The European Union's General Data Protection Regulation (GDPR) is to take effect from 25th May, most people think this comes as a response to recent scandals such as the Cambridge Analytica. However, it is a mere coincidence as this has been in the works for the past 4 years.
Essence of GDPR
GDPR, at its core, has upset the balance when it comes to data and privacy of individuals. Let us say, it's BooHoo Corporations and Yeehaw Consumers! Previously, the companies who collected personal data of individuals were viewed as the owners of that data set, however, GDPR makes it the individuals property.
Digital rights for EU citizens
As we go into the future where personal data is becoming of increased economic and marketing value, GDPR has brought EU citizens digital rights. It makes things much more clear in terms of:
Who collects their information and what information is collected.
A right to be forgotten, if they want, their data can be removed from a company's databases.
Improved data protection practices with customers consent and privacy getting the priority.
Changes under GDPR
It is not just data compliance, GDPR is changing the way businesses operate. It is time companies update their personal terms of service. Businesses will be restricted from accessing and using individuals private data unless the individual decides otherwise. Empowering individuals to take control of their data! The way companies interact with consumers will be under constant scrutiny.
There is a new obligation on companies to notify the relevant authorities in case of any personal data breach that is likely to result in a risk to the rights and freedoms of individuals, moreover, the notifications must be made without undue delay (within 72 hours of the event discovery where possible).
Companies based outside the EU
GDPR also takes into account the export of personal data outside the EU, meaning EU residents across the globe are protected. Any business or organization (regardless of whether or not they physically operates in European Union countries) that processes or stores the data of EU residents are subject to GDPR rules and regulations.
Failure to Comply
Companies can be fined up to €20,000,000 or 4% of their worldwide annual revenue from the previous financial year, whichever is greater! So the stakes are high for businesses to make sure their terms and conditions fall within the guidelines set by GDPR.
Legal Grounds to Process Personal Data
If you process personal data from visitors or customers coming on your Online Store, an important question to ask yourself is; Do you have a valid lawful basis to process personal data?
The GDPR lays down 6 grounds for the lawful processing of data. To fall within GDPR one must meet At Least 1 of the 6, depending on the purpose and activity for which the data will be processed. Your privacy notice should include your lawful basis for processing as well as the purposes of the processing.
Has the subject given consent for his/her personal data to be processed in an activity for one or more specific purposes. Note that Purpose is important here, the consent must be given in relation to “one or more specific” purposes.
In most cases, it is likely one can’t enter into any contractual relationship without first providing personal data, depending on the nature of the contract. Hence, contractual necessity is a basis for the personal data being processed.
If you have a legal duty for which specific personal data needs to be processed, then processing is permitted. The requirements to comply with a legal obligation can be a ground for processing personal data.
This refers to any 'life-threatening circumstances' where there is no other legal ground for processing, but in case of not processing personal data, would mean that someone would die. Hence, you need to know a few things about the 'natural person' who is in danger.
The public interest remains a ground for processing date, the public interest can mean, among other things, performing many possible public tasks (for example taxes) you have as a public authority, which requires personal data processing in accordance with legal obligations and other data processing operations which are seen as being of public interest.
Even before GDPR, Legitimate interest (For example: To Prevent Fraud) was a lawful basis for processing personal data. GDPR adds to it is in the form of stipulations when it does NOT apply, so the Article 6 states that processing is necessary for the purposes of the legitimate interests pursued by the controller (in this case; Your Online Store) or by a third party.
Read details about Legal Grounds to Process Personal Data.
Checklist for GDPR
To help you out, we have created a checklist consisting of some important steps you can take to prepare for GDPR. However, please keep in mind that these are only our recommendations!
Data Storage & Customer Erasure Request
- Are you collecting data from customers in Europe?
- What type of information have you been gathering from visitors and customers?
- Create a strategy for incoming requests to access, change or remove previously stored data. This can involve removing emails and IP addresses saved on your logs.
- Check if the customer’s consent is recorded and stored somewhere.
- Review your data collection policies and identify the points where you are making contact with the customer.
- Check the 6 legal grounds for the lawfulness of personal data processing. AT LEAST 1 of the 6 legal grounds should apply.
- Are you collecting the information fairly, is there a pre-opt-in option there, do you clearly define the reason you require a certain personal information.
- If any of your visitors/customers are under the age of 16, do they have to get parental consent before processing their data?
- Mention clearly on what grounds you are collecting and processing data.
- The policy should be in plain words and easily understandable.
- Is it publically accessible? if you want information there should be a lawful reason stated there as to why so.
Documentation and Notifications
- There must be documentation available for visitors and customers on your online store where they can read about the changes you have made to fit with GDPR.
- Do you have security notification procedures in place to ensure you meet your enhanced reporting obligations under the GDPR in case of a data breach in a timely manner?
- Check if your business is using third-party apps for support services.
- In cases where your third-party vendors are processing personal data on your behalf, have you ensured your contracts with them have been updated to include those same processor requirements under the GDPR?
Changes Made By Jumpseller
We’ve been working hard preparing for the GDPR for a while. The main highlights are:
- Our data retention policies and processes were updated to fall within the limits of the law;
- Internal processes have been created to respond to data requests;
- Updated our Google Analytics integration to anonymize IPs and not pass any personal data;
- Within the order and customer sections of Jumpseller stores, new methods were added for exporting personal data;
- When deleting a customer, a new option was added to delete all their personal data from the store;
- Published informative material to help merchants meet the standards demanded by GDPR.
Every business is different, to be on the safe side, it would be a good decision to consult with a lawyer or even hire a Data Protection Officer.
Because I host my business on Jumpseller, does that mean by default, my business complies with GDPR?
No, using Jumpseller does not automatically make your online store GDPR compliant. While the operations of Jumpseller will meet the GDPR, and Jumpseller will provide tools to help you comply, it is the responsibility of each store owner/merchant to ensure that their business is compliant with the laws of the jurisdiction where it operates.
Does processing data of EU personnel always require the consent of the data subject?
In one word, No. As mentioned in the Legal Grounds to Process Personal Data section above, consent is just one of the legal bases that can be used for the processing of personal data. For example, personal data can also be processed:
When necessary for the performance of a contract to which the data subject is a party;
When an organization has a legal obligation to do so (such as the submission of employee data to a tax authority); and
Under an organization’s legitimate interests which may include commercial and marketing goals. The legitimate interest must not, however, override the data subject’s rights and interests.