In January 2012, the European Union began creating what is now known as the General Data Protection Regulation, or GDPR.
Aimed at ensuring the security of personal data for all citizens of countries within the European Union (and elsewhere), the GDPR will officially become the law of the land on May 25, 2018 for companies operating within all EU member states. Additionally, companies around the world will be required to adhere to GDPR regulations when engaging in business relations with individuals or entities within EU member states.
In essence, the GDPR is meant to replace the Data Protection Directive of 1995, which current technology has rendered antiquated in many areas - most specifically, the way in which people’s personal data is collected, transmitted and stored by companies.
The GDPR, then, is meant to serve a number of purposes:
- Regulate and standardize the process of protecting the personal data of individuals both within EU countries and around the world
- Allow for “easier transfer of data throughout the European Union.”
- Allow individuals to easily access and export data as collected by specific companies, as well as withdraw consent and ensure destruction of personal records within these companies
As mentioned above, the GDPR applies to companies that operate within EU member states as well as to companies that do business with individuals or companies within the EU.
To illustrate the reach of the GDPR, consider the following examples:
- A German-based company is, of course, required to follow the new regulations, as it operates within an EU member state.
- A Canadian-based company that partners with a marketing firm operating within Sweden is required to adhere to the GDPR for all operations in which the Swedish company is involved.
- A US-based ecommerce company that sells its products to customers living in Spain must adhere to the GDPR for those customers only (as well as any other EU-based customers, of course).
(A quick note regarding the United Kingdom: As the UK will not officially break from the EU until Spring 2019, the GDPR remains in effect for its citizens and companies - and any entity that does business with them. There is a fair amount of uncertainty regarding what will happen with GDPR law in the UK after Brexit becomes official - but this doesn’t really affect what we’ll be discussing in this article.)
As you can imagine, the implementation of the GDPR will certainly affect...well...pretty much any company that even potentially may come into contact with an EU-based individual or entity. Not the least of these, of course: ecommerce businesses such as yours.
In other words: you need to be 100% prepared to follow GDPR guidelines to the letter, whether you operate within the EU or not.
CEO of SuretyMail Anne Mitchell seconds this, for a number of reasons:
“You really have no way of knowing whether someone with whom you are interacting online is actually in the EU or not…(also, the GDPR prohibits) using automation to determine certain information about a data subject, including location.
...(The GDPR also) specifically states that they will go after anyone - anywhere - who violates GDPR with respect to someone ‘in the union.’
Plus, GDPR also has a private right of action, meaning zealous individuals will be filing their own grievances against companies wherever those individuals feel their rights under GDPR have been violated.”
Even if you're confident that you will not come into contact with an EU-based individual or entity, it would still behoove you to at least consider becoming GDPR compliant.
As Maurice Flynn, GDPR Author and trainer, says:
"You could do a cost benefit analysis and decide, as a US company, to avoid needing to be compliant by ignoring EU customers, but if you are a growth ambitious company, you can ill afford to ignore this huge geography. Plus some argue that if GDPR adoption in the EU is successful, it may become the gold standard for personal data protection and be adopted even more widely, even by US companies."
But before we discuss the changes you’ll need to make within your organization in order to comply with GDPR rules, let’s look at what the new regulation is all about.
GDPR: The Data, Players, and Processes
While the full text of the GDPR is, of course, rather extensive, we’re going to go over the overarching aspects of the regulation to give you a good idea of what the law entails, such as:
- The data the law pertains to
- The entities involved
- The benchmarks for adherence to the law
Let’s start by defining the data that falls under GDPR regulations.
What Does “Personal Data” Mean?
The GDPR’s full definition of “personal data” is:
“...any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
So, it’s really no exaggeration to say that “personal data” essentially refers to any information about an individual either living within an EU member state or involved in an EU-based company’s operations, period.
(Note: In the interest of not confusing the issue, we won’t go into the few exceptions listed within the GDPR’s text, as they pertain to legal [i.e., criminal] situations that don’t have anything to do with ecommerce.)
