Although the General Data Protection Regulation (GDPR) was adopted in 2016 and has been in force since May 2016, it only applies from 25 May 2018. It brings greater responsibilities for ecommerce businesses, irrespective of size, that hold data about people in the EU, whether or not those people are EU citizens.
Personal data is anything that can identify a "natural person", directly or indirectly. It includes the obvious items such as a name, a photo, a physical or email address and billing history, but also data that only identifies someone when combined with other records, such as shoe size, and online identifiers such as IP addresses, cookie strings or mobile device IDs. The GDPR affects any online retail store that collects personal data through its websites, apps, emails or any other channel; "processing" covers collection and use as well as storage, so the obligations apply even before the data is retained in an internal database.
What e-commerce marketers need to know
Opt-In is in, Opt-out is out
To meet the GDPR regulations, consent must be ‘freely given, specific, informed and unambiguous’ and therefore should be:
- separate from the terms and conditions, with separate consent for each marketing activity;
- identifiably opt-in so consent boxes cannot be pre-ticked;
- named: any third parties that will rely on the consent must be specifically identified.
It requires that any information and communication relating to the processing of personal data be easily accessible and easy to understand. The GDPR includes seven references to “clear and plain language.”
Businesses must adopt technical and organisational measures that give protection appropriate to the risk of the personal data they hold. The GDPR names pseudonymisation and encryption of personal data as examples of such measures, so personal data should not be kept in plain text where encryption is practicable; encryption also matters after a breach, because data that has been rendered unintelligible to the attacker may not need to be reported to the affected individuals. Businesses are also required to ensure the ongoing resilience of their systems and services and to be able to restore availability of and access to personal data in a timely manner after a physical or technical incident. Finally, they must test, assess and evaluate the effectiveness of their security measures on a regular basis.
Notification of data breaches
Businesses have to notify the data protection authority of a security incident that leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to the personal data they hold, unless the breach is unlikely to result in a risk to individuals. The notification is due without undue delay and, where feasible, within 72 hours of becoming aware of the breach. Businesses must also notify the affected data subjects without undue delay when the breach is likely to result in a high risk to their rights and freedoms, such as financial loss, identity fraud or discrimination. Notification to individuals is not required if appropriate protection measures applied before the breach, in particular encryption, rendered the data unintelligible to whoever accessed it, or if subsequent measures have ensured that the high risk is no longer likely to materialise.
Companies doing business with ‘data subjects’ in the EU need to comply with the GDPR. ‘Data subjects’, in this instance, covers anyone who is in the EU, including EU citizens, temporary residents and even visitors on holiday. Furthermore, the “territorial scope” of European data protection law has been extended to include companies outside the EU. The “territorial scope” clause does not mean that every web based business accessible from the EU is within the scope of the GDPR. Businesses outside the EU are caught if they offer goods or services to people in the EU, evidenced for example by regional domain names, pricing in EU currencies, languages not generally used in the business’s own country, or localised content, or if they monitor the behaviour of people in the EU, for example through tracking cookies or profiling.
EXAMPLES: “territorial scope”
In the UK, the Data Protection Bill was introduced to the House of Lords on 13 September 2017. It aims to bring the GDPR standards into law ahead of the UK’s exit from the European Union.
What rights do individuals have?
The right to be informed relates to the obligation to provide ‘fair processing information’, typically through privacy notices. It also covers the need for transparency over how the personal data is used.
The right of access gives individuals the right to obtain confirmation that their data is being processed. It also gives them the right to access their personal data and other supplementary information, such as the purposes of the processing, the recipients and the retention period.
The right to rectification gives individuals the right to have personal data rectified if it is inaccurate or incomplete.
The right to erasure also known as ‘the right to be forgotten’ gives an individual the right to request the deletion or removal of personal data where there is no compelling reason for its continued processing.
The right to restrict processing continues to give individuals the right to ‘block’ or suppress processing of their personal data, as currently allowed under the UK Data Protection Act 1998 (DPA). When processing is restricted, the GDPR permits data controllers to store the personal data, but not to process it further.
The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services.
The right to object gives the individual the right to object to processing at any time, unless the controller has compelling legitimate grounds. Previously, the burden was on the data subject to show that the objection was justified.
The rights in relation to automated decision making and profiling provide safeguards for individuals against the risk that a potentially damaging decision is taken about them without human intervention.
What are the penalties?
The GDPR is designed to be taken seriously: it gives data protection authorities more powers to tackle non-compliance, including revenue based fines of up to 4% of annual worldwide turnover or up to €20m (whichever is greater) for the most serious infringements, and up to 2% or €10m for lesser ones.
The GDPR also makes it considerably easier for individuals to bring private claims against data controllers when their data privacy has been infringed, and allows data subjects who have suffered non-material damage as a result of an infringement to sue for compensation.
This checklist should surface any potential red flags in your data protection procedures and indicate the steps that should be taken to maximise data security and minimise the risk of GDPR non-compliance.
Step 1: Data inventory
- Why is the data being held?
- Where and how is the data stored? Create an inventory of all critical assets that store or process data.
- How long will the data be retained, is it still needed?
Step 2: Document data flow
- How does the data enter the organisation - a website comment section, newsletter subscription, or online identifiers such as IP addresses?
- Where does the data leave the organisation and is it shared with third parties?
- Who, in the company, can access the data?
- Can supposedly anonymous or pseudonymised data be combined with other data sets to identify individuals? Data that can be re-identified in this way is still personal data under the GDPR.
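The last question above is easy to answer wrongly: stripping names and email addresses from an export does not make it anonymous if the remaining columns (postcode, year of birth, gender) still single people out. The following added example, which is not part of the original article, shows the linkage attack an adversary would run against such a "de-identified" order export and the k-anonymity check a business can run before releasing or sharing it. All records, names and column choices are constructed for illustration.

```python
from collections import Counter, defaultdict

# Constructed sample data (not from the article): a "de-identified" order
# export with direct identifiers removed but quasi-identifiers retained.
ORDERS = [
    {"order_id": "A1", "postcode": "SW1A 1AA", "birth_year": 1985, "gender": "F", "item": "running shoes"},
    {"order_id": "A2", "postcode": "SW1A 1AA", "birth_year": 1985, "gender": "F", "item": "insulin cooler"},
    {"order_id": "A3", "postcode": "M1 1AE", "birth_year": 1990, "gender": "M", "item": "headphones"},
    {"order_id": "A4", "postcode": "M1 1AE", "birth_year": 1990, "gender": "M", "item": "keyboard"},
    {"order_id": "A5", "postcode": "M1 1AE", "birth_year": 1990, "gender": "F", "item": "pram"},
]

# Constructed "public" reference data an attacker might hold, e.g. a leaked
# marketing list or scraped social profiles, with the same quasi-identifiers.
PUBLIC = [
    {"name": "Alice Example", "postcode": "SW1A 1AA", "birth_year": 1985, "gender": "F"},
    {"name": "Bob Example", "postcode": "M1 1AE", "birth_year": 1990, "gender": "M"},
    {"name": "Ben Example", "postcode": "M1 1AE", "birth_year": 1990, "gender": "M"},
    {"name": "Carol Example", "postcode": "M1 1AE", "birth_year": 1990, "gender": "F"},
]

# Columns that are not identifiers on their own but become one in combination.
QUASI_IDENTIFIERS = ("postcode", "birth_year", "gender")


def qi_key(record, fields=QUASI_IDENTIFIERS):
    """Tuple of quasi-identifier values used to group or join records."""
    return tuple(record[f] for f in fields)


def link_records(released, public, fields=QUASI_IDENTIFIERS):
    """Linkage attack: for each released record, list the public identities
    that share its quasi-identifier values. One candidate is a re-identification."""
    index = defaultdict(list)
    for person in public:
        index[qi_key(person, fields)].append(person["name"])
    return {r["order_id"]: index.get(qi_key(r, fields), []) for r in released}


def reidentified(links):
    """Keep only the orders that were linked to exactly one person."""
    return {oid: names[0] for oid, names in links.items() if len(names) == 1}


def k_anonymity(records, fields=QUASI_IDENTIFIERS):
    """Size of the smallest group sharing quasi-identifier values.
    k == 1 means at least one record is unique, i.e. not anonymous."""
    counts = Counter(qi_key(r, fields) for r in records)
    return min(counts.values())


def generalise(record):
    """Coarsen quasi-identifiers before release: postcode district only,
    ten-year birth band, gender suppressed."""
    return {
        **record,
        "postcode": record["postcode"].split()[0],
        "birth_year": record["birth_year"] // 10 * 10,
        "gender": "*",
    }


if __name__ == "__main__":
    links = link_records(ORDERS, PUBLIC)
    print("re-identified:", reidentified(links))
    print("k (raw export):", k_anonymity(ORDERS))
    print("k (generalised):", k_anonymity([generalise(r) for r in ORDERS]))
```

On the constructed data the raw export has k = 1: orders A1, A2 and A5 each match exactly one person, so "Alice Example" is tied to the purchase of an insulin cooler, a health inference the retailer never intended to release. Generalising the quasi-identifiers raises k to 2 within the export. Note the caveat: k-anonymity is measured against the released table, so a release can look safe while the attacker's reference population is still sparse enough to single someone out; if the data is to be treated as anonymous rather than pseudonymised, the check needs to be run against a realistic reference population as well.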
Step 3: Examine data collection
- Amend consent procedures to comply with the expanded requirements, e.g. remove pre-ticked boxes and separate consent from the terms and conditions.
- Is the request for consent in clear and plain language?
- Revisit the lawful basis for collecting and processing each category of data, whether consent, contract, legal obligation or "legitimate interests", and record it.
Step 4: Review procedures
- How do current processing procedures stand up to the new data subject rights?
- How do you seek, obtain and record consent?
- Are the reasons for collecting the data provided or available?
- Is there a procedure in place for withdrawing consent and blocking/erasing data?
- What access procedures are in place for the data subjects?
Step 5: Security
- How secure is the data?
- In the event of a data breach, can you demonstrate that appropriate security controls were in place?
- How regularly do you test to ascertain if the security controls are working as designed?
- Will you be able to detect and respond to a breach promptly? The 72-hour notification window starts when you become aware of it.
- Are all relevant parties informed and aware of what to do in the event of an incident?