GDPR compliance guide for online businesses outside of the European Union (Part 5 of 5)

A simple approach to make the most of your GDPR compliance tasks and improve your business in the process.

The General Data Protection Regulation (GDPR) is a European Union (EU) regulation that applies to all organizations within the EU as well as those that offer goods and services to or monitor the behavior of EU residents. We conclude our five-part series with this article covering how you can make the best of your GDPR compliance checklists to improve your online business. If any questions remain, you can write to me or schedule time to discuss your specific situation in more detail.

This article is Part 5 of 5 in our series to provide a comprehensive guide for online businesses outside of the European Union to comply with the GDPR.

Click here to subscribe to our newsletter and receive new articles directly in your inbox.


Overview

In this final part of our series, we will go through a simple approach to check the boxes on your GDPR tasks while using this compliance exercise as an opportunity to evaluate your data processes and where they fit within your business.

There are reasons why companies incorporate where they do, choose one type of legal entity over another, and obtain various licenses and certifications. You may overlook these fundamental decisions you've made about your business because you considered them to be table stakes at the time to get started. It's no different when it comes to GDPR and other privacy regulations.

Data protection is now table stakes, especially for online businesses, because all of your business processes are essentially data processes. Advances in technology have made it easier to collect and process personal data. The fact that most processing now happens behind the scenes may mislead you into thinking you're not responsible for what is done with this data. Whether it's your CRM, mailing list, or a custom application, you are responsible for how individuals' data are handled by your processors, and you should plan these processes accordingly to serve your business needs with as little compliance overhead as possible.

In the next three sections, we will go through steps you should take starting with the simplest, most explicit, and customer-facing of your obligations to work up to the more complex tasks, which will demand more time and effort from you.

Appoint your EU representative

For online businesses outside of the EU that are required to appoint an EU representative per the GDPR, securing your representative should be one of the first steps in your compliance plan. Why? It's a very explicit requirement, and it's very easy for regulators and customers to detect whether or not you're compliant.

When it comes to more subjective components of the GDPR, such as the legal basis for your data processing, there is room for interpretation. This isn't the case with the EU representative requirement. Article 27 outlines the requirement for appointment, and Article 13 requires the disclosure of your EU representative's contact information (generally in your privacy policy). For this reason, it makes sense for your EU representative appointment to be early in your journey towards compliance to reduce your overall risk of fines.

Additional details of this requirement are covered in part two of this series, and we offer an instant solution to appoint your EU representative to get you started.

Update your privacy policy

A GDPR-compliant privacy policy that reflects your data processing activities is a more involved task but well-defined nonetheless. Your privacy policy is vital for two reasons. First, it's a customer-facing representation of your data processing activities and how you will treat their data. Secondly, it sets the tone for the rest of the GDPR compliance work you will undertake internally.

In reviewing thousands of privacy policies, we noticed a tendency on the part of most online businesses to rely on templates without necessarily understanding the purposes for which the templates were intended. Your privacy policy doesn't need to be a 20-page document with legal jargon. In fact, the GDPR requires you to use clear and simple language in your privacy policy. Furthermore, many templates omit sections unique to the requirements for businesses outside of the EU.

For these reasons, we used the guidance provided by regulators in the EU to create a template that is specific to businesses outside of the EU, which you can freely use to adapt to your business.

Implement data protection principles

After you've appointed your EU representative and updated your privacy policy, it's time to get your house in order in terms of implementing the policy you publicly outlined. The more processes and processors you have before undertaking this exercise, the more time you're going to spend upfront to evaluate and document them for your GDPR compliance.

Article 30 of the GDPR requires you to document your processing activities and share a copy of this document with your EU representative. We covered the details of this requirement and templates you can use to satisfy this requirement in part three of this series.

The benefit of going through an exercise to document your records of processing activities (ROPA) is that you will end up evaluating each process and processor that handles your customers' personal data. If, after creating your ROPA based on our previous article, you will know what you need to do to address any gaps in your compliance with the GDPR. In some instances, the way to resolve your discrepancies may require you to change a particular tool or process so you can demonstrate compliance when requested. The ROPA is a document that needs to be made available to regulators upon request, and it's prudent to handle any gaps you have before that time comes.

Once complete, you should also establish a practice of updating your ROPA every time you add a new data process. It will save you time to get a process right the first time, and you will have the added benefit of having an up-to-date ROPA at all times. If a processing activity is going to be challenging for your GDPR compliance, you will be able to eliminate the potential of establishing that process before becoming too reliant on it. At this point, you should also update the copy of the ROPA that is shared with your EU representative.

Lastly, if you are introducing a process that is GDPR-compliant but outside of the policy you had outlined, you will need to update your privacy policy accordingly and avoid a mismatch between what you've disclosed and your actual practices.

Final words

Your compliance with the GDPR doesn't have to be complicated. There are a lot of steps to take into account, and undoubtedly, it's particularly burdensome for smaller businesses to dedicate the time needed to achieve compliance. With the top-down approach outlined in this article, you can take the necessary steps and stay on top of your processing activities as your business evolves.

Disclaimer

While I've written this article to be as helpful as possible, it cannot and does not contain legal advice. The legal information is provided for general informational and educational purposes only and is not a substitute for professional advice. Accordingly, before taking any actions based upon such information, I encourage you to consult with the appropriate professionals. We do not provide any kind of legal advice. The use or reliance of any information contained on this site is solely at your own risk.

If you require legal assistance, I am happy to refer you to an attorney specializing in privacy laws and regulations. You can write to me or schedule time to discuss your specific situation in more detail.