Simply put: anything your company knows about your customers, your employees, your partner companies’ employees, etc. is defined as “personal data.” A safe assumption, here, is that if you even think you’re dealing with personal data, you almost certainly are.
Who’s Involved in the Personal Data Equation?
In a moment, we’ll break down a couple of example situations in which personal data is exchanged for a variety of purposes, and explain how the GDPR is to be adhered to in these situations.
Before we do that, though, we need to note how the GDPR defines various entities within the overall process of transmitting, storing, and otherwise communicating personal data.
- Data Subject: The individual to whom the data in question belongs. Typically, the term “Data Subject” refers to consumers, but it can also refer to an employee of your company or of a partner’s company.
- Data Protection Authority: The government officials who have been charged with enforcing data protection laws. Data Protection Authority personnel work to ensure companies remain in compliance with GDPR laws, promote awareness of GDPR rules, and provide guidance to companies regarding compliance. Data Protection Authority officials also hear complaints and cases from data subjects who believe they have been a victim of a data breach, and investigate potential breaches among responsible entities.
- Data Controller: The company or entity that determines the purpose for processing a specific piece of data, and the way in which it will be processed.
- Data Processor: The company or entity that processes the requested data as has been requested by the controller.
One thing to note, before moving forward, is that Data Controllers can also act as Data Processors in certain scenarios. Conversely, since Data Processors are bound to follow the processes defined by Data Controllers, Processors cannot always act as Controllers.
Now, let’s take a look at a couple of examples:
A retail company contracts with a marketing firm to help increase the effectiveness of their Google Adwords campaigns. In order to make appropriate suggestions, the marketing firm requests information on the retailer’s current customer base.
In this instance, the retail company acts as the Data Controller, as it had previously collected this customer data. The marketing firm, then, is the Data Processor, as it will be analyzing the customer data as a means to determine the retailer’s best course of action moving forward.
A retail company partners with a payroll processor to maintain employee records regarding salary, sick time, etc.
In this case, the retail company is again the Data Controller, as it is providing personal data to another entity to be used for a specifically-defined purpose. The payroll processing company is, of course, the Data Processor in this situation. Again, note that this scenario doesn’t involve consumers at all; still, it falls under GDPR regulations.
A bit later on, we’ll talk about what, exactly, Data Controllers and Data Processors are responsible for with regard to the GDPR. For now, though, let’s agree that both parties, in one way or another, are ultimately responsible for keeping personal data safe and secure.
Next, we’ll talk about exactly what “safe and secure” means from the perspective of the GDPR.
Principles of Data Processing
Depending on how you look at the GDPR’s documentation, there are either nine principles regarding data processing, or six (with three of the nine being grouped under one umbrella).
In the interest of clarity, we’re going to look at all nine principles separately.
Lawfulness
This probably goes without saying, but from May 25 onward, all instances of data processing within the EU must occur within the scope of GDPR guidelines.
Moreover, each specific instance of data processing must rest on one or more of the following lawful bases:
- Consent: The Data Subject has given your organization permission to use their information.
- Contract: The processing of a Data Subject’s information is necessary for you to fulfil a contractual obligation with that person.
- Legal Obligation: Law enforcement requires you to process the information.
- Vital Interests: The processing of data is necessary to protect the life and health of an individual.
- Public Task: The processing of data is in the interest of the public, and the task for which you are processing the data is lawful in and of itself.
- Legitimate Interests: The processing of data is for your legitimate interests. However, the Data Subject’s right to privacy may trump these interests.
Fairness
The fairness principle stipulates that Controllers or Processors cannot attempt to mislead Data Subjects in any way with regard to how and why their data is being used.
Essentially, the terms and conditions set forth by a company - and agreed upon by the Data Subject - cannot leave room for interpretation, especially to the point that the company can attempt to skirt around the agreement in any way.
