- 10th October 2018
- Posted by: Amit Khanna
- Category: eCommerce
The General Data Protection Regulation (GDPR) became enforceable on 25 May 2018. The regulation places scrutiny on (and potentially penalizes) eCommerce websites for the way they collect the personal data of individuals in the EU. Management consulting firm Oliver Wyman predicts that $6 billion in penalties will be levied against non-compliant companies in the first year of GDPR enforcement.
The GDPR applies to every company within the European Union (EU) that processes personal data, and to organizations outside the EU that market their products or services to individuals in the EU. The GDPR provides stronger data protection designed for the digital age, where it is possible to shop online from a smartphone, order a pizza or book a taxi. eCommerce companies can collect and collate this information to provide more accurate and targeted advertising; however, an individual can be identified from the metadata related to their mobile device or desktop, so that metadata is personal data too. The GDPR consists of a unified and clear set of rules to help individuals (data subjects) gain control of their personal information.
Under the GDPR, eCommerce businesses processing the Personally Identifiable Information (PII) of individuals in the EU, whether “personal” or “sensitive personal” data, need a lawful basis for the processing; for most online marketing and profiling that basis is consent. Explicit consent is required to process sensitive personal data, and the GDPR requires that consent be freely given, specific, informed and unambiguous. This is a significant change for eCommerce organizations: a clear affirmative action from the data subject is required before personal data can be held in the organization’s electronic systems, and the current practice of relying on a customer’s silence or inactivity, or on pre-ticked boxes, is no longer sufficient.
Privacy & Cookies
Privacy concerns surrounding cookies have been an issue for several years now. Recital 30 of the GDPR names online identifiers such as IP addresses and cookie identifiers as information that can be combined to identify a natural person, which is an important update: data collected through cookies is personal data, and tracking or advertising cookies require robust opt-in consent. Cookies that are strictly necessary to deliver the service the user asked for (a session or shopping-basket cookie, for example) are treated differently from tracking cookies; it is the latter that need consent. IP addresses and the other information collected by cookies are no longer simply a corporate asset; they are the data subject’s personal data, processed on their terms. To stay compliant with the GDPR, you will either have to abandon this kind of tracking or obtain valid consent from your customers before the cookies are set.
There are many systems that could be used to collect personal data. Each needs to be clearly identified and classified accordingly, and personal data should be kept only for as long as necessary: simply put, if it is no longer needed, destroy it. The GDPR does not state a time frame for holding personal data. eCommerce sites will have to decide how long they hold onto a data subject’s personal data based on the purpose that data was processed for. Personal data that is no longer needed must be erased, which reduces the risk of holding data that is inaccurate, excessive, irrelevant or out of date, and of using such data in error.
Storage limitation can also help you comply with other GDPR principles, specifically the data minimization and accuracy principles. It is clearly inefficient to store personal data that is not required, which leads to avoidable storage and security costs. Under the GDPR, site owners may also have to respond to subject access requests, and large or inaccurate datasets can make this much more challenging than it needs to be.
eCommerce organizations should introduce a data retention policy, and document standard retention periods for different categories of personal information. Retention policies must also be flexible enough to allow for early deletion of personal data if appropriate, and include:
- The stated purposes for processing the personal data
- Whether keeping a record of a relationship with the individual once that relationship ends is needed
- Any legal or regulatory requirements
- Whether keeping information to defend possible future legal claims is needed
- Any relevant industry standards or guidelines
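The retention policy described above, turned into something a system can enforce, as an added illustration that is not code from the original post and not FileOM’s tooling. The Python sweep below applies a per-category retention period, honours a legal hold (data kept to defend a possible future claim) over both expiry and erasure requests, allows early deletion when a data subject asks for it, anonymizes rather than deletes where the record itself must survive (an order kept for accounting), and refuses to process a record whose category has not been classified. The category names, retention periods and sample records are assumed for the example.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Assumed retention schedule for the example: category -> (days to retain after
# the event that starts the clock, action on expiry). Real periods come from the
# documented policy, legal requirements and industry guidance for each category.
RETENTION_SCHEDULE = {
    "marketing_profile": (365, "delete"),   # consent-based profiling data
    "order": (6 * 365, "anonymize"),        # accounting record survives, identity stripped
    "support_ticket": (2 * 365, "delete"),
    "abandoned_cart": (30, "delete"),
}


@dataclass
class Record:
    record_id: str
    category: str
    subject_id: str                      # customer identifier (personal data)
    clock_start: date                    # event that starts the retention clock
    pii: dict = field(default_factory=dict)
    legal_hold: bool = False             # preserved for a possible legal claim
    erasure_requested: bool = False      # data subject asked for early deletion


def decide(record: Record, today: date) -> str:
    """Return 'keep', 'delete' or 'anonymize' for one record."""
    if record.category not in RETENTION_SCHEDULE:
        # An unclassified data store is a policy gap: fail loudly rather than
        # silently retaining (or silently destroying) personal data.
        raise KeyError(f"no retention rule for category {record.category!r}")
    days, expiry_action = RETENTION_SCHEDULE[record.category]
    if record.legal_hold:
        return "keep"            # a hold overrides both expiry and erasure requests
    if record.erasure_requested:
        return expiry_action     # early deletion; an order is anonymized, not lost
    if today >= record.clock_start + timedelta(days=days):
        return expiry_action
    return "keep"


def sweep(records, today):
    """Apply the schedule. Returns (surviving records, audit log of actions taken)."""
    survivors, audit = [], []
    for rec in records:
        action = decide(rec, today)
        if action == "delete":
            audit.append((rec.record_id, "delete"))
            continue
        if action == "anonymize":
            rec.subject_id = "anonymous"
            rec.pii = {}
            audit.append((rec.record_id, "anonymize"))
        survivors.append(rec)
    return survivors, audit


def sample_records():
    """Constructed sample data for the example (not real customer data)."""
    return [
        Record("r1", "marketing_profile", "c100", date(2017, 1, 1), {"email": "a@example.com"}),
        Record("r2", "order", "c100", date(2016, 6, 1), {"address": "1 High St"}),
        Record("r3", "order", "c200", date(2010, 1, 1), {"address": "2 Low St"},
               erasure_requested=True),
        Record("r4", "support_ticket", "c300", date(2015, 1, 1), {"email": "c@example.com"},
               legal_hold=True),
        Record("r5", "abandoned_cart", "c400", date(2018, 9, 1), {"email": "d@example.com"}),
    ]


def run_example(today=date(2018, 10, 10)):
    """Run the sweep over the sample records as of the given date."""
    return sweep(sample_records(), today)


if __name__ == "__main__":
    kept, log = run_example()
    for record_id, action in log:
        print(record_id, action)
    print("retained:", [r.record_id for r in kept])
```

Run as of 10 October 2018, the sweep deletes the expired marketing profile (r1) and abandoned cart (r5), anonymizes the order whose customer asked for erasure (r3) while keeping the order line itself, and leaves the held support ticket (r4) and the recent order (r2) untouched. The audit log is what you would hand to an auditor, or a data subject, to show that the documented periods are actually applied.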
Most eCommerce organizations store customer data in many different places within their technology landscape, and their legacy systems do not support rapid deletion or anonymization. In the GDPR era, the job is managing the data itself, not just the storage and infrastructure on which it sits.
Individuals in the EU freely provide their personal information to eCommerce sites; the recent Facebook/Cambridge Analytica saga highlighted a case of invasion of privacy that enabled data exploitation by some companies. A personal data breach must be reported to the competent supervisory authority within 72 hours of the business becoming aware of it, unless the breach is unlikely to result in a risk to the individuals concerned; where the breach is likely to result in a high risk, the affected individuals must be told as well. Failure to notify can result in a fine of up to €10m or 2% of global annual turnover, whichever is higher. Infringements of the basic processing principles, the conditions for consent or data subjects’ rights can result in a fine of up to €20m or 4% of global annual turnover, whichever is higher. North American eCommerce businesses are not exempt from the GDPR if they market their products to EU markets; they ought to incorporate stringent data protection policies to avoid reputational damage and significant fines.
FileOM provides a complete compliance support service to help implement and adapt to the GDPR, including:
- A data flow audit
- A gap analysis
- Data protection impact assessments (DPIAs)
- Bespoke transition services
Our GDPR Compliance program includes a scan of personal data across your eCommerce business.