What is GDPR?
GDPR stands for General Data Protection Regulation. It’s a new law passed by the European Union (EU) that sets guidelines on the gathering and processing of personal information. The regulation seeks to protect private data by giving control of it to individuals within the EU. An entity or enterprise has to engage in economic activity, as defined by European Union competition law, in order for GDPR to apply.
The regulation refers to companies and organizations as “data controllers,” meaning any institution that collects data for its purposes. Individuals are called “data subjects.” The other party mentioned is the “data processor,” which refers to third-party suppliers like Shopify, MailChimp, or any internal teams that do similar work.
GDPR came into effect on May 25, 2018, but was adopted by the European Parliament back in April 2016. It applies to all companies that collect data in the EU – even if you’re an American-based eCommerce website, you’re required to comply with GDPR.
While it only applies to individuals within the EU, most companies have decided to go ahead and apply it to their customers everywhere. Their hope is by doing so, they will build loyalty by showing they care about individual privacy.
How Does It Affect E-Commerce Businesses?
The GDPR applies to any kind of database of information, including those involved with sales, accounting, human resources, and marketing.
There are seven key requirements businesses must comply with: consent, right to access, right to be forgotten, data portability, privacy by design, breach notification, and Data Protection Officers.
The regulation requires businesses to obtain explicit consent from users to collect and use personal data. You might have noticed some pop-ups or banners on your favorite websites saying you understand they’re collecting personal data.
Data subjects have to give their clear consent for any marketing activities. Gone are the days of pre-checked boxes or automatically being opted into marketing activities. Also, companies must list the third parties that may have access to users’ data.
Right to be Forgotten
Companies should only collect data they need to fulfill a specific set of purposes relevant to their usage. They also can’t keep the data longer than necessary; once the data is irrelevant for its original purpose, individuals can request the data controller erase the person’s data and stop it from being distributed further.
This also refers to the process of account deletion, which some companies have made extremely difficult. Now, the steps must be easy to follow and advertised for those wanting to remove their personal data.
Right to Access
Individuals are given the right to obtain confirmation from any data controller of whether and how their personal data is being used. Data controllers must provide that information without undue delay.
They also have the right of access to a copy of their personal data. The copy must be free and made available in an electronic format that’s accessible for the person.
Data subjects are able to obtain and reuse their personal data however they want. They can take data collected by one agency and transmit it to another controller, so long as it doesn’t negatively affect the rights and freedoms of others.
Privacy By Design
Organizations must design systems that include data protection from their onset. They must apply suitable technical and infrastructural measures. These include ensuring that the only data being processed is specific to the purpose it’s being used for.
Companies will also have to notify all EU citizens of a hack or breach. They are required to conduct privacy risk-impact assessments where privacy breach risks are high. This is to analyze any risk of data breaches and to come up with a way to minimize its damage.
Data controllers are required to report a data breach to their data protection authority within 72 hours of becoming aware of the problem. If a breach is unlikely to infringe on the rights and freedoms of data subjects, they are not required to report it.
Data Protection Officer
Organizations must also appoint a Data Protection Officer (DPO) who oversees data security. However, this is only required for companies that store large amounts of personal data for employees and/or consumers. The DPO must have real expertise on current laws surrounding data privacy.
More specifically, those required to appoint DPOs are a public authority or body and any organization with more than 250 employees whose core activities “consist of processing operations which … require regular and systematic monitoring of data subjects on a large scale.”
If you’re a company based outside of the EU, the GDPR is a great opportunity to build trust in your consumer base. A 2017 survey by Gigya found that 68% of consumers don’t trust brands to handle their personal information appropriately. Emailing your base and posting on your social media that you’ll comply with GDPR for all customers can alleviate these concerns, especially for those users outside of the EU who aren’t protected by GDPR.
What Are The Consequences?
Not upholding the GDPR can lead to a fine of up to €20 million (currently about $23.5 million USD) or 4% of a data controller’s global turnover. Note that the fine is based on a company’s turnover, not its profit. Whichever amount is greater is the fine.
Many proponents see this fine as a good thing. According to a 2016 study on data breaches, the average cost of a data breach is $4 million. Adding another large fine of over $20 million ensures companies are more careful and honest.
What Do I Need To Do As An E-Commerce Site?
Now that it’s in effect, there are at least four things any business can do to comply with GDPR.
1. Be Selective
Be able to answer why you’re collecting every piece of data, how it’s stored, and how you’re protecting it. If you are collecting any data that isn’t pertinent to serving customers, you’ll want to consider discontinuing collecting it.
2. Protect Data
GDPR explicitly encourages the “pseudonymization” of Personally Identifiable Information (PII) so that records no longer identify a person on their own. Pseudonymization is the process of replacing identifying fields in personal data records with one or more pseudonyms. The GDPR defines it as “the processing of personal data in such a way that the data can no longer be attributed to a specific data subject without the use of additional information.”
In addition, use encryption: purchase and install an SSL certificate, which can cost as little as $8.99 annually, so that traffic to your site is encrypted. To safeguard both the transmission and the storage of data, use other technologies such as Triple DES and RSA encryption.
3. Update Your Policies
4. Develop a Response Plan
Often, security breaches are the result of human error, and no security system is without flaws. Creating a plan that lets you react quickly and effectively will show your customers you care and are capable of handling their data responsibly.
You’ll have to notify a supervisory authority within 72 hours of a breach. You’ll also have to notify any data subject whose unencrypted data was stolen or compromised. Produce a public relations campaign and strategy to assure customers this has become your No. 1 priority.
If you still feel unsteady about the potential backlash from not upholding GDPR, or have any concerns for that matter, you can take courses to better educate yourself. Keep in mind that this regulation only applies to your customers who are citizens of, or reside in, the following countries in the EU:
- Republic of Cyprus
- Czech Republic
- United Kingdom
However, you’ll want to seriously consider abiding by some of the principles outlined with all of your consumer bases. With recent major news focusing on private data breaches and protection or usage of personal information, companies will want to get ahead of the problem by letting their customers know they value their privacy, protection, and ability to control the dissemination of their information.
What are three things your company needs to do to ensure it is complying with GDPR?