GDPR E-commerce And How It Affects Data Protection
Do you know what the GDPR says for e-commerce?
Are you sure you comply?
The GDPR, which came into force in May 2018, clarifies the processing of personal and sensitive data of individuals who browse online and register on websites and e-commerce. In this case, those who have an online shop must know that there are exact rules regarding the regulation. Let’s see which ones.
Table of Contents
All data processors and sub-processors must comply with the General Data Protection Regulation.
The General Data Protection Regulation includes all personal data held by your organization and your third-party agents.
The General Data Protection Regulation does not prevail over other laws. For example, if you need to keep personal data to justify charging VAT, you must keep it for tax compliance.
The tax topic in the e-commerce sector is quite complicated, and many parameters and regulations have been modified with the new regulations. This is why it is fundamental to contact a professional who can guide you in the correct direction to obtain clear, timely and correct information.
So, what should I do to comply with the GDPR for my e-commerce?
Appoint a staff member who will be responsible for Data Protection. Receive data protection training and certification. Generally, this is a figure who is part of the Board of Directors, as he will require indemnity insurance to cover this role’s liability.
- Include a General Data Protection Regulation compliance line;
- Specify what information you collect and store from visitors to your website. (For example, IP addresses, device information, login information, cookies, length and tracking of visits, mouse and cursor actions, email, phone, name, address and billing addresses);
- Specify who has access to this personal data. (For example, you, MailChimp, Google, Salesforce, etc.);
- Specify the contact details of the data protection officer assigned by your organization;
- Specifies how interested parties submit a request for access to data;
- Specify how long you keep personal information.
2 – Remove all automatic opt-ins on your site
In online forms, all boxes must be blank. An empty box cannot lead to acceptance.
3 – Collect only the information you need to run your business
“If you don’t have the information, you don’t need to protect it.”
Delete personal information that you no longer use and that is stored on servers, excel sheets, etc., including emails with file attachments that contain personal information.
Keep only one version of personal information. You can keep copies only for backup and restore, up to a maximum of 4 backups. If you keep more, the possession must be justified. The location of backups must be recorded in data verification.
In case you may use it in the future, the collection of additional information is unlawful. Personal information that you do not need to use should be deleted.
4 – Record and preventatively manage all data breaches
Examples of data breaches:
- Personal information transmitted to or in the possession of an unauthorized data processor or sub-processor.
- Transmission of personal data to a country that does not comply with the General Data Protection Regulation.
- Transmission of personal data to third parties without the knowledge of the interested party.
- Personal information was disclosed following a cyber attack on a website.
5 – Create a data breach procedure and plan
“An incorrectly handled data breach can cause immeasurable damage to your brand.”
Create an action plan and experiment with worst-case scenarios to test your plan.
6 – Create a plan for those seeking a copy of their personal data. (Requests for access to data by interested parties)
“I have received a request from someone who wants to access all their data; what should I do?”
- Verify the subject’s identity;
- Make sure you have the data before processing the request; if you don’t have any data, reply: “I don’t have the data.”;
- Do not generate any more personal data when executing the request;
- Process the request;
- Record it in your data audit log;
- Do not reveal other people’s personal data. That is, the details of orders from the e-commerce site where the customer’s name does not match that of the requester;
- Process it within 20 days.
7 – Update your agreements, nondisclosure agreement and privacy policies on your website
All staff must have signed the confidentiality agreement and training on data protection awareness activities. A good general rule is to include all staff, even those who do not have direct access to personal information, in the normal course of their duties.
All customer contracts must be updated with a General Data Protection Regulation clause.
We answer some common questions about GDPR.
Arranging all the documentation according to the GDPR does seem like a lot of extra work for an entrepreneur.
This is a good opportunity to do some data cleansing and make sure all sub-processors are bona fide and that you have valid contracts with your clients.
This only applies to large companies; they will never control a small company.
Wrong!! The Data Protection Commissioner may not monitor you at this time but will always be able to do so at any time in the future. When you suffer a data breach, you must report it to the Office of the Personal Data Protection Commissioner. Not doing so is illegal. You could be sued for failing to protect personal data properly. If anomalies were to emerge during your processes, you would be required to pay heavy fines and be penalized for the loss of reputation and, consequently, the reduction in business volume. (Google “building trust” and see what a data breach would do, even several years after the event.)
What can you no longer do?
- You may not send unwanted emails to anyone: no more purchased lists or merged lists of different companies into other lists.
- You cannot refuse to provide customers with their personal details upon request.
- You cannot send unwanted text messages via mobile numbers.
This is a brief summary of the General Data Protection Regulation from an e-commerce perspective. It is recommended to have a person within the organization who is Data Protection Certified.
Do a data check. Record the location of all personal data stored in your company. Maintain an updated list/record for inspection and control. This will become the source of data requests in the future.
- Create a data breach plan.
- Conduct a data risk assessment.
- Run a data breach dress rehearsal.
- Update your policies and contracts to include compliance with the General Data Protection Regulation.
- Create a system within your organization dedicated to processing individual requests for personal information.
Also Read : Read Google Analytics KPIs for E-commerce