6 Things You Need to Know About GDPR
In a matter of weeks, the EU General Data Protection Regulation (GDPR) will transform online privacy as we know it. The new laws were adopted by the EU on April 8th, 2016, and go into effect on May 25th, 2018. Even though these regulations are tied to the EU, online retailers across the globe will feel its impacts.
What is the GDPR?
The GDPR is a comprehensive European privacy law that streamlines data protection requirements across the EU and addresses the export of personal data outside the EU.
The statute aims to give consumers more control over their personal data while simplifying the regulatory environment for international businesses operating within the EU.
The law seems very Euro-focused, but the reality is that it will affect retailers all over the globe. Here are 6 things you need to know before GDPR goes live on May 25th:
1. GDPR Will Affect Your Business
Even if your business is not established in the EU, GDPR applies to you if you offer goods or services to individuals in the EU or monitor their behaviour (for example, through online tracking). The regulation is designed to safeguard individuals in the EU and their data, regardless of where your business is located.
If a retailer handles the data of even one EU-based shopper in this way, that retailer must have proper protections in place.
2. “Personal Data” is A Broad Term
The GDPR’s definition of “personal data” is exceptionally broad. According to the EU GDPR Portal, personal data is, “any information related to a natural person or ‘Data Subject’, that can be used to directly or indirectly identify the person.”
This can be anything from a name, a photo, an email address, bank details, social media posts, or even an IP address. Companies need a lawful basis, such as the person’s consent, before using or storing this data, and even then they may keep it only for as long as the purpose requires.
3. Consent Must Be Clear and Easy to Withdraw
Personal consent is one of the pillars of GDPR. Shoppers can object to merchants processing their personal data for purposes such as sending marketing communications, online tracking, or user profiling.
Consent conditions have also been strengthened, calling for companies to request consent in an “intelligible and easily accessible form, using clear and plain language.” Furthermore, it must be as easy to withdraw consent as it is for consumers to give it.
4. “The Right to Be Forgotten”
The “Right to Be Forgotten” is another win for privacy-conscious consumers. Shoppers can request that their personal data is deleted, and where the conditions for erasure are met (for example, the data is no longer needed for the purpose it was collected for, or the shopper has withdrawn consent), the merchant must comply without undue delay. This extends beyond the eCommerce storefront – the law covers personal data wherever the business holds it.
The broad interpretation of “personal data” means that everything from addresses and phone numbers to orders and product reviews falls within the scope of the “Right to Be Forgotten.” Personal data directs strategy and insights, so ensuring that shoppers trust your brand with their data is more important than ever.
5. Non-Compliance Will Cost You
Failure to comply with GDPR will be costly. Organizations can be fined up to 4% of annual global turnover or €20 million, whichever is higher. These are the maximum fines for the most serious violations, such as breaching the basic principles for processing (including the conditions for consent) or the rights of data subjects.
Should a breach occur, a controller must notify the supervisory authority within 72 hours of becoming aware of it, where feasible, and must inform affected individuals without undue delay when the breach is likely to result in a high risk to them. A processor must notify the controller without undue delay. Breach-notification failures fall into the lower fine tier of up to 2% of annual global turnover or €10 million, whichever is higher. Fines can also be imposed simply for failing to keep proper records of processing activities.
6. GDPR Applies to both Controllers and Processors
Controllers and processors are the two key groups affected by GDPR. A controller is an entity that determines the purposes and means of processing personal data. A processor is an entity that processes personal data on behalf of the controller.
So, hypothetically, Willie’s Warehouse sells online on a cloud-based platform and collects personal data on its online shoppers. In this situation, Willie’s Warehouse is the data controller – it has full control of, and responsibility for, its customers’ data.
Its cloud-based commerce platform, however, processes this data to help Willie’s Warehouse optimize its digital experience. This makes the platform provider a data processor – it processes Willie’s data on behalf of the company, and may only do so on Willie’s documented instructions.
The important point here is that GDPR doesn’t just apply to merchants – cloud-based platforms and data services also fall under GDPR jurisdiction, and the contract between controller and processor must set out the processor’s obligations.