for identical or related processing, the total amount of the administrative fine shall not exceed the amount provided for the most serious violation.
In short, as you may have guessed, it is crucial to have the best tools on the market, certified technicians to install those tools, and a legal partner who can validate your entire privacy dashboard: only in this way can you prove in front of the regulators that you have done everything you can to collect properly and protect your users' privacy to the maximum extent.
Do you want to adjust your website, eCommerce and App? Let's talk about it!