The GDPR, i.e., the General Data Protection Regulation, has been in operation for over half a year. Still, the debate surrounding this subject remains alive. This article deals with the essential rules of the GDPR.
What should you do to adapt the store to its requirements? What exactly is it? Whom will it cover?
The GDPR is a collection of provisions on the protection, gathering, and processing of personal data of users (and, therefore, our existing or potential clients) introduced throughout the European Union.
The Regulation applies to every entrepreneur providing services to private (natural) individuals throughout the European Union. So if you offer your services to a “Smith,” we encourage you to read the article.
General assumptions behind the GDPR
Contrary to its reputation and the length of the document, the GDPR is not very detailed and does not specify technical requirements. Its primary assumption is to impose on entrepreneurs (including e-commerce) the obligation to inform users about the data the entrepreneurs collect and the way they process the data. It also stipulates that entrepreneurs must notify users about the possibilities and means of deleting personal data from the databases. Moreover, users must be able to express marketing consents and consent to the transfer of their data to third parties.
Importantly, if the existing privacy policy did not meet the requirements of the GDPR, the business will need to obtain consent anew from the customers already in its database. A way of doing this is by sending an email or displaying a pop-up on the site.
In addition, since May 2018, a consent form must use language understandable to the average citizen, and giving consent must be a conscious act.
What to change in the site rules and marketing consents?
The changes primarily cover the site rules and consent phrases that appear under the forms. The owners have to modify the existing text. Although consultation with a lawyer is not mandatory, it is worth considering. The following information should appear in the amended rules:
- types of personal data collected,
- details on the administrator of data,
- the purpose for which personal data are collected,
- that it is possible to delete and modify personal data,
- how to report a personal data breach,
- information on user segmentation.
In addition, the owner of a site must make sure that the rules are written so that they are simple and understandable for each user. In other words, owners must avoid complicated legal jargon.
However, it is not the only issue requiring legal support: there are also the consent forms. It is worth remembering that marketing consent and consent to the processing of personal data cannot be mandatory and must be independent. Also, it would be best to forgo the “select all” box. According to the regulations, the user must consent to them consciously, and the consent must be explicit and specific. Thus, they cannot be selected by default.
Additional collection of personal data
The GDPR introduces another meaningful change, namely the principle of “privacy by default.” It means that it is only possible to collect data required to provide services or perform transactions. Thus, it is not possible to gather any unnecessary additional data. For example, an online store that wants to send newsletters and collects data using the subscription form should not require a zip code. However, if this store has regional branches or the offer varies depending on the region, then collecting zip codes is justified.
Third-party processing of data
An entrepreneur may process personal data in two different ways: independently (a data controller) or by outsourcing this task to external entities (an entity processing personal data, a data processor).
A data controller is an entity that decides about the purposes and methods of data processing. In other words, a data controller determines for what purpose and how to use personal data. It is always a company or a specific business entity.
An entity processing personal data does not determine the purposes or means of data processing. This company should have an appropriate agreement with the data controller, the so-called entrustment agreement, which stipulates the rules for the processing of the entrusted data.
Record of Infringements and Personal Data Inspector
Since May 2018, the employment or appointment of a Personal Data Inspector is recommended or, in some cases, required. The obligation applies to public organizations, companies specializing in the collection and processing of personal data, and enterprises processing confidential data, e.g., regarding past diseases. This means that, in general, e-commerce businesses are not subject to this obligation.
Unfortunately, the GDPR imposes another unpleasant obligation on entrepreneurs, namely keeping a record of infringements that should include all incidents that have violated the security of personal data. If such an incident occurs, it is necessary to formally notify the Inspector General for the Protection of Personal Data. Also, it is mandatory to inform the affected users: the information must be given to them within 72 hours of the occurrence.
GDPR-related consequences and penalties
The GDPR also authorizes the Inspector General for the Protection of Personal Data to impose penalties. These may be extremely severe, reaching up to 20 million euros or 4% of the company’s total annual global turnover from the previous year, whichever amount is higher.