So, your data processing agreements absolutely cannot contain any sort of loopholes, nor can you attempt to interpret the agreement’s wording differently after it has been agreed upon.
Transparency
Along with the last point, the transparency principle requires companies to ensure Data Subjects completely understand all aspects of the data processing agreement, as well as their rights with regard to the GDPR as a whole.
With regard to the processing of their data, Data Subjects must be privy to the specific ways in which it is to be done. The most important thing to understand, here, is that the process must be explained so that the Data Subject can understand it with 100% clarity. In other words, the agreement can’t be laden with jargon that only specialists within your company or industry would understand.
With regard to the GDPR and the Data Subject’s rights, companies are required to be equally explicit in their explanation. Processors must ensure Data Subjects understand that they have the right to deny, amend, or revoke consent, and also that they have the ability to report misuse of data to the proper authorities if need be.
Purpose Limitation
Companies requesting the use of a Data Subject’s information must clearly state exactly what the data will be used for - and must not use the data for any other purposes whatsoever.
(Again, this purpose must be lawful, specific, and explicitly understood.)
“Limited,” in this sense, also means that the stated purpose itself must be narrowly defined.
In other words, a company can’t make a broad statement such as “We will use this personal data to improve our advertising campaigns,” as this would essentially mean the data could be used until the end of time for a variety of purposes relating to the company’s advertising campaigns.
Now, companies can certainly change the scope of their use of data; it would simply require a new agreement with the Data Subjects in question.
Data Minimization
Going along with the last point, the principle of data minimization states that only data which is essential to a defined purpose can be collected and stored by a company.
In other words, companies cannot collect more information on an individual than they need.
For example, if a company is researching the median age of its customer base, it would certainly need to discover their customers’ birthdates. However, if the company wants to look into, say, its quarterly sales records for each of its customers, their dates of birth are irrelevant - and therefore should not be collected by the company.
Similar to the principle of purpose limitation, companies cannot reuse data for a different purpose after having collected it for an initial study without permission of the customer.
Accuracy
The accuracy principle is rather straightforward:
Companies must do their due diligence to ensure the information they collect on their customers is correct and up to date. Going along with this, once a company has collected a Data Subject’s information, the company must ensure said data remains as is; in other words, the company must take precautions to ensure the data isn’t mistakenly edited or changed while in use.
If, for whatever reason, it’s discovered that a piece of data is false or otherwise inaccurate, the company must have a process in place in order to both:
- Amend the data accordingly
- Ensure the incorrect data is permanently erased and disposed of
Furthermore, companies must ensure that the above processes are implemented as soon as an inaccuracy is discovered.
Storage Limitation
Just as it sounds, the principle of storage limitation states that companies should only store data for the span of time it takes to complete the defined task at hand.
While there are circumstances in which archiving certain data is acceptable (such as for scientific research or maintenance of historical records), these purposes must be clearly defined and agreed upon by the Data Subject before they provide the information in the first place.
Additionally, as we’ve discussed throughout this article, companies must ensure that any personal data being stored remains secure and inaccessible to anyone other than the appropriate and agreed-upon parties. Data being stored for extended periods of time for archival purposes must, of course, follow these guidelines, as well.
Integrity and Confidentiality
Going along with that last point, companies must ensure that the information they collect on their Data Subjects be handled, stored, and disposed of in a way that ensures confidentiality for the individuals in question.
As we’ve said, this means that companies must develop and implement security protocols covering the entire process of gathering, using, and disposing of data. Once in place, these protocols must be followed at all times, exactly as they have been defined.
Also, companies are required to ensure that any computer software or other such technology used to collect and store data is protected against hackers and other individuals who do not have permission to view the personal data in question.
Accountability
The accountability principle is sort of a “meta” rule for Controllers, stipulating that they must be able to demonstrate exactly how they intend to follow the principles listed above.
In other words, organizations must actively address these issues, and, as mentioned, follow the defined protocol at any time in which they access personal data.
