Starting on May 26th, 2018, business owners and entrepreneurs around the world with customers in Europe must be ready to fulfill GDPR requirements. Non-compliance might be painful, especially for small businesses, as fines can be as high as €20 million or 4% of annual turnover. The time left to accomplish this is extremely short, but still, many companies seem to be unsure how to comply. So let’s take a look at how we should prepare.
What is the General Data Protection Regulation?
The General Data Protection Regulation (GDPR) is the new legal framework for personal data protection across the European Union. Until now, data protection for all eCommerce businesses in the European Economic Area was based on the Data Protection Directive (DPD) from 1995. Since that time, technology has changed many aspects of our business and the laws have had to follow suit. The GDPR updates many regulations previously set in the DPD, but also introduces several new rules, including extending the jurisdiction to all companies processing the personal data of EU residents, mandatory breach notification within 72 hours and the right for data subjects to obtain information on how their data is being processed and for what purposes. The new rules of GDPR are outlined on this website.
The implementation of GDPR will be closely watched across the world, as it is the most extensive change in data privacy regulation in over 20 years. Companies and organizations have had two years to adapt to those changes.
Does the GDPR apply to your eCommerce?
It might seem that the new regulations apply only to businesses in the European Economic Area, but this couldn’t be further from the truth. The nature of business based on eCommerce is that we’re trying to reach as far as possible and find customers worldwide. Let’s check whether GDPR also applies to your business with this flowchart:
Flowchart by Smaato
So as you can see, even if your eCommerce is based in the U.S., Canada or any other country in the world, if you’re handling the data of at least one European resident, the new regulations apply to your business. What’s more, GDPR is not limited to a particular size of business entity, so even small or public companies must comply with the requirements. This is associated with the costs of data audits and IT upgrades; however, no business manager should hesitate. The fines for non-compliance can be as high as €20 million or 4 percent of global annual turnover, whichever is higher, or a 30-day suspension.
Where to start?
The process of adjusting to GDPR can be time-consuming and costly, depending on your current infrastructure and procedures. However, before spending money, verify the areas you need to focus on and clarify the actions you need to take. To do that you can start with the GDPR Compliance Checklist for eCommerce and check step by step whether you meet the new regulations in the most important areas:
- Data access
- Collected data
- Consent from users
- Data profiling and external software
- User possibility of being forgotten
- Integration and transfer of data
- Data administrator procedures
3 tips to comply with GDPR at the beginning
If your “to do” list for GDPR compliance in your online store seems extremely long, do not panic. There are a few things, worked out together with our partners from Europe and the U.S., that you should resolve first in order to collect and secure personal data, record the necessary login access and prepare for transparent communication with your customers.
1. CONSENT CHECKBOXES
Your online store has at least a few of them, right? Whether you ask your customers for personal data to fulfill the order, for marketing purposes, for profiling or for third parties (e.g. cookies), remember to put a separate and independent checkbox for each request for consent and describe it in simple language. Also, name all third parties using your clients’ data.
Your customer must understand the requests for consent and agree to them consciously, so do not use any pre-ticked or “select all” checkboxes.
2. ONLY NECESSARY DATA
With GDPR you cannot ask customers for personal data that is not relevant to a product or service offered in your eCommerce. Collect and store customers’ data only when it is crucial to provide your offer. In case of inspection, you must prove that this personal data is necessary. Also, check your current databases: if you hold any non-obligatory personal data, you will have to delete it.
3. DATABASE ACCESS
Check your database access: since May 26th, all operations on your databases must be logged. It doesn’t matter whether you do it directly in the database or via the administration panel; ensure that each and every attempt to read, modify or erase records containing personal data is registered.
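The logging requirement in tip 3, as an added example that is not part of the original article: a small Python access layer over SQLite in which every attempt to read, modify or erase a customer record writes an audit row in the same transaction, whether the call comes from the shop API or the admin panel. Table names and the actor and channel labels are assumptions made for the example.

```python
import sqlite3
from datetime import datetime, timezone

# Added example (not from the original article): every read/modify/erase
# attempt on personal data is recorded, whichever path made the call.
# Table and column names are assumptions chosen for this example.
SCHEMA = """
CREATE TABLE IF NOT EXISTS customers (id INTEGER PRIMARY KEY, email TEXT, name TEXT);
CREATE TABLE IF NOT EXISTS personal_data_audit (
    ts TEXT NOT NULL, actor TEXT NOT NULL, channel TEXT NOT NULL,
    action TEXT NOT NULL, customer_id INTEGER, outcome TEXT NOT NULL);
"""

class PersonalDataStore:
    def __init__(self, conn):
        self.conn = conn
        conn.executescript(SCHEMA)

    def _audited(self, actor, channel, action, cid, sql, params):
        # Data statement and audit row share one transaction, so a change
        # cannot be committed without its log entry; misses are logged too.
        cur = self.conn.execute(sql, params)
        hit = cur.fetchone() if action == "read" else cur.rowcount
        self.conn.execute(
            "INSERT INTO personal_data_audit VALUES (?,?,?,?,?,?)",
            (datetime.now(timezone.utc).isoformat(), actor, channel, action,
             cid, "ok" if hit else "not_found"))
        self.conn.commit()
        return hit

    def read(self, actor, channel, cid):
        return self._audited(actor, channel, "read", cid,
                             "SELECT id, email, name FROM customers WHERE id=?", (cid,))

    def update_email(self, actor, channel, cid, email):
        return self._audited(actor, channel, "modify", cid,
                             "UPDATE customers SET email=? WHERE id=?", (email, cid))

    def erase(self, actor, channel, cid):
        # Right to be forgotten: the record goes, the audit trail stays.
        return self._audited(actor, channel, "erase", cid,
                             "DELETE FROM customers WHERE id=?", (cid,))

    def audit_trail(self, cid):
        sql = "SELECT actor, channel, action, outcome FROM personal_data_audit WHERE customer_id=? ORDER BY rowid"
        return self.conn.execute(sql, (cid,)).fetchall()

def demo():
    store = PersonalDataStore(sqlite3.connect(":memory:"))
    store.conn.execute("INSERT INTO customers VALUES (1, 'anna@example.com', 'Anna')")  # constructed row
    store.read("support_agent", "admin_panel", 1)
    store.update_email("shop_api", "direct_db", 1, "anna.new@example.com")
    store.erase("dpo", "admin_panel", 1)
    store.read("support_agent", "admin_panel", 1)  # attempt after erasure is logged as not_found
    return store.audit_trail(1)
```

The audit table is append-only by convention here; in production, also restrict DELETE and UPDATE rights on it so that a compromised application account cannot rewrite its own trail.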
These things are both on the front-end and back-end of your store and you might need a little help from your IT team. If you seek advice on specific interpretations or requirements concerning the implementation of GDPR in your business, always consult your own legal professionals.
These 3 steps are just the beginning of working towards GDPR compliance in your eCommerce, but they give you an excellent base to start with. Having access to all data, logs and customers’ consent will allow you to meet the demands of inspectors and of clients who ask to be forgotten, to see their data and to learn how it was processed.
After you implement proper solutions to meet the above requirements, you should start working on the procedures in your company so that you can react quickly and protect your clients’ rights. Remember: in case of a crisis like a data leak, you must be ready to give breach notification within 72 hours, both to your clients and to local inspectors. To keep the process smooth you can use the help of external GDPR Compliance Services.
The goal of GDPR is simple: to give control over personal data back to individuals. While changing your policies, processes and store solutions, remember to bring more understanding, clarity and control to personal data processing.