A source of concern for many businesses and e-tailers, the GDPR came into force on 25 May 2018.
If you handle online payments or process the data of EU residents for commercial or marketing purposes, you are one of the organisations concerned!
To put an end to your worries, we help you see things more clearly by setting out the GDPR best practices you need to comply.
But first, let’s start with the basics: what is the GDPR?
Adopted by the European Parliament and the Council in April 2016, the General Data Protection Regulation (GDPR) is the European Union's data privacy law.
It became applicable on 25 May 2018, when it replaced the 1995 EU Data Protection Directive.
The GDPR is an 88-page text (as published in the Official Journal) that sets out the rules organisations processing personal data must follow for its collection, storage, use, protection and security.
Its stated aim is to extend the rights of European citizens with regard to their personal data, by strengthening their protection and giving them the means to manage the way it is used by companies.
Specifically, the GDPR gives individuals the right to access, rectify and erase their data, and to restrict or object to its processing.
It is legitimate to ask: who does the GDPR apply to? To answer that question, here are three things you should know.
1 – Business activities in the EU
Even if your company is not based in the European Union, you must comply with the GDPR if you do business there.
The regulation applies to all organisations established in the EU, and also to those outside it that offer goods or services to people in the EU or monitor their behaviour.
2 – Data processing activities
You are concerned by the GDPR as soon as you collect and/or process personal data.
What data does the GDPR cover? Any information relating to an identified or identifiable individual: photos, social-network posts, IP addresses, bank details, and identification numbers such as the NIR (the French social security number). In practice it covers all your marketing, sales, advertising, HR and accounting databases.
In short, if you use your customers' data for anything beyond simply fulfilling their orders, you are particularly concerned!
Don't worry, you are not alone. The GDPR does not apply only to e-commerce businesses, associations and other organisations: the tools, software, CMSs and social networks you rely on, such as Google, Facebook, MailChimp or Shopify, to name but a few, are also covered and must comply.
3 – VSEs, SMEs, associations, major accounts… all in the same boat
The GDPR affects private AND public organisations of any size or sector.
It doesn't matter whether you have one employee or 10,000: as long as you handle data on people in the EU, the GDPR applies. However, a small e-tailer or VSE is not subject to every obligation that a large company or e-commerce giant is (for example, the duty to keep records of processing activities is relaxed for organisations with fewer than 250 employees, unless their processing is risky, regular rather than occasional, or involves sensitive data).
A company in the health sector that handles medical data, which the GDPR treats as a "special category" of sensitive data, faces stricter requirements than a company selling beauty products.
Many of the GDPR's requirements, however, apply to all businesses.
[Editor’s note: our best recommendation is to consult a specialist GDPR agency to help you get compliant]
"Consent should be given by a clear positive act by which the data subject freely, specifically, knowledgeably and unambiguously expresses his or her agreement to the processing of personal data concerning him or her."
The GDPR requires organisations to be clear about how they obtain customer consent. Consent must be an unambiguous, affirmative act: the individual has to actively agree to the processing (and for sensitive data, consent must be explicit).
Pre-ticked boxes, silence or inactivity are therefore not valid indications of consent.
Data subjects must also be able to withdraw their consent as easily as they gave it. Withdrawal does not by itself erase the data, but you must stop the processing that relied on that consent, and the person can separately request the erasure of their data.
Good practices for obtaining client consent :
"Arrangements should be made to facilitate the data subject [...] to request and, where appropriate, obtain without charge, access to and rectification or erasure of personal data and the exercise of a right of objection."
The GDPR gives individuals the right to access the information you hold on them and to obtain a copy of it, normally within one month of the request (extendable by a further two months for complex or numerous requests).
This means you need to store personal data in a way that lets you find and extract everything relating to a given person quickly.
Best practices for granting access to data :
"Personal data should be processed in a way that ensures appropriate security and confidentiality."
As a company or e-commerce site, you collect data that can cause real harm if exposed: card numbers, location, e-mail addresses... (note that "sensitive data" in the legal sense of the GDPR is a narrower category covering health, biometric, political and similar data).
Since the GDPR applies, you need to be explicit about what happens to that data. Where does it go? Who uses it? Who is responsible for storing and processing it?
You must be able to show that data security is ensured across all departments of your company: marketing, IT, communication, etc.
Good privacy practices :
Also find out how to protect your business and e-commerce from a cyber attack
"The principle of transparency requires that any information and communication relating to the processing of such personal data be easily accessible, easy to understand, and formulated in clear and simple terms."
The GDPR places strong emphasis on transparency.
You must therefore ensure that the information you provide is clear and easy to understand, and that individuals can easily exercise their rights over their personal data.
Good practices for data transparency :
See also our article on tips for drafting your GTCs
"As soon as the controller becomes aware that a personal data breach has occurred, it should notify the supervisory authority as soon as possible."
Under the GDPR, you must notify your supervisory authority (the CNIL in France) of a personal data breach within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals' rights and freedoms; a later notification must explain the delay. You must also be able to demonstrate your data security and privacy procedures quickly, so keep an internal record of every breach, whether or not it was notified.
If the breach is likely to result in a high risk to the rights and freedoms of the people concerned, you must also inform those data subjects without undue delay.
Best practices for data breach notification :
Any company found in breach of the GDPR can face an administrative fine of up to 4% of annual worldwide turnover or €20 million, whichever is higher. It would take a serious infringement to attract a penalty of that size, so fines of this kind are a last resort.
That does not mean non-compliance has no consequences: through reminders, warnings and orders, regulators can require non-compliant organisations to take the necessary steps to become compliant.
Also consider the reputational damage a data breach can cause. In addition, data subjects have the right to lodge a complaint and to go to court to claim compensation for damage suffered as a result of an infringement.
In conclusion, use the GDPR as a guide on how you should collect, manage and store your customers’ personal data! Beyond the workload that compliance may entail, consider the opportunity it presents to give your customers greater confidence and a better shopping experience.
To go further, you can consult these GDPR resources: