The General Data Protection Regulation (GDPR) came into effect on May 25 2018. However, many merchants still have numerous unanswered questions, especially when it comes to GDPR for eCommerce. These regulations come with stiff consequences and penalties, and merchants need to know what they entail and how they affect their eCommerce businesses.
What is the GDPR?
The GDPR is a set of European Union laws on data privacy and protection for both citizens and residents within the EEA (European Economic Area) and the EU (European Union). It also covers the export of personal data outside the EEA and EU.
The GDPR seeks to enable residents and citizens to regulate their personal information, consolidate the regulation in the EU, and clarify the same for the sake of international business.
According to the GDPR, all businesses and companies operating within the EU will have to adhere to stringent new rules in regard to the compilation, storage, and utilization of client data.
These regulations cover all forms of data, such as social media posts, photos, bank details, IP addresses, and any identification numbers. The regulation states that all client data must be collected on an opt-in basis, stored securely, and not used without the client's authorization.
Still, these regulations leave some room for interpretation on certain issues. This leaves doubts about how data from social media platforms, for instance, should be handled. One thing that remains constant, though, is that social media users must provide explicit opt-in authorization before their data can be stored or used in any form.
Therefore, pre-ticked authorization checkboxes and authorization buried in long terms and conditions can no longer be used.
GDPR provides three categories for data handling. They are:
- Data regulator. This is the business or company providing goods or services. It is tasked with explaining why and how personal information is used, and it is accountable for the safe use and storage of this information.
- Dependent. This is the employee, client, user or any other individual providing personal identification data.
- Data processor. These are third-party suppliers.
How will GDPR Affect eCommerce Businesses?
The GDPR applies to every department within a business, including marketing, HR, sales, accounting, and all databases. These regulations apply to all companies that handle or process data, regardless of where within the EU they are located. Data handling and processing businesses operating from outside the EU are also required to nominate a representative in the EU.
Transparent Authorization for Marketing Activities
Every individual must opt in to any marketing activity, a move that replaces the pre-ticked authorization checkboxes that marketers have used for so long. The introduction of a third-party checkbox requires listing all third parties likely to access the data. These factors will influence the marketing sector in terms of collecting and documenting all marketing activities that involve processing large volumes of data.
Misuse or violation of the GDPR and non-compliance attract hefty fines of up to €20 million or 4% of global annual revenue. This is the maximum penalty for serious violations, such as contravening the core principles of privacy or failing to obtain adequate customer authorization to handle data.
Penalties come in tiers. For instance, companies can be penalized for failing to alert the data subject and the supervisory authority about a suspected data breach, failing to keep their records in order, and failing to carry out an impact assessment. These regulations apply to both processors and controllers. Therefore, companies offering cloud services are not immune to them.
It is important to understand that according to GDPR terms, every merchant is referred to as the data regulator and holds the responsibility to compile and store data appropriately. In addition, the regulation requires them to obtain visitor and customer authorization before utilizing their data.
Small and medium-sized businesses should therefore take responsibility for ensuring that data is stored safely. They should also know where it is stored, which in this case can be in numerous places, especially for eCommerce businesses that collaborate with third-party software partners. To enhance data protection and privacy, these companies will need to adopt encryption.
eCommerce Businesses on Cloud
For businesses already using the cloud, this transition is likely to be smooth. Big, established companies already have enough resources to implement the requirements of the GDPR. On the other hand, businesses that operate on tailor-made software or in-house servers will have to engage an experienced team to analyze and test their security, identify any vulnerabilities, and introduce robust methods of data protection throughout the data lifecycle, from collection to deletion.
Consent conditions have been strengthened, and businesses must adopt verifiable methods of authorization expressed in understandable language. While consent is still a lawful basis for data processing under the GDPR, it remains quite restricted.
For instance, under regulation 95/46/EC, controllers were allowed to rely on implied and opt-out consent in specific cases. The GDPR, however, states that the data subject must show agreement through a clear affirmative action. The new law also separates out some categories of personal data that existed in the earlier regulation.
However, the new GDPR broadens the range of issues covered. In addition, the GDPR imposes conditions regarding children's authorization of data processing in the absence of parental consent. The GDPR eliminates the need to require data before making a plain acknowledgement or statement. The GDPR comes with additional clauses, which state the following.
The data subject has the right to withdraw consent at any time. Further, the controller must make withdrawing consent as easy as giving it. Controllers must also inform data subjects of this right before they give their consent. When consent has been withdrawn, the data subject's information must be deleted entirely and must never be used in any further processing.
According to the GDPR, consent is not considered freely given in case of an imbalance between the controller and the data subject, especially when the controller is a public authority. Even then, a controller is not authorized to impose conditions on a service once consent has been given, except where the processing is necessary for the service.
The GDPR further states that consent must be specific to each data processing operation. To fulfill the requirements of this regulation, the controller must make the request for data processing consent clearly distinguishable from other matters contained in the written document, which must also be presented in an easily accessible form.
The GDPR gives data subjects the following rights:
The data subject has the right to obtain any personal data concerning them in a machine-readable format. Additionally, they have the right to transmit that data to a different controller.
Data Violation Notification
The GDPR states that notification of a suspected data breach is compulsory in every member state where the breach may pose a risk to individuals' rights and freedoms. Data processors must alert the controllers and customers promptly after suspecting a data breach.
Currently, anyone either processing or controlling data must adhere to the GDPR. Large companies must appoint a data protection officer tasked with reporting any data breach. Reports must reach the data subjects and the information commissioner's office within 72 hours.
Right of Confirmation
Data subjects have the right to ask the controller whether their personal information is being processed, and if so, the controller must be able to state the purpose, the location, and the scope of that processing. Additionally, the controller must provide the data subject with a copy of their personal information in electronic form, free of charge. This enhances data subjects' empowerment and data transparency.
Right of Erasure
According to the GDPR, customers should be able to edit their data with ease as well as terminate authorization to engage in any marketing activities. Additionally, they should be allowed to delete their data and account from the system entirely.
While this is possible with many data collection and processing companies, it often comes with many challenges, with some companies requiring customers to call their agents to complete the process.
The GDPR states that this procedure must not only be documented and easy to follow; it must also be adequately publicized so that customers seeking to delete their data can do so.
This right enables the data subject to compel the controller to erase their personal data entirely and stop any processing of it. This may sometimes require third parties to act as well. Conditions for data deletion include withdrawal of consent by the data subject and discontinuation of data processing. Under this right, controllers must weigh the data subject's rights against the public interest in the availability of the data, should such a case arise.
While privacy by design has existed for many years, it has only recently been adopted as a legal requirement in the GDPR. This requires data protection to be built in from the start of system design rather than added afterwards. It is the controller's responsibility to implement appropriate organizational and technical measures.