The accountability principle also mandates that companies anticipate a variety of contingent circumstances - as well as the process they would implement should such a situation arise. As we’ve said, Controllers are responsible for implementing such processes “without delay” - meaning they must be prepared for any potential security breach or other possibility before such a situation arises.
Compliance, Breaches, and Penalties
Now that we know exactly what’s expected from Data Controllers and Data Processors, let’s talk about what happens when an organization doesn’t adhere to the above-mentioned principles.
First of all, while both Data Controllers and Data Processors are expected to follow the GDPR to the letter, it’s ultimately the Data Controller’s responsibility to ensure compliance from every angle. In other words, while Data Processors will certainly be held accountable if they cause a breach of privacy, the Data Controller that contracted the Processor could also face a penalty for contracting with a less-than-reputable organization in the first place.
With regard to what actually constitutes such a security breach, the GDPR’s language is quite clear:
"A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.”
While there are an almost infinite number of ways in which such a breach could occur, the most common instances are as follows:
- Confidentiality Breach: The disclosure of personal data - whether intentional or accidental - to an unauthorized third party, be it an individual or organization.
- Availability Breach: The unauthorized or accidental loss or destruction of data. In other words, doing away with data in a way that does not follow the specified protocol for doing so.
- Integrity Breach: The unauthorized or accidental alteration of data.
Now, if a breach of any kind occurs, the responsible party (or parties) could potentially face major penalties:
- Less-severe breaches of protocol relating to technical aspects (e.g., failure to define and implement processes in the first place) could result in fines of up to €10 million, or 2% of worldwide annual revenue for the previous fiscal year - whichever is greater.
- Severe breaches of protocol and privacy could lead to fines of up to €20 million, or 4% of worldwide annual revenue for the previous fiscal year - again, whichever is greater.
The actual penalty an organization receives will be determined based on a number of factors as set forth by Article 83 of the GDPR:
- The nature and seriousness of the breach
- Whether the breach was intentional, accidental, or the result of negligence
- The quality and timing of the organization’s response
- The organization’s history of privacy breaches
All this being considered, though, you don’t want to operate under the assumption that a small compromise here and there won’t result in major penalties for your company. While an initial breach may result in your organization receiving a warning, even the slightest subsequent misstep could cause major issues for you and your team.
What The GDPR All Means for Ecommerce Businesses
Needless to say, there’s a pretty good chance that ecommerce businesses all over the world will be affected by the GDPR’s rules and regulations.
Of course, companies that operate within the EU will need to follow the GDPR’s rules at all times. Companies based outside of the EU will also need to do so when engaging with consumers or third parties within the EU. Even if a company does not currently do business with any EU-based entity, it’s still advised that said company begin preparing to comply with the GDPR in anticipation of potential expansion in the future.
With this in mind, let’s take a look at what you can do to prepare your ecommerce company for the upcoming implementation of the GDPR.
Appoint a Data Protection Officer
One of the first things you’ll need to do is appoint a Data Protection Officer within your organization.
Your DPO’s duties will include (but are not limited to):
- Ensuring GDPR compliance throughout every aspect of your organization when engaging in business with EU-based entities
- Training your team to ensure compliance from all personnel - as well as making them aware of the purpose and importance of such compliance
- Educating Data Subjects as to how, when, and why their data is being collected and processed - and ensuring they understand all of this
- Maintaining records of all data transactions throughout the company’s operations
- Acting as a liaison between your company and the GDPR supervisory authorities
Note that, while you certainly can hire an individual to function as a DPO, you can also appoint a current staff member to assume these responsibilities (in addition to their current duties) if you do not yet have the bandwidth to take on an additional staff member.
Develop and Implement Proper Protocol
As we’ve said, it’s not enough for organizations to simply assume they’re complying with GDPR rules. Rather, companies need to have documented procedures in place with regard to the collection, use, and disposal of personal data - and follow these procedures exactly as stated at all times.
