At Xcommerce we enable companies to bring their business online every day.
Since every eCommerce platform has to collect personal information from its buyers, whether to ship the goods or simply to let them log in, we want to advise our customers on the GDPR.
The General Data Protection Regulation is the European law that protects personal data.
In fact it is not entirely new: its predecessor, the Data Protection Directive, dates from 1995 and was first proposed in the early 1990s.
Here we focus on the GDPR itself, since it takes effect on 25/05/2018.
In short, the GDPR focuses on how your organization requests, records and manages individuals' data.
The GDPR is part of EU privacy and human rights law. It places more obligations on companies that process personal data while giving more rights to the data subjects, the identified or identifiable natural persons the data relate to.
In this way data subjects get more control over whether, when, how and to whom their personal data are provided, and for which activities their data may be used.
The GDPR also seeks greater harmonization of data protection legislation, because today it varies greatly from one member state to another within Europe.
The GDPR applies to all companies that control or process personal data by automated means, or as part of a structured filing system. Personal data is any information relating to an identified natural person (e.g. a name) or to an identifiable one (e.g. a customer number, an e-mail address or an IP address that can be linked back to a person).
A controller is a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
When individuals fill in a form on one of your web pages and your organization decides why and how the submitted data is used, you are a controller.
A processor is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller, for example the hosting company where your servers are located.
In a nutshell: all companies that store personal data, no matter in which software, CRM, ERP, database or text file, have to comply with the GDPR.
Companies have to respect the GDPR and have to be able to prove that they do. This is the accountability principle.
It therefore requires companies to implement the necessary policies and to document those policies and the measures they have taken.
Data subjects (natural persons) have to be informed clearly about what happens with their personal data, how long they are kept and whether they are shared with others. Where processing is based on consent, that consent has to be freely given, specific and informed, and the company must be able to demonstrate it, so the data subject's consents have to be recorded.
The right to be forgotten
Data subjects have the right to be forgotten (the right to erasure). The company that stores the data can be asked, and is then obliged, to delete all data about the subject, unless it has another legal obligation to keep them, for example a retention period for invoices.
Data Protection by Design & Default
At the start of a project, companies have to consider how to protect personal data before processing it (by design).
When companies offer several options in their products or services, the most privacy-friendly option always has to be the default (by default). E.g. the newsletter signup checkbox must be unchecked by default instead of checked.
Companies have to keep a record of the processing activities they carry out (some smaller companies are exempt). When a processing is likely to involve a high risk for individuals, for example processing sensitive data on a large scale, companies have to perform a data protection impact assessment in advance to assess the risks involved.
Data transfer to third countries
When transferring personal data to countries outside the EU, the transfer is only allowed if the receiving country offers an adequate level of protection or if appropriate safeguards are in place. These can be set up in the form of contracts, such as the standard contractual clauses approved by the European Commission, or binding corporate rules within a group of companies.
Breach notification
In case of a personal data breach, the supervisory authority has to be notified without undue delay, where feasible within 72 hours, unless the breach is unlikely to result in a risk to individuals. The affected individuals themselves have to be notified when the breach is likely to result in a high risk to them.
Profiling and automated decision making
Individuals are to be protected against decisions that are based solely on profiling or other automated processing and that have legal or similarly significant effects on them.
Access by individuals
Every data subject has to be given the means to view their personal data and to have it corrected (the rights of access and rectification). Besides that, data subjects have to be informed about how the data will be used and when it will be destroyed.
Companies that are not in line with the GDPR risk, as from 25/05/2018, fines of up to 20 million euros or up to 4% of their worldwide annual turnover, whichever is higher.
Cross border expansion
Since the rules will be the same in all EU countries, it will be easier for companies to expand their activities into other member states.
Any company, regardless of whether it is established in the EU or not, will have to apply EU data protection law if it wishes to offer goods or services to people in the EU. This levels the playing field for all businesses; it is about fair competition in a globalised world.
The data protection law across all EU countries will be the same: one European Union, one law. This largely eliminates the need to consult local lawyers to ensure local compliance when doing business across the EU, although member states keep some room for national rules, for instance on the age at which children can give consent themselves. The result is direct cost savings and legal certainty.
Individuals who suspect their data is not being used in accordance with the GDPR can lodge a complaint with the supervisory authority (the data protection authority) of their own member state. Note that the EDPS, the European Data Protection Supervisor, only oversees the EU institutions themselves; the national authorities cooperate with each other in the European Data Protection Board.