The GDPR, or General Data Protection Regulation, comes into effect on May 25, 2018. The GDPR is aimed at strengthening the protection of personal data for everyone within the European Union. But what exactly is the GDPR, and how will it affect you as an eCommerce merchant?
What is the GDPR?
The GDPR is a new EU Regulation adopted on April 27, 2016 and set to become enforceable on May 25, 2018. It replaces the 1995 EU Data Protection Directive (DPD) with stronger measures to protect the personal data of people in the EU, and it places more of the responsibility for that protection on the organizations that collect or process personal data. The GDPR builds on the DPD's requirements for data security and privacy, but also adds several new provisions that give individuals more rights over their data and raise the penalties for organizations that violate the rules. Unlike the Directive, which each member state had to transpose into its own national law, the Regulation applies directly and uniformly across the EU.
How do I know if the GDPR applies to my business?
The GDPR applies to you if your business is established in the EU, or if you offer goods or services to people in the EU (marketing to them counts, whether or not payment is involved), or if you monitor their behaviour, for example by tracking visitors to your store. Under these criteria the GDPR can apply to you anywhere in the world.
What does the GDPR change about data privacy?
The GDPR expands the rights individuals have over how their personal data is collected, used and retained. Compared with the DPD, the main changes fall into four areas: individual rights, internal procedures, supervisory authorities, and scope, accountability and penalties.
Individual Rights
Individuals have two new specific rights under the GDPR. The right to erasure, better known as the "right to be forgotten" (Article 17), lets individuals ask a company to delete the personal data it holds on them; the company must comply unless it has a legal reason to keep the data, such as a statutory obligation to retain order and tax records. The right to data portability (Article 20) lets individuals obtain the data they provided in a structured, commonly used and machine-readable format, and have it transmitted to another provider where technically feasible. Together with the existing right of access, this gives individuals far more control over the retention and use of their personal data and obliges organizations to hand over what they have collected when asked.
Where you rely on consent as the legal basis for collecting someone's data, that consent must be freely given, specific, informed and unambiguous. Organizations are held to higher standards of disclosure about their data collection practices so that the customer can give informed consent. The major change from the DPD is that individuals must now signal their consent through "a statement or a clear affirmative action"; pre-ticked boxes, silence or inactivity no longer count, whereas before consent was often inferred from the customer's actions. Consent must also be as easy to withdraw as it was to give, and you must be able to show that it was obtained.
Internal Procedures
Entities that handle personal data are required to build data protection into any new system they design ("data protection by design and by default", Article 25) and to carry out a Data Protection Impact Assessment (DPIA) before starting any processing that is likely to result in a high risk to individuals, in particular when using new technologies. A DPIA is a systematic process that documents the processing, evaluates its necessity and the privacy risks it creates, and records the measures taken to reduce those risks.
Public authorities, and any organization whose core activities involve regular and systematic monitoring of individuals on a large scale or large-scale processing of sensitive (special-category) personal data, must appoint a Data Protection Officer (DPO) to oversee their compliance. DPOs also help oversee the sharing of data with vendors that process personal data, reviewing their security and keeping them informed of data requests.
Controllers and Processors will need to review their privacy notices, privacy statements and all internal data policies to make sure they meet the GDPR's requirements. Contracts with vendors will also need to be updated with the new processor provisions in Article 28 of the GDPR, which require, among other things, that a processor act only on the controller's documented instructions, keep the data secure, help the controller respond to individuals' requests and to breaches, and delete or return the data when the contract ends.
Supervisory Authorities
The GDPR's new "one stop shop" provision means that an organization whose processing spans several EU countries deals with a single "lead supervisory authority", the authority in the country of its main establishment, so that it receives consistent direction on GDPR compliance rather than separate rulings from each national regulator.
The GDPR requires Controllers to notify the supervisory authority of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals; if the report is late, the delay must be explained. Processors must notify the Controller without undue delay after becoming aware of a breach, so your vendor contracts should require this. Breaches likely to result in a high risk to individuals, such as identity theft, fraud or a breach of confidentiality, must also be reported to the individuals affected. That second notification is not required if the affected data was rendered unintelligible to unauthorized parties, for example by encryption, but only if the encryption keys were not also compromised.
Scope, Accountability and Penalties
The GDPR has a wider scope than the DPD: it also applies to non-EU businesses and entities that offer goods or services to people in the EU or monitor their behaviour, even if the business has no office or other presence in the EU. Unless an exemption applies, such businesses must also designate a representative in the EU (Article 27).
The new accountability principle requires Controllers and Processors not only to comply but to be able to demonstrate their compliance to the supervisory authority. Staff should be appropriately trained, and the technical and organizational measures taken should be documented. Processing activities should be recorded (the Article 30 records of processing) and the records regularly reviewed.
The GDPR imposes severe penalties for violations. Mishandling personal data or violating an individual's rights over their data can incur fines of up to €20 million (about $24,858,000 USD) or 4% of the violating entity's worldwide annual turnover for the preceding financial year, whichever is higher. A lower tier of up to €10 million or 2% of turnover applies to other infringements, such as failing to keep records or to notify a breach.
GDPR compliance is the responsibility of the business. If you meet the criteria to be subject to the GDPR, it falls to you as a business owner to ensure compliance. You may want to read the full text of the GDPR, with a legal glossary at hand, to familiarize yourself with it as best you can. Consider consulting an attorney who is familiar with the GDPR and can assist you.
All software you use to run your business, e.g. your eCommerce platform, Google Analytics, MailChimp, and any third-party apps or plugins, must meet GDPR requirements for your business to be compliant. Most of these services act as Processors of your customers' data, so each needs to offer a data processing agreement containing the Article 28 terms; you, as the Controller, remain responsible for what they do with the data on your behalf.
If your online store is built on Shift4Shop, you'll have several tools available to help you achieve GDPR compliance, but as mentioned, all additional software must meet the requirements as well.
Shift4Shop's Compliance Efforts