Part 1: The new Data Protection Law - GDPR, and how it impacts eCommerce businesses.
Come May 25th, 2018, the GDPR will take effect, significantly changing how businesses collect consumer data.
The implication is that any business that collects large amounts of consumer data will have to make major changes to be compliant. This applies especially to e-commerce businesses, whose core operations depend on collecting large amounts of data.
What is the GDPR?
GDPR stands for General Data Protection Regulation. It is set to replace the existing EU’s Data Protection Act as the new standard for handling business data and privacy laws. The regulation will affect any business that is based in the EU or has customers in the EU.
In summary, the GDPR extends the right of consumers to access, correct, delete, and restrict processing of their data, and places a lot of responsibility on businesses to protect such data with strict guidelines for its handling.
The GDPR has a more extensive scope than the current DPA. For example, even information that does not directly identify a specific person, such as an IP address, counts as personal data.
The most important thing right now is for businesses to begin preparing to meet the demands of the GDPR. I have put together a few guidelines on how to do this; they are as follows:
- Start by reviewing your existing data collection and handling processes, including all outsourced elements such as marketing or payments. Check your current compliance level against the requirements of the GDPR legislation to identify the specific places where quick changes can be made.
In your reviews, these are some fundamental questions to ask:
• Does your privacy policy need to be updated?
• Are the third-party services and sub-processors (e.g., cloud services) you use GDPR compliant?
• Would you require the services of a Data Protection Officer?
- Transparency: Make everything regarding data collection and handling very clear to your customers. GDPR compliance regulators love transparency – even something as simple as placing the unsubscribe button right beside the subscribe button. Make it easy for customers to give their explicit consent when handing over their data. Also, you may need to let your data subjects know which other organizations have handled their data and why this was necessary.
- Data Accessibility: Your data subjects should be able to access their data easily and quickly. Where possible, there should be no unnecessary delays in offering any data for download.
- Consistent Record Keeping: Henceforth, it is essential to keep a detailed record of all data subject consents, including what the consent was for and the method by which such consent was received.
- Don’t collect information you don’t need. If you aren’t going to use a particular customer’s information, there’s no point asking for it. This also increases the efficiency of your data management system.
- Henceforth, customers will need to give explicit consent. Therefore, any default opt-ins should be deactivated. The implication is that pre-checked consent boxes will no longer suffice as valid consent.
- In the event of a data breach, it should not take more than 72 hours to inform the data subject(s) involved, with a readiness to demonstrate your security and data privacy procedures. This applies equally when the breach poses a high risk to the rights and freedoms of the subject(s). It is also essential to run mock breaches to test this notification procedure.
- Implementation of Privacy-by-design: When collecting any customer’s data, there needs to be clarity as to what happens to the data, where it is stored, and whose responsibility its storage and processing is. This is particularly imperative for e-commerce businesses when collecting customers’ email addresses, physical addresses, and card details during payment.
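The record-keeping, explicit-consent, data-access and breach-notification points above can be turned into concrete checks in an application. The following is an added example written for this post, not code from the original article or from any named product: a small consent ledger that refuses consent obtained through a pre-checked or defaulted opt-in, records what each consent was for and how it was obtained, keeps withdrawals as timestamps instead of deleting history, exports everything held about one subject for an access request, and computes the 72-hour notification deadline quoted above. The method names in EXPLICIT_METHODS, the customer identifiers and the timestamps are all constructed for the example.

```python
from __future__ import annotations

import json
from dataclasses import dataclass, asdict
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed set of channels this example treats as explicit, affirmative opt-ins.
# Anything else (pre-checked boxes, silent defaults) is rejected as evidence of consent.
EXPLICIT_METHODS = {"checkbox_ticked_by_user", "double_opt_in_email", "signed_form"}

# Notification window quoted in the post.
BREACH_NOTIFICATION_WINDOW = timedelta(hours=72)


class ConsentError(ValueError):
    """Raised when a record would not stand as valid evidence of consent."""


@dataclass
class ConsentRecord:
    subject_id: str                  # hypothetical pseudonymous customer identifier
    purpose: str                     # what the consent was for, e.g. "marketing_email"
    method: str                      # how the consent was obtained
    granted_at: datetime             # when it was obtained (UTC)
    withdrawn_at: Optional[datetime] = None

    def is_active(self, at: datetime) -> bool:
        """Consent counts only between the grant and any later withdrawal."""
        return self.granted_at <= at and (self.withdrawn_at is None or at < self.withdrawn_at)


class ConsentLedger:
    """Append-only consent log; withdrawal stamps a record rather than deleting it."""

    def __init__(self) -> None:
        self._records: list[ConsentRecord] = []

    def record_consent(self, subject_id: str, purpose: str, method: str, granted_at: datetime) -> ConsentRecord:
        if method not in EXPLICIT_METHODS:
            raise ConsentError(f"consent method {method!r} is not an explicit opt-in")
        rec = ConsentRecord(subject_id, purpose, method, granted_at)
        self._records.append(rec)
        return rec

    def withdraw(self, subject_id: str, purpose: str, at: datetime) -> int:
        """Mark every open consent for this subject and purpose as withdrawn; returns how many."""
        count = 0
        for rec in self._records:
            if rec.subject_id == subject_id and rec.purpose == purpose and rec.withdrawn_at is None:
                rec.withdrawn_at = at
                count += 1
        return count

    def has_consent(self, subject_id: str, purpose: str, at: datetime) -> bool:
        return any(r.subject_id == subject_id and r.purpose == purpose and r.is_active(at)
                   for r in self._records)

    def export_for_subject(self, subject_id: str) -> str:
        """Serialise everything held about one subject, for a data-access request."""
        rows = [asdict(r) for r in self._records if r.subject_id == subject_id]
        return json.dumps(rows, default=lambda d: d.isoformat(), indent=2, sort_keys=True)


def breach_notification_deadline(detected_at: datetime) -> datetime:
    return detected_at + BREACH_NOTIFICATION_WINDOW


def notification_is_late(detected_at: datetime, notified_at: datetime) -> bool:
    return notified_at > breach_notification_deadline(detected_at)


def demo() -> dict:
    """Run the ledger over constructed data and return the outcomes for inspection."""
    ledger = ConsentLedger()
    t0 = datetime(2018, 5, 25, 9, 0, tzinfo=timezone.utc)
    ledger.record_consent("cust-001", "marketing_email", "double_opt_in_email", t0)
    try:
        ledger.record_consent("cust-002", "marketing_email", "pre_checked_box", t0)
        rejected = False
    except ConsentError:
        rejected = True  # a pre-checked box is not valid consent
    before = ledger.has_consent("cust-001", "marketing_email", t0 + timedelta(days=1))
    ledger.withdraw("cust-001", "marketing_email", t0 + timedelta(days=2))
    after = ledger.has_consent("cust-001", "marketing_email", t0 + timedelta(days=3))
    export_rows = len(json.loads(ledger.export_for_subject("cust-001")))
    late = notification_is_late(t0, t0 + timedelta(hours=80))
    on_time = notification_is_late(t0, t0 + timedelta(hours=48))
    return {"rejected": rejected, "before": before, "after": after,
            "export_rows": export_rows, "late": late, "on_time": on_time}


if __name__ == "__main__":
    print(demo())
```

Keeping withdrawn records rather than deleting them is what lets you demonstrate, after the fact, exactly what a customer agreed to and when; the export function doubles as the artefact you hand over for an access request.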
What do you gain by being GDPR compliant?
GDPR compliance will be a strong selling point for companies in the EU market, and e-commerce businesses can very well latch on to this. You can already see several discussions about GDPR popping up everywhere on the internet.
Is there a penalty for non-compliance?
If you are found to be in breach of the new GDPR guidelines, you may be fined 20 million euros or up to 4% of your turnover, whichever is greater. So, why risk having to pay a fine large enough to shut down your company when you can get ready for the 25th of May?
Despite the time and work needed to comply with the new demands, the GDPR will prove to be of huge benefit to any business that puts in the effort.
This post is to help you get a head start on preparing for the launch of the new regulation and position your business for the critical data privacy advantage ahead of time. We have, have you?