The advances in ecommerce make it easier than it has ever been to expand your business way beyond the UK. In doing so, your business needs to consider compliance with EU laws and regulations.
On 25 May 2018, the General Data Protection Regulation (GDPR) comes into force across the EU and replaces the 1995 Data Protection Directive. The regulation was published in the EU Official Journal in May 2016, giving businesses two years to prepare for the changes that GDPR brings.
1995 – EU Directive on Data Protection
1998 – UK Data Protection Act
2000 – Safe Harbor established (framework for international businesses)
2011 – Max Schrems gets all personal data collected by Facebook
2015 – Safe Harbor invalidated by EU court
2016 – GDPR adopted (applies from 25 May 2018) – companies must be clear and transparent from the outset about how they collect, manage, store and delete consumer data.
What is GDPR?
If you are required to comply with the 1995 Data Protection Directive, then GDPR will affect you.
So, what is the General Data Protection Regulation and why do you need to know about it? EU regulation is still relevant for UK businesses, and will be for some time yet. GDPR replaces the current 1995 Data Protection Directive, and it carries serious consequences for ecommerce merchants found not to be complying.
The General Data Protection Regulation helps consumers manage how their personal data is used and protects them from data misuse. It brings hefty fines for businesses that don’t comply, obligations for improved data management, and more transparency for consumers about the data a company holds on them. That said, there are opportunities too.
There are plenty of new conditions, and one of the biggest changes is related to consent. The new regulations mean, as an ecommerce business, you must keep a thorough record of how and when consumers give consent to use their personal data.
What does GDPR mean for your ecommerce business?
A lot of consumers don’t really understand how their data is tracked and used. GDPR means they have greater rights in accessing the data you hold about them.
GDPR covers sensitive data as well as personal data. Personal data includes name, address, email address and the like. Sensitive data covers sexual orientation, political opinions, religious views, and so on.
Right now, consumers can request the personal data your business holds, and you can charge £10 to release this information. Under the GDPR, such requests can no longer be charged for.
The GDPR’s 99 articles set out the obligations of businesses and the rights of consumers. You have a greater responsibility to gain active consent from consumers when collecting data, and the new fines regime will enforce compliance.
OnePoll questioned 2,000 customers in the UK between 24 and 26 May 2017. The study found that 33% said they would exercise their right to have personal data removed by businesses, and 24% said they would exercise their right to access the personal data that businesses hold.
To demonstrate accountability and be sure that your business complies with the GDPR, it will be necessary to have:
data protection policies in place;
relevant information detailing how the business processes data;
data protection impact assessments.
A pre-ticked box is no longer acceptable as a way to infer consent! Under the GDPR, consent must take the form of an active agreement. You’ll need to deactivate any default opt-ins in place on your website, and everything will need an audit trail.
Consumers gain a stronger right to withdraw consent at any time; when they do, the consumer must be forgotten completely and their data deleted permanently.
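The two requirements above (consent only from an explicit action, with a record of how and when it was given, and withdrawal leading to erasure) are easier to reason about with a concrete data model. The following is an added illustration written for this page, not code from the original article or from any vendor it mentions; the class and field names, the event actions and the sample customer record are all assumptions, and a real system would persist the ledger rather than keep it in memory.

```python
"""Consent ledger sketch: explicit opt-in, timestamped audit trail, and
withdrawal followed by permanent erasure of personal data.
Added illustration; names, fields and sample values are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List
import uuid


@dataclass(frozen=True)
class ConsentEvent:
    """One append-only audit-trail entry: what was decided, when, and how."""
    event_id: str
    customer_id: str      # opaque internal id, never a name or email
    purpose: str          # e.g. "marketing_email" (constructed value)
    action: str           # "granted", "withdrawn" or "erased"
    recorded_at: str      # ISO 8601 timestamp in UTC
    source: str           # where the choice was captured, e.g. "checkout_form"
    notice_version: str   # version of the privacy notice shown at the time


def _now_iso() -> str:
    return datetime.now(timezone.utc).isoformat()


class ConsentLedger:
    """Keeps personal data separate from the consent trail, so the trail can
    survive erasure without retaining anything that identifies the person."""

    def __init__(self) -> None:
        self.events: List[ConsentEvent] = []
        self.profiles: Dict[str, dict] = {}

    def register(self, customer_id: str, personal_data: dict) -> None:
        self.profiles[customer_id] = dict(personal_data)

    def _append(self, customer_id, purpose, action, source, notice_version) -> ConsentEvent:
        ev = ConsentEvent(str(uuid.uuid4()), customer_id, purpose, action,
                          _now_iso(), source, notice_version)
        self.events.append(ev)
        return ev

    def record_consent(self, customer_id, purpose, *, user_ticked_box: bool,
                       source: str, notice_version: str) -> ConsentEvent:
        # A pre-ticked box or a silent default is not consent: only a choice the
        # customer actively made is recorded; anything else is rejected unwritten.
        if not user_ticked_box:
            raise ValueError("consent requires an explicit opt-in action by the customer")
        if customer_id not in self.profiles:
            raise KeyError(f"unknown customer {customer_id!r}")
        return self._append(customer_id, purpose, "granted", source, notice_version)

    def withdraw(self, customer_id, purpose, *, source, notice_version) -> ConsentEvent:
        return self._append(customer_id, purpose, "withdrawn", source, notice_version)

    def has_consent(self, customer_id, purpose) -> bool:
        # An erased customer never has consent; otherwise the latest event decides.
        if customer_id not in self.profiles:
            return False
        latest = None
        for ev in self.events:
            if ev.customer_id == customer_id and ev.purpose == purpose:
                latest = ev
        return latest is not None and latest.action == "granted"

    def forget(self, customer_id, *, source, notice_version) -> None:
        # Delete the personal data permanently; the trail keeps only the opaque id
        # and the fact of erasure, so it cannot be used to re-identify the person.
        self.profiles.pop(customer_id, None)
        self._append(customer_id, "*", "erased", source, notice_version)

    def audit_trail(self, customer_id) -> List[ConsentEvent]:
        return [ev for ev in self.events if ev.customer_id == customer_id]


def demo() -> list:
    """Walk one constructed customer through opt-in, withdrawal and erasure."""
    ledger = ConsentLedger()
    ledger.register("cust-0001", {"email": "alice@example.invalid"})  # constructed sample
    try:
        ledger.record_consent("cust-0001", "marketing_email", user_ticked_box=False,
                              source="checkout_form", notice_version="2018-05")
    except ValueError:
        pass  # a defaulted opt-in is refused and nothing is written to the trail
    ledger.record_consent("cust-0001", "marketing_email", user_ticked_box=True,
                          source="checkout_form", notice_version="2018-05")
    granted = ledger.has_consent("cust-0001", "marketing_email")
    ledger.withdraw("cust-0001", "marketing_email",
                    source="account_page", notice_version="2018-05")
    ledger.forget("cust-0001", source="account_page", notice_version="2018-05")
    return [granted,
            ledger.has_consent("cust-0001", "marketing_email"),
            "cust-0001" in ledger.profiles,
            [ev.action for ev in ledger.audit_trail("cust-0001")]]
```

The design choice worth noting is the split between `profiles` (the personal data, which is deleted on erasure) and `events` (the trail, which holds only an opaque id, timestamps and the privacy-notice version). That split is what lets you later show an auditor when and how consent was obtained without holding onto the very data the customer asked you to forget.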
What if you don’t comply with the GDPR?
It’s going to cost you… A lot!
“Fines from the Information Commissioner's Office (ICO) against Brit companies last year would have been £69m rather than £880,500 if the pending General Data Protection Regulation (GDPR) had been applied.”
– NCC Group
If a data breach occurs, the GDPR requires you to inform the relevant authorities within 72 hours. This is one example of the demanding nature of the new regulations.
Not complying could well shut down your business: you could be fined €20 million or 4% of your turnover, whichever is bigger.
The obvious opportunity from the General Data Protection Regulation is getting your data organised. Getting compliant means being more transparent with consumers.
Compliance puts you in a position where you gain a single-view of your consumers. This means you can drive personalisation and actually benefit from GDPR from a business perspective.
GDPR simplifies the process for businesses serving customers in different Member States. You will no longer need to register with a data protection authority in each Member State; you deal only with the authority in the Member State where your business is established.
The GDPR also streamlines the process across the EU bringing consistency across borders.
What does GDPR mean for UK companies after Brexit?
If you collect the personal data of EU residents, you will need to comply fully with the GDPR, even after Brexit.
In the EU, each member is required to comply with the 1995 Data Protection Directive. Every member state also has national laws, which is where the UK’s Data Protection Act 1998 comes in.
A new Data Protection Bill was published in the UK in 2017 and is currently going through Parliament to become law. This Bill incorporates many of the same requirements as the GDPR, so compliance with the regulation is both imminent and necessary.
For your information
We recommend attending Econsultancy’s GDPR event. You can also find an excellent GDPR webinar from our partner dotMailer and an article on GDPR from Magento themselves posted at the start of February 2018.
Here is a list of resources from UK Privacy Commissioner:
Preparing for the General Data Protection Regulation (GDPR) – 12 Steps to Take Now;
Privacy notices, transparency and control – A code of practice on communicating privacy information to individuals;
ICO’s guide to GDPR is essential for both consumers and those working within businesses.
Other useful sources:
The full regulation is 88 pages long and has 99 articles;
EU GDPR Portal details all you need to know and has a handy countdown clock for when GDPR will come into force.
The EU’s Article 29 data protection group is publishing guidelines on data breach notifications, transparency, and subject access requests.