In May 2016, the General Data Protection Regulation (GDPR) entered into force in the European Union to guarantee more security and protection of personal data for individuals, the most significant change in data privacy regulation in 20 years. Its provisions will be enforced from 25 May 2018, which means greater responsibilities for e-commerce businesses in about two months. The new measures will affect e-commerce businesses of any size as long as they hold data relating to individuals in the European Union, whether residents or visitors. From Rich Clicks, we want to invite you to find out the key details of this new regulation, to help your business be ready for its enforcement.
Meaning of personal data for GDPR
Under the GDPR, personal data is any information relating to an identified or identifiable “natural person”. Thus, personal data includes information such as names, a physical or email address, photos, clothes or shoe sizes and online identifiers (e.g. IP addresses, cookie strings or mobile device IDs). The new regulation will affect any online retail store collecting data from websites, email, apps or any other source that retains details about users in an internal database.
The GDPR has been designed to harmonise data privacy laws across Europe, to protect and empower the data privacy of everyone in the EU, and to reshape the way organisations approach data privacy.
Highlighted changes in the GDPR
Extra-territorial applicability: From 25 May 2018 the territorial scope of the regulation is extended: the GDPR applies to every company that processes the personal data of individuals residing in or visiting the European Union, regardless of where the company itself is located, whenever it offers goods or services to those individuals or monitors their behaviour within the EU.
Penalties: Issues such as not having sufficient consent from customers to process their data, or violating the core principles of privacy by design, can be grounds for fines. Companies can also be fined for not keeping their processing records in order, for not notifying the supervisory authority and affected data subjects of a breach, or for not conducting a required data protection impact assessment. The maximum fine is €20 million or 4% of annual worldwide turnover, whichever is higher.
Consent: The new regulation will no longer allow companies to rely on long and illegible terms and conditions. From now on, the request for consent must be presented in an easily accessible form, with the purpose of the data processing clearly attached, and it must be as easy to withdraw consent as it is to give it. Consent requests must be as transparent as possible.
Data subject rights
Breach notification: Breach notifications are now mandatory in all member states where a data breach is likely to result in a risk to the rights and freedoms of individuals, and must reach the supervisory authority within 72 hours of the company becoming aware of the breach, where feasible.
Right to access: Data subjects have the right to obtain from the data controller confirmation as to whether or not personal data concerning them is being processed, where and for what purpose. Controllers must also provide a copy of the personal data free of charge, in an electronic format where the request was made electronically.
Data portability: The GDPR now includes the right for a data subject to receive the personal data concerning them that they previously provided to a controller, in a structured, commonly used and machine-readable format, and to transmit that data to another controller.
Privacy by design: The GDPR requires data protection to be built into systems from the start of their design (data protection by design and by default), rather than bolted on afterwards.
Data Protection Officers: The GDPR introduces internal record-keeping requirements. Appointing a DPO is mandatory for public authorities and for controllers and processors whose core activities consist of processing operations that require regular and systematic monitoring of data subjects on a large scale, or of large-scale processing of special categories of data or of data relating to criminal convictions and offences.
Right to be forgotten: Also known as the right to erasure, it permits the data subject, under certain conditions (for example when the data is no longer necessary for its original purpose or consent has been withdrawn), to have the data controller erase their personal data, cease further dissemination of it and, where applicable, have third parties halt processing of the data.
What e-commerce marketers need to know
Consent must be freely given, specific, informed and unambiguous; it must be separate from the terms and conditions and obtained separately for each marketing activity. Moreover, consent must be an identifiable opt-in: consent boxes cannot be pre-ticked, and silence or inactivity does not count as consent. Finally, any and all third parties with whom the data will be shared must be specifically named.
Clear information: any information and communication relating to the processing of personal data must be easily accessible and written in clear, plain language.
Security: businesses must implement appropriate technical and organisational measures to protect the personal data they hold (the regulation cites pseudonymisation and encryption as examples) and must regularly test, assess and evaluate the effectiveness of those measures.
Notification of data breaches: from May this year, all businesses will have to notify the data protection authority of any security incident that compromises the confidentiality, integrity or availability of the personal data they hold, within 72 hours of becoming aware of it where feasible, unless the breach is unlikely to result in a risk to individuals. Businesses will also have to notify the affected data subjects without undue delay where the breach is likely to result in a high risk to them (for example economic or social disadvantage), unless the affected data was protected by measures such as encryption that render it unintelligible to anyone not authorised to access it, or subsequent measures have been taken so that the high risk is no longer likely to materialise.
Geography: companies doing business with data subjects in the European Union will be required to comply with the GDPR.
The digital market is constantly evolving, and regulation to protect individuals could not wait any longer. From Rich Clicks, we wanted to introduce your business and its e-commerce development to the new General Data Protection Regulation so that your company stays on track. The time for adapting your business to the market is running out, and now more than ever, your efforts must be focused on bringing your online activities into line with the new regulation, as your competitors will be doing. Make sure that nothing stops your growth and your goals!
Keep calm and download our Final Checklist.
We know there is no time for panicking, so we have created a GDPR Checklist for you to organise your ideas and understand, step by step, everything that needs to be done to adapt your business to the new regulation. Rich Clicks is here to help!