GDPR and internet businesses

The world of Internet business now occupies a huge market space. But even this kind of business cannot avoid laws or rules, including new ones. On 25 May 2018, a new European Union regulation came into force which clarifies the protection of personal data and extends the powers of natural persons.

Any entity processing personal data in any way will have to comply with the new regulation. Of course, institutions or intermediaries such as accountants or lawyers will also be subject to these rules.

What is personal data?

Simply put, it is any data that allows the person concerned to be identified, that is, a natural person who can be identified using the data. It also includes information relating to economic, cultural, social or mental identity. Typical data are first name, surname, date of birth, social security number, address, IP address, or cookies.

How to start implementing GDPR in practice?

Everything must follow a certain sequence; otherwise even a small detail can be neglected, which can turn into a big problem. Until now, the protection of personal data has been regulated by Act no. 122/2013 Coll., the Personal Data Protection Act. It remains valid, and it is therefore necessary to fulfill all its requirements, and then all the GDPR amendments as well.

You need to know:

  • what data the company works with,
  • how it archives them,
  • who is responsible for them.

First, it is necessary to modify the terms and conditions of the website and to give access to the employees, or it is advisable to consult an IT professional to set up all processes on the web. Equally, it is essential to obtain proper and comprehensible consent from website users, so that the entity can demonstrate that the user has authorized the processing of the data.

Consent requires:

  • entity identification,
  • the reason and purpose of the collection of personal data,
  • informing the user of his or her rights,
  • information whether the data will be further manipulated.

ATTENTION! Consent may not form part of the terms and conditions. It must be clearly separated, for example, as a separate checkbox.

Does GDPR also apply to email marketing?

The use of data subjects' emails must again be brought into line with GDPR, as email is also defined as personal data. The sending of an offer or newsletter must therefore be conditional on the person's consent.

Interestingly, GDPR also takes content into account. By this, we mean that if a customer buys electronics and agrees to receive emails as part of their purchase, the entity does not have the right to send them a newsletter containing an offer of sports equipment.

I have collected addresses, what to do with them?

Of course, from the point of view of GDPR rules, the entity needs to obtain re-approval from the clients/users concerned. In this way, the company finds out how many of the contacts are current. Indeed, GDPR allows the processing only of data actually used by the company. Therefore, it is necessary to justify what the company uses the data for. If it has data that is not used for its activity, it is obliged to delete it.

Use of advertising magnets

The best way to explain this is by way of example. Take a competition, which belongs to the so-called “lead magnets”. The first, obligatory consent is the consent to informing the winner of the competition. The second, optional consent is the consent to receive newsletters.

The same is true of unlocking content on the web. If the content is charged correctly, but only at the cost of providing the email, the user has the right to view the content without entering it.

What about programs used to process personal data?

Again, it's a good idea to look at an example. MailChimp is one of the most widespread e-mail collection systems. Currently, the software is unable to meet GDPR requirements. However, the updates announced by the developer should ensure proper functioning within the legal standards before the GDPR becomes effective.

What about sanctions?

EUR 20 million or a financial penalty of up to 4% of the company's annual turnover. It sounds threatening, and for many companies it is almost ruinous. However, sanctions are intended to make an impression and to safeguard compliance with GDPR.

Obviously, a number of concrete cases where GDPR applies could be analyzed. But there is no need to worry or stress yourself. GDPR is not a turning point; on the contrary, reducing the risk of misuse of personal data is a priority and a necessity today.
