Officially approved by EU Parliament, General Data Protection Regulation (GDPR) is going to come into force on May, 25th of 2018. This law is supposed to replace Data Protection Directive 95/46/EC established back in 1995, and unite and update the regulations controlling data protection across EU countries.
The main aim of General Data Protection Regulation is to provide EU citizens with personal data security by imposing specific restrictions and responsibilities on the organizations (or data controllers) processing and collecting such data. Personal data hereby stands for “any information relating to an identified or identifiable natural person”.
Territorial ApplicabilityThe regulation supervises any of such institutions notwithstanding with the place of their establishment. It means that GDPR is applicable to any system processing an EU citizen’s personal data either within or outside EU territory. Besides, this law stipulates one-stop shop principle: in case a company has its sub-departments in other member states, it will deal with the authority located in the same state as the main office.
Individual’s RightsGDPR comprises an enormous number of rules and restrictions, so a data controller should be very attentive and careful to avoid violation of any of them and getting penalized. Some of these limitations consist in preserving the following rights by an individual, whose personal data was disclosed or was required to be disclosed:
- to refuse from giving personal data;
- to erase the given personal data after the end of processing;
- to obtain an access to the recorded data;
- to request for restricted processing of data.
No personal data can be processed without a person’s clear consent. An individual, whose rights were infringed, may lodge a complaint or demand a remedy or compensation.
Technical and Organizational MeasuresBeside legal restrictions, GDPR applies Technical and Organizational Measures (TOMs) in order to strengthen personal data security and provide maximum transparence of data controllers’ activities. TOMs include:
- Preventing data access of unauthorized individuals;
- Enabling access to data only after a personal authentication;
- Recording all changes made to data;
- Providing backup and recovery of data;
- Separating data collected for different purposes.
Non-compliance with the regulation can lead to being penalized with a fine up to €20 million which is 4% of the annual global turnover.
What you should do to be GDPR-compliant?- Update your Privacy Policy / License Agreement;
- Inform your team about GDPR compliance requirements;
- 3 Inform your customers about that
- Inform or request your subcontractors to follow those rules (shipping company, payment processor, bank, accountant team, external marketing team, etc).
Show customers that you’re not vulnerable. Add “GDPR Compliance” message on the create account/login/checkout page to inform your customers about your compliance.
Request for personal data deletionAnother important thing is to accept and perform customer requests to delete their data. Unless we really need these data, this request should be fulfilled.
“A data subject should have the right to have personal data concerning him or her rectified and a ‘right to be forgotten’ where the retention of such data infringes this Regulation or Union or Member State law to which the controller is subject. In particular, a data subject should have the right to have his or her personal data erased and no longer processed where the personal data are no longer necessary in relation to the purposes for which they are collected or otherwise processed, where a data subject has withdrawn his or her consent or objects to the processing of personal data concerning him or her, or where the processing of his or her personal data does not otherwise comply with this Regulation. That right is relevant in particular where the data subject has given his or her consent as a child and is not fully aware of the risks involved by the processing, and later wants to remove such personal data, especially on the internet. The data subject should be able to exercise that right notwithstanding the fact that he or she is no longer a child. However, the further retention of the personal data should be lawful where it is necessary, for exercising the right of freedom of expression and information, for compliance with a legal obligation, for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, on the grounds of public interest in the area of public health, for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, or for the establishment, exercise or defence of legal claims.”
So if customer requests you to remove his/her personal data but you need to keep it for some reason, describe it in FAQ and LA to inform users about that.
For example users who have placed their order in EU should be backuped and saved at least for 5 years (basing on EU Laws), so you cannot remove his/her personal data right away but you should inform when and how it will be done.
It is your obligation to explain the procedure of personal data removal. For example in 5 years when the obligation to keep data for accounting expires, the customer request for removal will be automatically or manually processed and customer will be informed additionally.
Access to personal dataAnother major aspect of the GDPR is access to personal data. When talking about that, you should keep in mind all business processes that you have in your company. Who have access to the personal data? What is the company offering delivery or shipping services? What is the company processing payments? Do they fulfill the GDPR?
Here are few more examples of people or positions with the access to personal data: site administrators, freelancers, hosting company, sales manager, support manager, accountant, mail client (if you’re using third-party SAAS client), CRM system, etc. You have to make sure that they do understand and follow the principles of GDPR.
Just for example – someone calls to your sales asking to provide some information about his/her order. You may decline his/her request due to GDPR compliance. You may ask him/her to identify himself/herself to make sure he/she has rights for these data.
Once again, add FAQ, Useful article or documentation and explain how personal data is treated in your business and how it can be obtained.
What if your site was hacked and data was compromised?In case you failed to provide ultimate security for the collected personal data and your site was hacked, the first thing to do is to report about the data breach to the GDPR supervisory authority within 72 hours.
If you have not managed to make the notification within this time, you are obliged to state the reasons of the delay. You report must include the nature of data fraud, its possible consequences, contact details of your responsible protective officer and the measures applied.
If there is a high risk of violating the rights and freedoms of the individual whose data was hacked, you have to inform this individual about the data breach right away.
In case of failure to report about the fraud, you can get penalized or taken to court.
What if I’m from US. Should I follow the GDPR?GDPR is not an obligation for the US store owners but it would be a good sign for EU customer if you follow the GDPR regulations. EU customer will feel comfortable placing an order from you keeping in mind that he/she can control the way data is gathered, stored and utilized.
ConclusionsThe reasons of introducing such strong protective measures seem to be clear: the number of business systems and other entities requiring sensitive personal data is constantly increasing and needs to be appropriately controlled. Despite of the strictness of newly introduced regulations, eMagicOne’s policy comes in full compliance with GDPR standards and provides its clients with complete personal data security and privacy.
Read the original General Data Protection Regulation (GDPR) at:http://data.consilium.europa.eu/doc/document/ST-5419-2016-INIT/en/pdf
Add comments if you have more questions about GDPR and we’ll do our best to assist you!
