Unless you’ve been living under a rock for the past year and a half, you’ve probably heard of the GDPR. If not, well, let me try to hide my concern. This, ladies and gents of eCommerce, is a big deal. And if you haven’t already done your research, the time is running out to do so.
The GDPR is the most comprehensive data privacy law to date and is bound to affect your company if you operate or have customers within Europe.
Considering the nature of our work at Crobox, we've been knees deep in all things GDPR to ensure we are prepared. And we want to make sure you are as well! So, if you're looking to brush up your knowledge, this blog post includes the most important aspects of the legislation for eCommerce companies.
Cut to the chase, what is the GDPR?
The GDPR, in all its glory.
The GDPR, or the General Data Protection Regulation, as the name implies, is a data protection law that passed in the EU Parliament in 2016. It builds on the 1995 Data Protection Directive with an increased focus on the rights of personal data protection and more stringent penalties for non-compliance. It also brings consistency to the data laws within Europe, as it applies to all organizations that collect or process data in any of the 27 EU member states.
In many ways, this initiative was long overdue. Many things have changed since the 90s, and I’m not just referring to frosted tips and baggy jeans.
In the last 20+ years, our reliance on data has increased tenfold. Throughout this transition, the consumers have lost sight, or were never aware, of the amount of data that is being collected on them. Not to mention the unclear ownership rights of this data.
Because of this, the necessity to protect individuals online and give them the ability to control their data has become an integral part of ethical data collection. It, therefore, goes without saying that these changes will have a notable effect on eCommerce companies that collect any form of digital data.
With the impending deadline for compliance approaching on May 25th, 2018, I sat down with our Chief Data Protection Officer to learn more.
What will this law change?
Individuals will own their personal data
In its most simple terms, the GDPR empowers the consumer to be the all-encompassing owner of their data.
Specifically, it gives individuals in the EU the right to review, adjust, erase, and restrict the processing of their data. These requests must be facilitated online by the controller (aka the eCommerce company), and the response must be provided to the individual no later than one month after the initial request.
In addition to this, organizations are required to inform other organizations, like Google, to delete any copies of the public personal data. To help tackle this, Google has already set up a process to speed things up for businesses.
From opt-out consent to opt-in
Whereas the traditional cookie consent form required web visitors to opt-out of data collection, the GDPR will require individuals to manually opt-in. This means that websites will no longer be able to pre-populate consent forms.
The idea is that consumers will be more conscious of what they're agreeing to, as they will have to check a box and agree with two clicks instead of just one.
Within this consent, you will be required to clearly and simply communicate which parties are collecting their data (including third parties), for what purpose, what safeguards are in place, and how long the data is stored.
Data protection and storage requirements will become more strict
To better protect consumers from having their data mishandled, various measures will come into place.
- Sensitive Data: Data such as race, health, sexual orientation, religion, and political beliefs must be protected with additional safeguards.
- Data Protection by Design: When working with third parties (i.e., processors), make sure that their product has the appropriate safeguards, like pseudonymisation. See Article 25 for more information.
- Data Protection Officer: If your organization collects data on a large scale or deals with sensitive data, you need to appoint a data protection officer that has expert knowledge of data protection law. See Articles 37-39 for more information.
- Data Breaches: You will need to inform affected customers within 72 hours of a serious data breach.
- Lead Supervisory Authority: If your organization has offices in multiple countries, there needs to be a lead supervisory authority as the central point of enforcement.
- Record Maintenance: Records must be kept of all processing activity.
- Data Transfer Outside EU: Additional arrangements must be made when transferring data outside of the EU.
High non-compliance fees
As with most things in life, prevention is better than cure. If found non-compliant with these regulations, fines can be up to €20 million or 4% of annual revenue. With fees high enough to put a company out of business, it’s simply not worth the risk.
How do I ensure I’m prepared for the GDPR?
In short, there are several steps you need to take to ensure your eCommerce business is prepared for the GDPR to come into effect.
1. Review your processes
If you collect any online data, it’s your responsibility to ensure that it is secure. Even when working with third parties, you need to be sure that the data you collect within your organization is protected from external threats and mishandling.
2. Create a process for data transparency
Lay out a plan on how to handle personal data requests. Because when they start rolling in, the month you have to provide that information will quickly pass.
If possible, create an easy process on your platform for your customers to request and obtain all of their data quickly and without complication.
3. Write clear documentation of your data activity
Starting in May, you will need to inform your customers exactly what is happening with their data. This includes who is collecting and viewing it, as well as how it’s stored.
Have your documentation ready so it can be easily found on your website.
4. Redesign consent forms
Be sure to deactivate all of your pre-selected opt-ins. No more pre-checked boxes.
Individuals must give their explicit consent when it comes to collecting their data, and they should be able to withdraw it at any time.
5. Appoint a Data Protection Officer and meet with a lawyer
For companies that are required to appoint a Data Protection Officer, be sure to do that sooner rather than later. They can assist you in making sure that everything is in order for the GDPR.
It’s always wise to meet with a lawyer specialized in this area. Even with all the online resources, there are some articles in the GDPR that are left unclear. Many national governments have taken steps to clarify these. Meeting with a specialist is the only way to know 100% that you’re fully prepared.
The GDPR is surely giving us all a run for our money. However, it’s all for the greater good. While these initial implementations and preparations are costly, it’s all part of working toward a future that is better prepared to deal with data securely.
For more information on the GDPR check out the following resources:
Our GDPR-compliant software creates persuasion profiles of shoppers with psychographic data. Want to see how we do it? Download our whitepaper!