08.04.2018 17:07

What will GDPR mean for you?


In case you haven’t heard yet, the new EU privacy regulation known as the General Data Protection Regulation (GDPR) becomes enforceable on 25 May 2018. This directive lays down rules relating to the processing of your customers’ personal data and is therefore closely related to the field of your business: e-commerce and online marketing.

Let’s start from the beginning: what is GDPR? And whom does it affect?

This directive is the most comprehensive amendment and regulation with regard to any processing of personal data. It therefore affects practically all legal persons that use information relating to an identified or identifiable natural person: employers, brick-and-mortar retailers and online shops alike. In short, it affects everyone who works with the personal data of EU citizens. The regulation introduces a number of new terms, rights for citizens and an obligation for legal entities to honour these rights.

Thus you should pay attention not only if you run an online shop, but also if you have a content-only CMS website with a contact form where customers enter their personal details.

On the other hand, the upcoming changes are no reason to panic. Many of the data protection measures have been in place for a long time already, and the new directive just builds on them. Basically, the changes should be of particular interest to you if you use your customers’ personal data beyond the scope of fulfilling an order (marketing, newsletters, advertisement placement, etc.), or if up until now you haven’t really thought about where, and which, personal data of your customers you keep.

Which terms and rights does GDPR introduce for my customers?

From the perspective of an online shop the following new terms are of particular interest:

  1. Right of access by the data subject
  2. Right to rectification
  3. Right to erasure – excluding information that must be kept for bookkeeping purposes by law (laws differ between countries)
  4. Right to be forgotten
  5. Right to restriction of processing
  6. Right to data portability
  7. Right to object

If your customer requests any of the above, you must comply; otherwise you risk a considerable fine.

So much for the official part. Let us have a look at ways to translate this into practice.

What do I need to do?

It all comes down to how you are used to processing the personal data of your customers. It is imperative to focus on the individual processes and revise them in order to avoid fines. Although data protection has not been completely out of sight up until now, some of the individual points of the new directive might require action on your part. In short, if one of your customers requests a list of all the personal details you have saved about them, or requests their deletion, you will have to meet that request.

In simple terms, based on the available information that we have analysed, we would recommend the following: undertake all the necessary measures so that your customers have no legitimate reason to lodge a complaint relating to the processing of their personal data.
At the same time, be prepared for the customer to claim their rights at any time.

What concrete steps do we recommend?

  1. Appoint a person inside your organization who is responsible for data protection. This employee should prepare an overview of how you process personal data. Because every company has different processes, only you, from inside your company, can gather an appropriate notion of what to pay attention to. Get straight what you use your customers’ personal data for. Is it just to process the order, or do you distribute marketing newsletters with offers? What information do you request from your customers, and for what purpose? Do you save only personal details such as phone number and email, or do you also process technical data, such as the IP address? It is important to have a clear overview of this.
  2. All personal details of your customers should be saved in a well-organised manner so that you can access them easily.
  3. Read through the Privacy Policy on your website or create this section if you don’t have it yet. If you only give basic information in your Privacy Policy, you should extend it to cover all the needed details. What should such a text contain?
    • For what purposes you use your customer’s personal data
    • Where it is saved
    • How long you save it
    • Which external tools you use that process personal data – these could be social networks or mailing tools for the distribution of newsletters
  4. If you want to use customer information beyond what is absolutely necessary, from 25 May 2018 onwards you will require explicit consent from the customer. If you haven’t had a check box for consent to the processing of personal data for marketing purposes during checkout, when sending messages through the contact form or at customer registration, but have nevertheless been sending newsletters and other mass emails to customers, beware. We strongly advise adding such a check box to your website, whilst such an agreement must not be a requirement for completing an order. In simple terms, customers must explicitly agree to any use of their e-mail, phone number or other personal details. This also gives you a guarantee that if a customer lodges a complaint, you will have proof that they agreed to such use of their personal data.
  5. This point is related to the previous one: Note that the consent for processing of personal data for any purpose other than completing the order must not be a part of the General Terms and Conditions. Many online shops simply put a note saying that by completing the order you agree to the Terms and Conditions – this is not an explicit approval. There must be a separate check box for this!
  6. If you detect a personal data breach, you must report the incident to the respective supervisory authority immediately and at the latest within 72 hours.
  7. Finally, please note that these bullet points are just a general summary of GDPR as we understand it. They should act as a first step towards understanding the upcoming regulation. It is, however, impossible to cover every specific of all web applications, and we recommend consulting a legal specialist on how GDPR applies to your particular situation.
