GDPR & What It Means for E-commerce Businesses


Trust is vital in customer-business relationships. Transparency and security grow in importance as personal information spreads across industries, businesses and geographic borders. Data breaches and improper use of personal data are a fast way to lose that trust. The European Union (EU) replaced the Data Protection Directive 95/46/EC with the General Data Protection Regulation (GDPR), applicable from 25 May 2018, to hold companies more accountable and give people more control over their personal information.

GDPR requires more than a change in policy. It requires a proper security framework, a lawful basis for every processing activity (explicit, active consent where consent is the basis relied on), and precise procedures and policies for handling a data breach.

The official text is available in the EU's official languages at eur-lex.europa.eu. It is a lengthy document, so here are some key points to help you understand it and begin the journey toward GDPR compliance.

Who. What. When.
All businesses established in the EU, and any business outside the EU that offers goods or services to people in the EU or monitors their behaviour, must comply with the GDPR. Protection attaches to where the data subject is, not to citizenship, which makes the regulation effectively a global data protection law for any e-commerce site serving EU customers.

GDPR's major points of action include ensuring that privacy policies are explicit, clear, and understandable — leaving no room for misunderstanding.

Where consent is the lawful basis for processing, it must be freely given, specific, informed and unambiguous, and shown by a clear affirmative action. A Data Protection Officer is mandatory for public authorities and for any organisation whose core activities involve regular and systematic monitoring of individuals on a large scale or large-scale processing of special categories of data (Article 37); the requirement is not tied to a head count. A personal data breach must be reported to the supervisory authority within 72 hours of the business becoming aware of it, and affected customers must be told without undue delay when the breach is likely to put them at high risk, so the business needs the logging and monitoring to detect such breaches in the first place.
May 25, 2018 was the official compliance date in the EU. Since that date has passed, any outstanding changes to policies, security frameworks and procedures should be made immediately. Non-compliance, whether by an EU entity or by any business with customers in the EU, can be fined up to 20 million euros or 4% of annual worldwide turnover, whichever is higher. A fine of that size can be fatal to a small business.
Andrii Tymoshenko
CSMO
Personal Data
Personal data is defined by the GDPR (Article 4(1)) as "any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person." In other words, anything that can be tied back to a specific individual, on its own or combined with other data.

This includes:

  • Name
  • Photo
  • Email address
  • Social media posts
  • Bank details
  • Medical information
  • IP addresses
Clear & Concise Policies
Privacy policies are now required to be more clear and concise, leaving no room for misunderstanding for ordinary customers. No longer can convoluted or complex legal writing pass the cut. Terms and conditions must be transparent, coherent, and user-friendly.

Consent
Before a company can collect, store and use personal data it needs a lawful basis. For e-commerce the two that matter most are consent and processing that is necessary to fulfil a contract with the customer, such as shipping an order. Where consent is relied on it must be explicit and active: pre-ticked boxes, silence or inactivity do not count. The privacy policy must clearly state what personal data is collected, when and how it is used, and for how long it is retained.

Customers have the right to withdraw consent at any time, for any reason, and withdrawing must be as easy as giving it. Companies must also honour the right to erasure: when a customer asks for deletion, the data must be removed from every location where it is stored, including copies held by processors and third parties it was shared with, unless a legal obligation requires keeping it (for example, tax records for completed orders).

Appoint a DPO when required
Public authorities, and organisations whose core activities involve regular and systematic monitoring of individuals on a large scale or large-scale processing of special categories of data, must appoint a Data Protection Officer (DPO). The GDPR sets no employee threshold for this; an online shop that profiles or tracks customers at scale may need a DPO regardless of its size. The DPO advises on and monitors the company's collection, storage and use of personal data, and acts as the contact point for the supervisory authority. Regular and systematic monitoring is necessary to ensure everything stays up to date and in compliance with the GDPR.

Assess the data protection impact
Before starting any processing that is likely to result in a high risk to individuals (for example large-scale profiling, or processing of health or other special-category data), perform a Data Protection Impact Assessment (DPIA). It describes the processing, assesses its necessity and proportionality, and identifies the risks to individuals and the measures that will mitigate them.

Auditing the processes and procedures in place prior to beginning a project can help prepare and prevent a personal data crisis situation.

Ensure compliance with laws and regulations and carefully evaluate the risks, effects, protection and solutions.

Breached? Report it ASAP
Under Article 33 of the GDPR, a company has 72 hours from becoming aware of a personal data breach to report it to the supervisory authority, unless the breach is unlikely to result in a risk to individuals; if it is likely to pose a high risk, the affected individuals must also be informed without undue delay. This means businesses need the technology and procedures to detect compromises and to establish quickly what data was affected and whose: logging, monitoring and a tested incident response process. This is one of the stricter sections of the GDPR, so changes in policy and staff training may be required to stay compliant.

Non-compliance
The EU is not joking around with GDPR. The most serious infringements can result in fines of up to 20 million euros or 4 percent of a company's annual worldwide turnover, whichever is higher. Compliance is mandatory.

A lower tier of fines, up to 10 million euros or 2 percent of annual worldwide turnover, applies to infringements such as failing to keep proper records of processing, failing to notify a breach, or failing to appoint a DPO when one is required. All fines are assessed case by case, according to the nature, gravity and duration of the infringement.

Avoid these massive fines by quickly and properly aligning your policies, procedures and workplace practices with GDPR standards.

Next steps
The best place to start is to focus on areas of highest risk, such as large-scale processing of sensitive data. Utilize the company's legal counsel and refer to them when questions arise. Start here and move forward.

Simply put, the GDPR is about giving people more rights over, and security for, their personal data, and holding companies more accountable for how they collect, store and use it. Taking these steps and continually evaluating compliance is critical, and it will also help businesses build transparency and trust.
