Protecting Your Online Business from GDPR Privacy Complaints
The General Data Protection Regulation (GDPR) addresses data protection and privacy laws that work to protect individuals located in the European Union. As an online business owner, if you fail to comply with the regulation you could face privacy complaints filed by your consumers or supervisory authorities.
What is the GDPR and What Does it Require?
The General Data Protection Regulation (GDPR) is a law in the European Union (EU) that addresses data protection and privacy for all individuals in the EU. The GDPR is directly applicable to each of the member states of the EU. It aims to give EU residents control over their personal data, and to make it simpler for international companies to conduct business within the EU.
The GDPR was adopted in April of 2016 and went into effect on May 25, 2018. It replaced the Data Protection Directive of 1995. There are a number of key changes to the regulation that affect how commercial entities communicate with their end users and how they handle and process personal data.
The GDPR applies to both data controllers and data processors.
One of the biggest changes posed by the GDPR is the extended jurisdiction. According to the regulation, if your business processes the personal data of EU residents, then you are required to comply with the GDPR, regardless of whether the data processing takes place within the EU.
In addition to this, if your business is based outside of the EU, you are required to comply with the GDPR if you:
- Offer goods or services to EU-based residents, or
- Monitor online consumer behavior within the EU member nations
If your business breaches the terms of the GDPR, you will be fined the greater of four percent of annual global turnover or €20 million.
In addition, the GDPR strengthens the conditions for user consent. You are required to acquire user consent through an intelligible and easily accessible form, and your consent notice must state why you need to process that data.
The regulation also requires you to use easy-to-understand language, not legalese, when communicating your terms and conditions.
Finally, withdrawing consent must be as easy for your end users as giving it.
Allowing Customer Inquiries
According to Article 57 of the GDPR, supervisory authorities are responsible for handling consumer complaints.
It states that the supervisory authority should investigate the issue brought up by the consumer and let them know about the progress of the investigation and its outcome within a reasonable period of time. In addition to this, it also states that if further investigation by another supervisory authority is necessary, then the complainant should be informed of that as well.
GDPR Complaint Process
The GDPR empowers and encourages individuals to seek judicial relief for damages that may have been caused by a breach. Consumers can file formal administrative complaints with supervisory authorities against your business if they suspect a breach.
According to the GDPR, a complaint can be initiated by the data subject (the consumer) or by a supervisory authority. This is illustrated in the GDPR Complaint-Process Map.
Data subjects can file complaints with the courts of the EU member state where they reside, where they work, or where the alleged infringement occurred.
Consumers are also given the option to file a complaint against a supervisory authority if the supervisory authority fails to handle the complaint in accordance with the GDPR or fails to inform them about the status of their complaint for three months.
It's important to understand that the GDPR requires you to communicate how your business collects and processes user data in a way that is concise, intelligible, transparent, easily accessible, and written in easy-to-understand language (not legalese).
The GDPR also recommends that you post privacy notices on your website at the points where you collect personal data from your end users and, when necessary, obtain their consent.
For example, uSwitch displays simple, easy to understand notices on its energy comparison forms. The privacy notice for the email address field, for instance, briefly explains why you are required to enter your email address. It says that the website requires the email address in order to send you a copy of your comparison results.
If you're running an online business that is based in the EU or collects personal information from EU residents, then you're required to comply with the GDPR. You should be aware that a consumer can file a complaint against your online business if there's a breach of GDPR or if the rights granted to them by the GDPR aren't met.
By meeting these requirements, you mitigate your liability risk and maintain your compliance with privacy laws.