The EU General Data Protection Regulation (EU GDPR) is set to take effect on 25th May 2018. Is your business ready for this?
The GDPR places significant legal responsibilities on businesses or organisations that collect, store or process data. A major aim is to protect the personal data of every EU citizen.
On 14th April 2016 the EU approved the Data Protection Regulation with full compliance being required about two years later on 28th May 2018.
To ensure these regulations are implemented, any business or organisation in breach of them can be fined up to 4% of annual turnover.
The aim of the General Data Protection Regulations
These new regulations cover many different aspects of data protection, but the key aspects are:
- All people will have a right to know what personal data is stored, and how their data is processed.
- If there is personal data within search engines, there will be an increased right “to be forgotten” and to request that the data be removed from search engine results.
- If data is hacked or disclosed, everyone who could have been impacted will have the right to know as soon as possible after the event.
- Any new technology or systems will need to provide data protection by design and by default.
- Data portability will make it easier to transfer data between different service providers.
- One set of EU-wide data protection standards instead of 28 separate national sets.
Is this relevant post Brexit?
According to the UK Government, yes.
The UK government has made it clear that GDPR will affect UK businesses and any organisations that process, manage or store consumer data, and that GDPR will remain the benchmark for data handling and privacy for many years.
Implications for eCommerce websites
Businesses or organisations with eCommerce websites have several major areas to consider:
- How customer account data is stored and how it is processed.
- How payment data is collected and transferred to a payment service provider, and the ability to show that any third parties involved are complying with GDPR.
- Whether any other third parties (such as hosting companies, marketing agencies and third-party marketing analysis systems) are complying with GDPR.
- An efficient means of extracting a customer's data quickly if they request access to it.
- The ability to delete personal data if requested to do so.
- Any current use of customer profiling, whether it will still be legitimate after 28th May 2018, and the ability to remove any customer from any profiling activity.
What has been happening so far to prepare for this?
Many of the key service providers have already done significant work to ensure organisations can comply with this.
For example, some of the Payment Service Providers we work with have significantly updated their methods of handling credit card or payment details, and are requiring all their existing clients to upgrade to more secure methods.
New development undertaken by ExtraDigital has taken the GDPR on board by using HTTPS instead of HTTP, careful database design, and consideration of the types of data collected.
It appears that the “technology” is progressing well to meet the May 2018 deadline. This is because it is profitable to do so: providing a more secure, better structured platform gives a better customer experience.
A more interesting question remains with the marketing use of personal profiling, as this currently gives many companies a big competitive advantage through increased sales. From a business perspective, leaving this change to the last minute makes a lot of sense.