They're made to protect the privacy of your users and customers - and if you're selling sound effects, running a newsletter or other initiatives to promote your sounds, the rules will likely affect you, whether you're based in the EU or not. The question is how.
That's something I'd like to help clarify - and to do that, I've reached out to Kasper Mai Jørgensen, co-founder of ComplyTo, a company that helps anyone doing business online to ensure they're complying with the GDPR rules.
Please note: I hope the following helps you get a better idea of the implications of GDPR. However, as I'm not a lawyer, I can't make any guarantees as to the legal accuracy of the information below.
Hi Kasper, could you please introduce yourself?
Hi Asbjørn, I am co-founder and CEO of ComplyTo. I come from a finance and compliance background, and found that as a small or medium-sized business there is no easy and cost-effective way to work with compliance in general and GDPR specifically. Therefore we started ComplyTo.
What do the new rules mean for a webshop owner – and what are the consequences of not being compliant with the rules?
The consequences are obviously fines. I am sure a lot of people have heard that they can be up to €20 million. For a webshop this is probably a bit irrelevant, at least in the beginning. However, to me, the biggest risk is that customers expect that a webshop has this under control, and if not, they will take their business elsewhere.
What are the steps that need to be taken to prepare for GDPR?
Documentation, documentation and documentation. The most important step is to start by documenting that you know what data you have, where – and which companies you have contracted with to store these (Google, Microsoft, Mailchimp and many others). Smaller companies in particular usually use many cloud solutions. You are responsible for the privacy data that you store in those systems.
What agreements do you need to have in place, what sort of documentation are you required to have – and are there certain items that need to be featured on the site itself?
Additionally, to manage your suppliers that store your privacy data, you need what is called “data processor agreements”. If you use the larger cloud solutions they might have sent you such an agreement already. It is your responsibility to ensure that these agreements are aligned with your requirements. When you sign or accept such an agreement, the fine for breach of personal data will be forwarded to you and not the supplier. So you need to be a bit critical on these, as, at the end of the day, the supplier has interests that are in opposition to yours.
Many webshops run on WordPress / WooCommerce, and there’s a lot of effort being put into automating many of the processes needed to comply with the rules. Here’s an overview of what’s happening with WooCommerce and GDPR, and here’s an overview of what’s happening in WordPress.
As a shop owner, what are some of the things you can’t do going forward?
As long as you were following the law before you can continue with most activities. Most countries have had data protection rules for many years. The main difference now is that you need to document that you are in control of the privacy data.
You can still send emails to your customers, you can still send newsletters (if the person has subscribed – which was also the rule before GDPR). You cannot do ‘cold emailing’ – but this wasn’t allowed in most countries before anyway.
If someone wants their data removed from your records, how do you go about that in practical terms? An often-heard term in relation to GDPR is ‘The Right To Be Forgotten’ – what does that mean exactly?
I used to say “forget the right to be forgotten” 😀. The right to be forgotten is not an absolute right. If you have a legitimate reason to keep the data, you do not have to delete data if a customer asks to be forgotten. The right to be forgotten is mostly relevant if you get consent to use privacy data, but contact details, purchase history, etc. you can collect and process without consent, and you can keep these data as long as you have a valid purpose – e.g. to comply with bookkeeping rules.
You should be more concerned by the right to insight. Under this you have to send the privacy data on a person to that person if they request it – so you need to know where you store all this data, and how to get the data out.
What happens if you only sell via a 3rd party marketplace, such as A Sound Effect?
If you sell through a 3rd party it makes it easier to manage the privacy data for the persons buying the product – since the 3rd party marketplace manages the contact with the end-customers. However, you may still have privacy data from your suppliers, other customers, and you probably have Asbjoern’s contact details ;-) Nevertheless it makes your documentation much simpler, as the privacy data you have access to is much more limited.
How does ComplyTo’s solution work – and if shop owners use ComplyTo, are they guaranteed to be in compliance?
ComplyTo makes a tool to ensure that you document your work with GDPR. The system assists you in mapping what privacy data you have. Based on that, we generate the privacy policies and data processor agreements needed. Additionally we have a risk and task management system that you use for ensuring that you stay in compliance. If there is a mismatch between the data mapping and the rules we will notify you, by creating a risk and task list with specific guidance on what to do.
We do not claim to guarantee compliance, as that would require us to audit your data input and would not make it possible to deliver our product for a fair price. But we get you at least 80% of the way. For most small and medium-sized companies we have all you need. And you can always get an auditor or lawyer to review the result – just like you can get an auditor to review your accounts if you want additional assurance.
The data protection rules change all the time, and new rules and practices will impact what can be considered compliance. We are continuing to update our system to manage these developments to ensure you are up to date.
And by using a system to map your data it is also easy to update all documents, tasks and agreements when you decide to put privacy data in a new system or in other ways change your use of privacy data.
How do you demonstrate / document that customers and visitors have accepted the GDPR compliant rules on your site? Does continued use of your site after they’ve seen the rules equal consent?
You do not need to get consent from users that they have read and understood the rules, nor do you need to get acceptance from the users in other ways. You just need to inform the user. Only in a case where you are processing privacy data would basic consent be relevant – that would be the case for newsletters, for example. If you get consent you only need consent for the specific data and specific use thereof – e.g. names and emails for sending newsletters.
If you’ve got more questions about GDPR, please leave a comment in the comments section, and Kasper Mai Jørgensen will do his best to answer them as soon as possible.
Do you have to notify all your existing customers about the new GDPR rules?
To sum up, can you offer a quick checklist of actionable GDPR steps for webshop owners?
1. Know what privacy data you have and where
2. Document what you do with privacy data
3. Ensure that your users, employees, etc. are properly informed about how privacy data is processed in the company – through privacy policies.
4. Ensure that you have data processing agreements in place where you have 3rd parties managing this.
5. Ensure that you can document your work with this continuously. Ensure that you follow processes, review the data, remember to delete data when no longer in use, etc. GDPR is not a one-time effort. It is a continuous process.
If in doubt, put yourself in the place of the user – would you be satisfied with the information and use of data as a customer or user?