
GDPR and eCommerce

What is GDPR?

On 14 April 2016 the EU Parliament approved the General Data Protection Regulation (GDPR) after four years of planning and preparation. The new regulation goes into effect on 25 May 2018, after a two-year transition period.

The new regulation has been put in place in order to give individuals more rights over their personal information, and to provide a fully harmonised, single data protection regime across the European Union. GDPR will replace the Data Protection Directive from 1995, which, according to policy makers, has become outdated and irrelevant.

Key changes

Under GDPR, the rules for data protection will be much stricter, with more severe penalties for non-compliance.

The key changes are:

The right to access your data
Under GDPR individuals have the right to obtain information from organisations regarding whether their data is being collected and for what purpose. Organisations must provide this data free of charge upon request.

The right to be forgotten
Individuals have the right to request that organisations erase their personal data if the data is no longer relevant for the purpose it was collected for.

Clear and affirmative consent
Individuals must explicitly consent to their data being collected. The request for consent should be in an intelligible and easily accessible form, and the subjects must be able to withdraw their consent as easily as give it.

The right to be notified in case of a data breach
If personal data has been compromised, organisations are required to notify authorities within 72 hours. They must also notify their customers without unnecessary delay.

Privacy by design
Under GDPR, privacy becomes the default setting. This means that data protection must be built into the design of information systems from the beginning, rather than added on afterwards. Furthermore, organisations must only collect personal information when it’s absolutely necessary and must be able to demonstrate that they have measures in place to safeguard such data.

Data Protection Officers
Organisations that systematically collect personal data on a large scale are required to appoint a dedicated Data Protection Officer (DPO) whose role is to oversee compliance with the GDPR. This must be someone with expert level knowledge of data protection and GDPR.

Stronger enforcement and harsher penalties for non-compliance
Non-compliant organisations can be fined up to 4% of annual global turnover or 20 million euros (whichever is greater).

What does GDPR mean for eCommerce?

All businesses that deal with customers located within the EU must comply with the law, and this likely means making changes to the way they collect, store and use personal information.

In other words, any ecommerce retailer that collects data on its customers, whether it’s loyalty cards, email newsletter subscriptions or credit card details, is required to prove that it’s protecting this data in compliance with the new rules.

The good news is that the new data regulation can increase consumer trust in the digital economy by giving customers peace of mind that their private data is being protected. On a wider scale, this is likely to have a beneficial effect on European ecommerce.

One obvious concern for small business owners has revolved around the requirement to appoint a dedicated Data Protection Officer to oversee compliance. However, SMEs with fewer than 250 employees are not required to do this where data processing is not their main business activity.

One thing is very clear: every business needs a GDPR strategy, and if yours doesn’t already have one, you would do very well to get up to speed. In the long run though, it’s likely to be a matter of “short term pain for long term gain”.

Finally, Accolade’s own modules, such as our Bttn and Glome Magento modules, are fully compliant with GDPR. Since they collect and store no personal details, they already have privacy by design built in.

© 2017 Accolade Ltd. All Rights Reserved.