You shouldn’t wait until GDPR law applies to your organization to create this documentation, either. As mentioned, if even the slightest possibility of engaging with an EU-based entity exists, you want to have the proper procedures in place before expanding into these other countries. Otherwise, you run the risk of either unintentionally violating GDPR policy, or holding your company back while you get up to speed with the regulations in the first place.
Inform Your Customers of Policy Changes
While this essentially means you’ll need to update your terms of service, you’ll want to be a bit more clear when doing so. Remember: the GDPR requires you to not only inform your customers of the new law, but also to ensure they truly understand the law, as well.
That being the case, your best bet is to provide a bit of background to your customers regarding the GDPR in general, then begin discussing how the new laws affect them, as well as how the laws affect your relationship with them.
Mitchell explains that, generally speaking, taking the time to explain policy changes to your customers will only benefit your business in the long run:
“Consumers are more and more aware of breaches, and how fragile the protections of their personal data have been. (Because of this), we find that consumers are thrilled to know that a company is taking measures to tighten up protection of their personal data.”
And, again, you’ll want to provide your customers with the ability to contact your designated DPO for further information if need be.
Ensure Compliance of Third-Party Partners
We spoke about this earlier, but it’s definitely worth restating:
As a Data Controller, it’s your responsibility to ensure that the entities which you allow to access your customers’ personal data also follow the GDPR to the letter of the law.
For ecommerce companies, these third-party entities include companies that develop software, applications, themes, and plugins that you utilize within your website.
Mitchell again provides some insight, here:
“We advise that...companies update (or insist on updates to) all of their third-party contracts wherever the flow of data is concerned, as GDPR puts data controllers on the hook for liability if the data processors they are using end up not being GDPR compliant. So companies will definitely want to add indemnification clauses in their third-party contracts where data is involved.”
While it is, of course, good practice to vet these companies before using their services in the first place (regardless of GDPR law), the stakes are soon to be much higher. As you’ll recall, the penalties for failing to adhere to the GDPR can be monumental - even if the breach occurs within the partner entity through no direct fault of your own.
With that in mind, then, it’s incredibly important that you know for sure the companies you partner with are prepared to follow the GDPR’s guidelines completely. At the very least, if a partner entity does breach GDPR protocol, you want to be able to prove you had nothing to do with the breach, and had no way of anticipating that the partner company would fail to keep up their end of the agreement.
Remain Responsive
While you certainly want to be proactive with regard to your adherence to the GDPR, it’s always possible that your organization could unintentionally break from GDPR protocol at some point in time.
If a breach occurs within your organization - or you discover a breach within one of your partner companies - the first thing you’ll need to do is report it to the proper authorities. According to Article 33 of the GDPR, you have a 72-hour window in which to report the breach to the supervisory authority before additional penalties begin accumulating.
With regard to customer requests (such as a request to revoke permission or dispose of personal data), companies are obligated to honor the request - or, at the very least, respond to the customer and begin moving forward with their request - within thirty days.
One last thing to note, here, is that “responsiveness” does not mean “reactiveness.” In other words, your goal should be to remain as proactive as possible in terms of following the GDPR’s standards, as well as providing your customers with information regarding the use of their personal data. In doing so, you’ll remain a step ahead of privacy-related processes as best you can - and minimize the potential of falling victim to a breach along the way.
Wrapping Up and Moving Forward
Needless to say, the implementation of the GDPR could potentially mean your company will need to make some major changes in the near future.
But, as recent events regarding Facebook’s use of personal data have proven, the modern consumer places an extremely high value on their privacy. With that in mind, whether the GDPR applies to your company or not, it’s in your best interest to put proper protocols in place to ensure your customers’ data is safe and secure while in your hands.
Looking at things from this perspective, while it certainly will require some extra legwork on your end moving forward, the implementation of the GDPR is actually a great thing for everyone involved. Not only does the law provide specific guidelines for your company to follow, but, by following the protocol exactly as stated, you’ll be seen as incredibly trustworthy in the eyes of consumers all around the world.