The EU General Data Protection Regulation (GDPR) takes effect on 25 May 2018 and will affect businesses in all sectors. E-commerce is no different. Any company that takes orders online will process vast amounts of personal data, so it’s important to know what you need to do before the Regulation’s compliance deadline.
Review existing processes
Although the GDPR introduces new requirements and strengthens existing ones, its concepts and principles are much the same as current data protection laws. If you comply with current laws, you will have a starting point to build from.
To help start your compliance programme, you need to compare the Regulation’s requirements with your current measures. Areas of significant change include subject access requests, data breach notifications, the need for qualified staff (i.e. data protection officers, or DPOs) and consent requirements (discussed below).
Consent
Email marketing is an important part of e-commerce. Under the GDPR, organisations need to be much clearer in the way they obtain consent from customers. Requests must be granted with a “clear affirmative action” from the data subject, and they need to explain what information will be gathered and why it’s needed.
Data subjects also need to be given the right to withdraw their consent.
The ICO adds that consent requests should be:
- Unbundled: consent requests must be separate from other terms and conditions.
- Opt-in: pre-ticked boxes or other pre-selected options are invalid.
- Granular: if the data is to be used for multiple marketing activities, then consent must be granted for each of them separately.
- Named: the request must state all organisations and third parties that will be relying on consent.
- Documented: records must be kept to demonstrate when, how and what the individual consented to.
Allow access to data
The GDPR also gives data subjects the right to access any information that’s held on them. This means that organisations must store personal data in a way that allows them to retrieve it quickly. They will also need to offer any data for download where possible.
Organisations also need to provide full visibility across their business so they can detect and resolve any problems.
What happens if you fail to comply?
Supervisory authorities will have the ability to fine organisations €20 million or 4% of their annual global turnover – whichever is greater. But it would take a serious violation of the Regulation for a fine close to that figure, and the ICO reassures us that fines will be a last resort.
This doesn’t mean that there are no repercussions for failing to comply with the GDPR. Supervisory authorities will almost certainly mandate that non-compliant organisations take steps to become compliant, which may include auditing their security processes. There is also the likelihood of reputational damage following a data breach. Even today, it’s not uncommon for breaches to lead to the loss of customers, a reduction in stock prices and senior staff being forced to resign.
Achieving compliance
The GDPR takes effect in less than a year, so you need to be as prepared as possible. Our products and services can help you better understand the Regulation and your requirements, but many organisations should get professional advice.
Our GDPR Gap Analysis service provides an on-site assessment of your organisation’s current level of compliance with the Regulation and is performed by expert data protection consultants. They’ll also provide a detailed breakdown of your compliance status and an action plan that sets out and prioritises the key issues that your organisation must address to become compliant.
We provide a complete compliance support service to help you prepare for and adapt to the GDPR, including:
- A data flow audit
- A gap analysis
- Data protection impact assessments (DPIAs)
- Bespoke transition services