With modern technology we generate more personal data than ever before, and the rules that governed its protection were written for a different era. They did not address how personal data is collected, stored and used at today's scale.
On 24 October 1995, the European Union (EU) adopted the Data Protection Directive (Directive 95/46/EC) to regulate the processing of personal data within the EU. As a directive, it had to be transposed into each member state's national law, so the level of protection and the vigour of enforcement varied from country to country. Its principles live on in the GDPR, which repealed the directive on 25 May 2018.
This article sets out the fundamentals of GDPR compliance.
What is GDPR?
The General Data Protection Regulation (GDPR), Regulation (EU) 2016/679, is the EU's legal framework for protecting personal data and the privacy of individuals. It was adopted in April 2016 and has applied directly in every member state since 25 May 2018, with no national transposition needed. The regulation treats all personal data with the same seriousness, whether it comes from bank transactions, social media profiles or photographs.
Who does GDPR apply to?
The GDPR applies to any organisation established in the EU, and to any organisation outside the EU that offers goods or services to people in the EU or monitors their behaviour. Citizenship is irrelevant: what matters is that the data subject is in the EU. Any e-commerce company that processes the personal data of shoppers residing in the EU is therefore in scope, and databases holding account details, payment data and transaction histories are squarely covered.
What does it mean if the GDPR is violated?
If you violate the GDPR, the consequences include:
- Economic consequences: administrative fines of up to 20 million euros or 4% of worldwide annual turnover, whichever is higher, for the most serious infringements (a lower tier of 10 million euros or 2% applies to others, such as failing to notify a breach). A breach does not trigger a fine automatically, but a breach that exposes weak security, or one that goes unreported, is exactly the kind of failing supervisory authorities penalise.
- Reputational consequences: a company that cannot demonstrate compliance, or that is publicly sanctioned, loses customer trust, and that loss often outlasts the fine itself.
- Commercial consequences: data breaches are a growing concern for customers, particularly in e-commerce, where they entrust companies with payment and address data. The 2013 Yahoo breach, eventually found to have affected all 3 billion user accounts, shows how far the fallout can reach.
Noncompliance with the GDPR can therefore lead to heavy financial losses.
To reduce that risk, the checklist below sets out the main areas an e-commerce business needs to cover, with key questions to confirm compliance.
The checklist is meant to create awareness of the GDPR among e-commerce businesses. It is not legal advice. It aims to help e-commerce business owners understand what the regulation expects of them, identify the cardinal issues and start addressing them.
GDPR e-commerce checklist
#1. If your e-commerce business is based outside of the EU, are you complying with GDPR?
Under EU data protection law, personal data may be transferred outside the EU only to third countries that the European Commission has found to provide an adequate level of protection, or under appropriate safeguards such as Standard Contractual Clauses or Binding Corporate Rules. An e-commerce company must comply with the GDPR regardless of where it is located, as long as it serves people in the EU.
As an e-commerce company operating outside the EU, you must protect the personal data sent to you, and your EU customers and partners will expect a documented transfer mechanism. For US companies the EU-US Privacy Shield was the usual mechanism until the Court of Justice of the EU invalidated it in July 2020 (Schrems II); transfers to the US now rely on Standard Contractual Clauses backed by a transfer impact assessment, or on certification under the EU-US Data Privacy Framework adopted in 2023.
- Is your company familiar with the new requirements under GDPR?
- Is your company in compliance or is remedial work required?
- Does your company have a valid transfer mechanism in place (EU-US Data Privacy Framework certification or Standard Contractual Clauses), given that Privacy Shield is no longer valid?
- Does your company include GDPR compliance in contracts with the EU partners?
- Is your company aware of all international transfers of personal data it makes or receives?
- Is your company aware of data usage as stated in the privacy notices?
#2. Is your e-commerce business’ privacy notice in plain English?
- Is your company's privacy notice:
- written in plain English,
- a clear and transparent description of how the data is used,
- clear about who the data is shared with and what the user's rights are?
- Does your privacy notice state what data is collected, on what lawful basis, how it is used and how long it is kept?
- Does your privacy notice explain how to exercise:
- individual rights,
- subject access requests?
#3. Does your e-commerce business deal with children? If yes, is your privacy notice written in a language they can understand?
The UN Convention on the Rights of the Child defines a child as anyone under 18. The GDPR additionally sets 16 as the age at which a child can consent to online services themselves (member states may lower this to 13); below that age, consent must come from the holder of parental responsibility. The privacy notice should be written in language that children will understand, and transparency about data usage matters most where children are concerned.
- As an e-commerce company, are you aware if you collect information from or about children?
- Is the documentation in place for the processes you use to protect information about children?
- Has your company documented data minimisation, storage and deletion processes for children's data?
- Do children provide their information directly on your e-commerce website? If so, have you written a privacy notice for children in plain English language?
- Does your company hold documented evidence that it has parental consent for processing children's data?
- Does your company delete children's data records on request from a parent or guardian, with a proportionate check that the requester actually holds parental responsibility rather than an excessive demand for documentary evidence?
- Does your company honour requests to delete data that was collected from an individual as a child, now that they are an adult?
#4. Do you obtain consent from your visitors and customers before collecting their data?
In e-commerce the GDPR aims to give customers real control over how their data is used, and consent is one of the key elements of that. Under the GDPR consent must be freely given, specific, informed and unambiguous, and given by a clear affirmative action: pre-ticked boxes and silence do not count, and withdrawing consent must be as easy as giving it.
As an e-commerce company you need a working consent-management solution, and you must be able to prove what each person consented to, when, and under which version of your notice. The privacy notice on your website must cover the collection, processing, storage and usage of customer data. Every channel that collects data, including forms, sign-ups, email capture and popups, is part of the same compliance picture and must let users give or withdraw consent for each purpose.
- Has your company classified each of its data collection and processing activities and identified the lawful basis for each one (consent, performance of a contract, legal obligation, vital interests, public task or legitimate interests)?
- Do your company's consent processes meet the GDPR criteria above (freely given, specific, informed, unambiguous, easy to withdraw)?
- Can your company produce documentation proving the lawful basis, or the consent, for every category of data it collects and processes?
- Has your company reviewed existing consent mechanisms? Can you ensure that your consent processes meet the above criteria?
- Does your company regularly update its consent mechanisms?
- Is your company prepared to stop processing and delete records where there is no lawful basis or valid consent for the data collected?
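The requirements above (purpose-specific consent, proof of when and how it was given, withdrawal as easy as granting, and processing that stops when consent is absent) translate into an append-only consent log. The following is an added example in Python, not code from the original article or from any particular consent-management product. The purpose keys ("marketing_email", "analytics"), the notice version strings, the capture sources and the sample user are all hypothetical, and the timeline in demo_ledger() is constructed for illustration.

```python
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from typing import List, Optional


@dataclass(frozen=True)
class ConsentEvent:
    """One immutable entry in the consent log."""
    user_id: str
    purpose: str          # hypothetical purpose keys, e.g. "marketing_email", "analytics"
    granted: bool         # False records a withdrawal
    notice_version: str   # version of the privacy notice the user was shown
    source: str           # where it was captured, e.g. "signup_form", "account_settings"
    at: datetime          # UTC timestamp of the action


class ConsentLedger:
    """Append-only consent log. Nothing is ever overwritten, so the history is
    itself the evidence of consent (and of its withdrawal) for each purpose."""

    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []

    def _record(self, user_id, purpose, granted, notice_version, source, at):
        ev = ConsentEvent(user_id, purpose, granted, notice_version, source,
                          at or datetime.now(timezone.utc))
        self._events.append(ev)
        return ev

    def grant(self, user_id, purpose, notice_version, source, at=None):
        return self._record(user_id, purpose, True, notice_version, source, at)

    def withdraw(self, user_id, purpose, source, at=None):
        # Withdrawal is a one-step action: no notice version or justification needed.
        return self._record(user_id, purpose, False, "", source, at)

    def history(self, user_id, purpose) -> List[ConsentEvent]:
        return sorted((e for e in self._events
                       if e.user_id == user_id and e.purpose == purpose),
                      key=lambda e: e.at)

    def has_consent(self, user_id, purpose, at: Optional[datetime] = None) -> bool:
        """True only if the most recent event for (user, purpose) at or before
        `at` is a grant. Never granted, or withdrawn since, both yield False."""
        hist = [e for e in self.history(user_id, purpose) if at is None or e.at <= at]
        return bool(hist) and hist[-1].granted

    def evidence(self, user_id, purpose) -> list:
        """Audit export: the full timeline as plain dicts with ISO timestamps."""
        return [dict(asdict(e), at=e.at.isoformat()) for e in self.history(user_id, purpose)]


class ConsentRequired(Exception):
    pass


def send_marketing_email(ledger: ConsentLedger, user_id: str, subject: str) -> str:
    """A processing step gated on consent; it fails closed rather than open."""
    if not ledger.has_consent(user_id, "marketing_email"):
        raise ConsentRequired(f"no valid marketing_email consent for {user_id}")
    return f"queued '{subject}' for {user_id}"


def demo_ledger() -> ConsentLedger:
    """Constructed sample timeline (not real customer data)."""
    t0 = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)
    t1 = datetime(2024, 3, 15, 18, 30, tzinfo=timezone.utc)
    ledger = ConsentLedger()
    # Signup form: the shopper ticked marketing and left analytics unticked.
    ledger.grant("u-1001", "marketing_email", notice_version="2024-02",
                 source="signup_form", at=t0)
    # Two weeks later the shopper withdrew marketing consent from account settings.
    ledger.withdraw("u-1001", "marketing_email", source="account_settings", at=t1)
    return ledger
```

Because the log is append-only and timestamped, has_consent() can answer both "may we email this person now?" and "were we allowed to email them on that date?", which is the question a regulator asks after a complaint. Storing the notice version with each grant also lets you find everyone whose consent predates a material change to the notice and needs refreshing.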
#5. Have you told your users what you’re going to do with their data?
This is the most fundamental step towards GDPR compliance for an e-commerce business. Companies must describe clearly how long they keep data and why, covering the categories of data, the retention timelines and how deletion is verified, and must describe the security measures that protect the data.
The GDPR gives individuals eight rights: the right to be informed, the right of access, the right to rectification, the right to erasure, the right to restrict processing, the right to data portability, the right to object, and rights in relation to automated decision-making and profiling. The questions below check whether you can honour them:
- Has your company reviewed current provisions for meeting individual rights?
- Has your company reviewed the publicizing of individual rights in privacy notices?
- Has your company identified what data could be subject to these rights?
- Does your company have the technical capability to produce an electronic copy of all the data it holds on a user?
- Does your product or service have the technical ability to support data portability, that is, handing users their data in a structured, commonly used, machine-readable format?
- Has your company identified where it makes automated decisions about individuals, including profiling, and can it honour the rights attached to that? What about processing that is necessary to provide your service?
- Is your company aware that, as a rule, individuals cannot be charged for exercising their rights? A reasonable fee is allowed only where a request is manifestly unfounded or excessive, for instance because it is repetitive.
#6. Can your customers obtain a copy of the data you have collected?
Under the GDPR customers have enhanced rights over their data. They can make a Subject Access Request (SAR) to exercise their right of access to the personal data you hold about them.
Your privacy notice should explain clearly how a user can submit a SAR. You must respond without undue delay and at the latest within one month of receipt; that period may be extended by up to two further months for complex or numerous requests, provided you tell the individual within the first month. The right of access is fundamental, so the first copy must be provided free of charge.
- Has your company created a process for users to request the SAR?
- Is your SAR process described and explained clearly in your privacy notices?
- Is your company's internal SAR process documented, and would it stand up to scrutiny by the data protection regulator?
- Does your company have a central point of contact for handling SARs?
- How are SARs tracked in your company, and who owns the receipt, processing and completion of each one?
- Does your company have the operational capacity to respond to SARs within one month?
- Does your company have systems that can generate the data required under a SAR?
- Does your SAR process cover every system that holds personal data, so that no use of the data is overlooked?
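The last three questions (systems that can generate the data, a one-month clock, and no source overlooked) come together in a SAR export routine. The following is an added example in Python, not the article's own code or a real product's API. The in-memory ACCOUNTS, ORDERS, SUPPORT_TICKETS and MARKETING_PREFS stores are constructed stand-ins for real databases, the user ids and records are invented, and the set of withheld fields is an assumption about which fields belong to other people (a support agent's name, internal notes) rather than to the data subject.

```python
import calendar
import json
from datetime import date

# Constructed in-memory stand-ins for the systems that hold personal data.
ACCOUNTS = {
    "u-1001": {"user_id": "u-1001", "email": "ada@example.com", "name": "Ada L.",
               "created": "2022-05-03"},
}
ORDERS = [
    {"order_id": "o-1", "user_id": "u-1001", "total_eur": 49.90, "ship_to": "1 Example St, Dublin"},
    {"order_id": "o-2", "user_id": "u-1001", "total_eur": 12.00, "ship_to": "1 Example St, Dublin"},
    {"order_id": "o-3", "user_id": "u-2002", "total_eur": 80.00, "ship_to": "9 Other Rd, Lyon"},
]
SUPPORT_TICKETS = [
    {"ticket_id": "t-7", "user_id": "u-1001", "subject": "Late delivery",
     "agent_name": "B. Lovelace", "internal_note": "escalated to warehouse"},
]
MARKETING_PREFS = {"u-1001": {"user_id": "u-1001", "newsletter": True, "sms": False}}

# Data inventory: every system holding personal data registers how to pull one
# subject's records and which fields are NOT the subject's own data (other
# people's identifiers, internal notes) and so are withheld. The export walks
# this registry, so an inventoried system cannot be silently skipped.
DATA_INVENTORY = {
    "account": {
        "extract": lambda uid: [ACCOUNTS[uid]] if uid in ACCOUNTS else [],
        "withhold": set(),
    },
    "orders": {
        "extract": lambda uid: [o for o in ORDERS if o["user_id"] == uid],
        "withhold": set(),
    },
    "support_tickets": {
        "extract": lambda uid: [t for t in SUPPORT_TICKETS if t["user_id"] == uid],
        "withhold": {"agent_name", "internal_note"},   # assumption: third-party / internal data
    },
    "marketing_preferences": {
        "extract": lambda uid: [MARKETING_PREFS[uid]] if uid in MARKETING_PREFS else [],
        "withhold": set(),
    },
}


def add_one_month(d: date) -> date:
    """Statutory deadline: one month from receipt (Art. 12(3)). Clamps to the
    last day of a shorter month, e.g. 31 Jan 2024 -> 29 Feb 2024."""
    year, month = (d.year + 1, 1) if d.month == 12 else (d.year, d.month + 1)
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))


def response_deadline(received_iso: str) -> str:
    return add_one_month(date.fromisoformat(received_iso)).isoformat()


def export_subject_data(user_id: str, received_iso: str) -> dict:
    """Assemble a machine-readable SAR / portability bundle for one subject,
    drawing from every inventoried source and stripping withheld fields."""
    bundle = {
        "subject_id": user_id,
        "request_received": received_iso,
        "response_due": response_deadline(received_iso),
        "sources": {},
    }
    for name, spec in DATA_INVENTORY.items():
        bundle["sources"][name] = [
            {k: v for k, v in rec.items() if k not in spec["withhold"]}
            for rec in spec["extract"](user_id)
        ]
    return bundle


def to_json(bundle: dict) -> str:
    """'Structured, commonly used, machine-readable': plain JSON satisfies it."""
    return json.dumps(bundle, indent=2, sort_keys=True)
```

The point of routing the export through DATA_INVENTORY rather than hand-writing one query per table is that the inventory built under checklist item #7 becomes executable: a system that is recorded there is exported automatically, and a system that is not is a visible gap in the inventory rather than an invisible gap in the SAR response. Note that the bundle for one subject must never contain another subject's records; the export above filters by user_id in every extractor, and the test for this block checks that the other shopper's order does not leak.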
#7. Are you auditing all the data you’re collecting and processing?
An e-commerce company must inventory and audit all the personal data it collects and processes, online and offline. An e-commerce business depends on customer data, so it must know what it holds, where, why and for how long, and review that inventory regularly. Article 30 of the GDPR requires most organisations to maintain a written record of their processing activities, and that record is the natural backbone of the audit.
- Has your company audited all online information?
- Has your company audited all offline information?
- Has your company conducted an audit of how information is retained, re-used, and shared?
- Has your company audited data received from and stored by third-party companies?
- Has your company reviewed its partners and third-party suppliers?
- Does your company maintain an inventory of the data shared with third-party companies?
#8. Have you reviewed your application for Privacy by Design best practice?
Under the GDPR (Article 25, data protection by design and by default), designers and developers must build data protection in from the design stage. All websites, apps and business processes must follow 'Privacy by Design', and the default settings must be the most privacy-protective ones: collect only what is needed, keep it only as long as needed, and expose it only to those who need it.
- Has your company reviewed its data input points for minimisation? For instance, which form fields are genuinely "required", and which stored information is outdated.
- Has your company developed data retention and deletion policies covering every kind of relevant information it stores?
- Has your company carried out Data Protection Impact Assessments (DPIAs) for high-risk processing, including processing carried out by partners and third-party service providers?
- Has your company reviewed the verification process for deleted data?
- Is your Privacy by Design process something you could share with the general public?
- Would your company’s Privacy by Design process be approved by a regulator?
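Retention and deletion policies (checklist item #8) and the verification of deleted data (#5 and #8) are only real once something enforces them. The following is an added example in Python, not the article's own code: a retention sweep that deletes records whose last activity is older than the policy for their category, keeps a tombstone without the personal data as the record of the deletion, refuses to touch records whose category has no policy, and then verifies the result. The categories, the retention periods and the sample STORE are constructed for illustration; real periods depend on the lawful basis and on national rules such as tax law for invoices.

```python
from datetime import date, timedelta

# Retention policy per data category. Hypothetical periods chosen for the
# example; the right values are a legal decision, not an engineering one.
RETENTION_DAYS = {
    "abandoned_cart": 30,
    "support_ticket": 365,
    "order": 365 * 7,
}

# Constructed sample store (not real data). Each record carries the category it
# belongs to and the date of last activity that retention is measured from.
STORE = [
    {"id": "c-1", "category": "abandoned_cart", "user_id": "u-1001", "last_activity": "2024-01-02"},
    {"id": "c-2", "category": "abandoned_cart", "user_id": "u-2002", "last_activity": "2024-02-20"},
    {"id": "t-7", "category": "support_ticket", "user_id": "u-1001", "last_activity": "2022-11-01"},
    {"id": "o-1", "category": "order", "user_id": "u-1001", "last_activity": "2019-06-15"},
    {"id": "x-9", "category": "loyalty_score", "user_id": "u-3003", "last_activity": "2015-01-01"},
]


def is_expired(record: dict, today: date) -> bool:
    """True when the record's category policy has run out as of `today`."""
    limit = timedelta(days=RETENTION_DAYS[record["category"]])
    return date.fromisoformat(record["last_activity"]) + limit < today


def sweep(store: list, today_iso: str):
    """Delete expired records from `store` in place. Returns (tombstones, unclassified).
    A tombstone records WHAT was deleted and WHY without keeping the personal
    data itself. `unclassified` lists records whose category has no policy:
    that is a gap in the retention policy, and they are deliberately kept
    rather than silently deleted or silently retained forever."""
    today = date.fromisoformat(today_iso)
    tombstones, unclassified, keep = [], [], []
    for rec in store:
        if rec["category"] not in RETENTION_DAYS:
            unclassified.append(rec["id"])
            keep.append(rec)
        elif is_expired(rec, today):
            tombstones.append({
                "id": rec["id"],
                "category": rec["category"],
                "deleted_on": today_iso,
                "reason": f"exceeded {RETENTION_DAYS[rec['category']]}-day retention",
            })
        else:
            keep.append(rec)
    store[:] = keep
    return tombstones, unclassified


def verify_sweep(store: list, tombstones: list, today_iso: str) -> list:
    """Post-deletion check: every tombstoned id is gone and nothing left in the
    store is past its retention period. Returns a list of problems (empty = ok)."""
    today = date.fromisoformat(today_iso)
    present = {r["id"] for r in store}
    problems = [f"{t['id']} still present" for t in tombstones if t["id"] in present]
    problems += [f"{r['id']} expired but retained" for r in store
                 if r["category"] in RETENTION_DAYS and is_expired(r, today)]
    return problems
```

Two design choices matter here. The tombstone deliberately omits user_id and every other field: the deletion log must prove that a record was removed without itself becoming a copy of the personal data. And an unknown category is reported rather than deleted, because a sweep that quietly deletes (or quietly keeps) data nobody has classified hides exactly the inventory gap the audit in #7 is supposed to surface. Run verify_sweep() after every sweep and treat a non-empty result as an incident, not a warning.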
#9. Have you spread awareness about privacy with employees and other stakeholders?
- Does your company understand how the GDPR applies to it, and how it carries forward and extends the earlier rules (the Data Protection Directive, implemented in the UK as the Data Protection Act 1998)?
- Was your company compliant with that earlier data protection law? Gaps under the old rules are gaps under the GDPR too.
- Has your company established a plan for GDPR awareness? Do you have an implementation plan for employees of all levels?
- Is your company board kept informed with regular updates about your GDPR implementation?
- Has your company allocated adequate resources to the GDPR implementation plan?
- Has your company discussed the GDPR plan implemented by your contractors and suppliers?
#10. Do you have a Data Protection Officer?
The GDPR requires certain organisations to appoint a Data Protection Officer (DPO): public authorities, and any organisation whose core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special categories of data. An e-commerce company that profiles shoppers at scale is likely to fall into that group; others may appoint a DPO voluntarily, and many do. The DPO oversees the company's data protection strategy and its implementation, advises on all matters relating to data usage, security and protection, trains and educates employees, and audits compliance and handles breach issues if they arise.
- Has your company determined whether it is legally required to appoint a Data Protection Officer?
- Is your company aware of the qualifications for appointing a Data Protection Officer?
- Has the company chosen a Data Protection Officer who is easily accessible to staff, customers and the regulator? (An external DPO is permitted, but must be reachable.)
- Does your company maintain a list of requirements to hire a Data Protection Officer?
- Is your company prepared to let the Data Protection Officer report directly to the highest level of management and act independently, without instructions on how to carry out the role?
#11. Do you have a plan ready in case of a data breach?
Data breaches are a cause for concern, especially for e-commerce enterprises. The GDPR requires companies to report a personal data breach to the supervisory authority within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals' rights and freedoms. If the breach is likely to result in a high risk to individuals, they must be informed without undue delay. Every breach must be recorded internally, regardless of whether it is reported.
- Does your company audit systems and processes to avert potential data breach issues?
- Is your company aware of the criteria for a reportable breach, and of the higher "high-risk" threshold that requires notifying the affected individuals?
- Has your company created a template for GDPR’s data breach reporting requirements?
- Does your company conduct a postmortem of each breach it has suffered?
- Does your company have an internal reporting system in place to report potential data breaches?
- Is there a provision for staff who wish to report a potential issue of a data breach, either technical or human, without fear of retribution?
If you run an e-commerce company, this guide should help you understand what the GDPR means for e-commerce businesses and what it demands of them.
The GDPR gives individuals real control over their personal data and sets clear obligations for the companies that process it; it is a significant step up from the Data Protection Directive it replaced. The regulation is still not completely understood by everyone, and this guide should help you plan and implement a GDPR compliance strategy for your e-commerce business.