GDPR - 4 letters that have created a lot of hype. Amid all the Brexit discussions, the government made it clear at an early stage that the General Data Protection Regulation would be implemented into UK law. So what do you need to know about the GDPR and staying compliant?
What is the GDPR?
The EU General Data Protection Regulation was adopted in May 2016 and has been directly applicable in all EU member states since May 25, 2018. The aim is to create a more harmonised level playing field regarding data protection. It is the major update for the digital age, since the UK data protection rules it replaces are based on the EU Data Protection Directive of 1995.
A step rather than a revolution
For those who have been compliant with previous data protection rules, the GDPR is not a drastic change. It is more of a step than a revolution. However, the deadline has passed and businesses should already be compliant, so if you haven’t yet taken the necessary steps, it is high time. People now have new rights to access information that companies hold about them, and companies are obliged to manage their data better. Also, there are new fines (more on that below). In the UK, the ICO remains the data protection regulator.
Why care about GDPR after Brexit?
It is important to reiterate that the GDPR will still be relevant even after Brexit is completed.
Firstly, the new regulation came into effect while the UK is still part of the EU. The GDPR is a regulation and therefore directly applicable in UK national law, as opposed to a directive, which would need to be implemented by UK lawmakers into national law. The regulation is already enforceable by itself.
Secondly, the British government began work on a new Data Protection Bill in August 2017. The new bill will adopt most of the GDPR rules in order to facilitate continued smooth trade with the EU after Brexit.
Thirdly, GDPR states that any organisation processing EU citizens’ data will need to comply with GDPR, no matter where they are based. So, even with a new Data Protection Bill, UK retailers will need to comply with GDPR rules if they want to trade with EU customers.
Having said this, it is critically important for everybody with business in the EU to pay close attention to the changes post Brexit.
To help you get a better understanding of what has changed, we’ve put together a list of 7 things to know about the GDPR:
1. What is personal data?
To comply with data protection regulations, it is important to know which data it protects.
The GDPR works with a new and different definition of the term “personal data”. Under the GDPR, all data that could be used to identify an individual can be considered personal data and, as such, be subject to the GDPR.
This includes any information related to a natural person or ‘Data Subject’ that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.
2. Data breach notifications
One of the reasons why data protection regulations are much needed is to prevent data breaches.
Yet even the best regulations cannot eradicate the possibility of a breach. All they can do is require certain processes so that the situation is handled as well as possible once a breach does occur.
Thus, the GDPR requires organisations that experience a data security breach to immediately notify the competent supervisory authority (in accordance with Article 55 GDPR) and also the data subjects whose data has been affected. The competent authority in the UK is the ICO.
This notification must occur within 72 hours of having first become aware of the breach.
3. Data Protection Officer (DPO)
Under Article 37 of the GDPR, data protection officers must be appointed within a company where the core activities of the controller or the processor involve “regular and systematic monitoring of data subjects on a large scale” or where the entity conducts large-scale processing of “special categories of personal data” (such as that revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, and the like, defined in Article 9).
While Article 37 does not state the exact credentials that are required for a DPO, it does say that he or she shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39.
4. Consent
Consent is crucial when it comes to the controlling and/or processing of personal data.
This is why the GDPR has raised the bar on what it means to give consent. Companies will now have to be very clear in the way they acquire their customers’ consent to use their personal data.
It will no longer be possible to use long and illegible terms and conditions to obtain customers’ consent for using their data. Consent must be unambiguous. It must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, with the purpose of the data processing attached to that consent, and it must use clear and plain language.
Consent must be as easy to withdraw as it is to give it.
However, requirements for consent are not the same in every case.
Explicit consent – meaning nothing short of “opt-in” – is only required for processing sensitive personal data. In other cases, “unambiguous consent” will suffice.
5. The right to be forgotten
Under the new regulation, every EU resident will have the right to request deletion of personal data from businesses where one of the criteria in Art. 17 applies.
The business will then not only have to erase any and all copies of, or links to, the personal data where the data subject withdraws consent, but will also need to be able to present proof of the deletion.
This deletion of personal data will also have to occur in a timely fashion. So you are advised to review your procedures for handling requests for erasure, to ensure you can comply with such requests wholly, correctly and quickly.
6. Record keeping
According to Article 30, organisations must keep detailed records of their own processing activities. This includes information such as the reasons for processing, a description of the categories of data subjects and personal data, the categories of recipients to whom personal data is disclosed, the time limits for erasure and a description of the security measures taken.
The GDPR states that only enterprises with 250 or more employees have to keep a record of processing activities.
This can, however, also apply to smaller enterprises. If the processing is likely to result in a risk to the rights of affected employees, or the processing is not occasional, or it includes special categories of data (Article 9 (1) GDPR), the obligation to keep records holds for smaller enterprises, too.
Therefore, many small and medium-sized enterprises will also be obliged to keep the records.
Another novelty is that the GDPR no longer distinguishes between internal and external records. There is now only one kind of record: the internal record. Upon request, it has to be made available to the supervisory authorities.
7. Penalties
Lastly, you should know why it is so important for you to comply with the GDPR: if you don’t, you might face some hefty penalties.
Some have even questioned the scale of the penalties, worrying about the potentially catastrophic impact they might have on smaller businesses.
Maximum fines can be up to 4% of global annual turnover or €20 Million, whichever is higher. Those figures are reserved for the most severe of infringements of the GDPR, like not having sufficient customer consent for processing data.
There are different tiers depending on the gravity of the offence.
Tier 1 is for the “less serious” breaches, such as administrative failures in record-keeping. But even those “less serious” breaches can cost businesses up to 2% of global turnover or €10 million.
Tier 2 is for failures categorised as “serious”, such as a breach of basic data-protection principles. In those cases the aforementioned maximum penalty can be imposed.
For a look at some of the most frequently asked questions about the GDPR, we’ve created a free whitepaper for you to see what our legal experts have to say!
What Elements You Should Check for Compliance with the GDPR
The General Data Protection Regulation (GDPR) imposes various requirements on online retailers in order to protect the personal data of consumers. Cookies, contact forms, subscriptions to your newsletter – these are just a few points you should check to make sure your online shop is compliant with the new regulation. Here is an overview of the most important areas you need to consider.
Balancing of interests for cookies
Everyone loves cookies, at least for dunking them in their coffee. For cookies on a website, however, things are not as clear. Website cookies are small text files that are temporarily stored in the browser of the user’s end device. They record information that may include personal data, such as the user’s IP address. Data is stored to make user analysis and recognition possible.
Within the scope of the GDPR, cookies are generally considered personal data. However, a balancing exercise is performed between the online retailer’s interests and the protection of the consumer’s personal data.
Encryption for contact forms
Forms that request user data, including contact forms, must be encrypted without exception. Moreover, site operators must clearly mark mandatory fields so that only the data that is necessary for the registration is required.
Do not install social media plugins directly on your website
Social media plugins enable customers to share the products they’ve just ordered on social networks like Facebook, Twitter & Co. Due to the automatic data transfer to the respective service providers, the user's consent to the plugins is also required. Since this is difficult to obtain, systems to prevent automatic data transmission like Shariff or the two-click solution have become more popular.
In general, the principle of consent continues to apply under the GDPR. However, according to art. 7, section 1, the site operator must also be able to prove that consent exists. This is difficult to implement, which is why it is recommended to check how many users use the plugin buttons at all and remove them completely from your site if necessary. If you want to keep them, you should definitely use a solution like Shariff.
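The two-click idea described above, as an added example in JavaScript that is not code from the article or from the Shariff project: the share endpoint URLs and the vendor script URL are assumptions for illustration, and the point is that nothing is requested from the social network until the user actively clicks.

```javascript
// Added example (not from the article or the Shariff project); share endpoints
// and the vendor script URL below are assumptions for illustration.
const SHARE_ENDPOINTS = {
  // Shariff-style static links: the network is contacted only when the user clicks.
  twitter: (url, text) =>
    `https://twitter.com/intent/tweet?url=${encodeURIComponent(url)}&text=${encodeURIComponent(text)}`,
  facebook: (url) => `https://www.facebook.com/sharer/sharer.php?u=${encodeURIComponent(url)}`,
};

function buildShareUrl(network, pageUrl, text = '') {
  const build = SHARE_ENDPOINTS[network];
  if (!build) throw new Error(`unsupported network: ${network}`);
  return build(pageUrl, text);
}

// Two-click control: the first click records the user's decision and only then
// loads the vendor widget; the second click, inside that widget, does the share.
class TwoClickShare {
  constructor(network, widgetScriptUrl, loadScript) {
    this.network = network;
    this.widgetScriptUrl = widgetScriptUrl; // vendor SDK URL (placeholder)
    this.loadScript = loadScript;           // injected so the behaviour is testable
    this.activated = false;
    this.loads = 0;
  }
  // Inactive state: local markup only, no external resource referenced.
  placeholderHtml() {
    return `<button data-network="${this.network}">Enable ${this.network} sharing</button>`;
  }
  // Click handler for the placeholder: loads the vendor script exactly once.
  activate() {
    if (!this.activated) {
      this.activated = true;
      this.loads += 1;
      this.loadScript(this.widgetScriptUrl);
    }
    return this.activated;
  }
}

// Browser wiring (needs `document`): inject the <script> after the click, never at load.
function domScriptLoader(src) {
  const s = document.createElement('script');
  s.src = src;
  s.async = true;
  document.head.appendChild(s);
}
```

In a page, wire `placeholderHtml()` into the product page and call `activate()` from the button's click handler with `domScriptLoader`; a request to the network is then traceable to a user action, which is what the proof-of-consent requirement in art. 7 asks for.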
A legally-compliant consent to send out newsletters
Logically, newsletters may not be sent without the recipient’s consent, which is nothing new. However, consent must comply with the new requirements introduced by the GDPR, e.g. the recipient needs to be informed of the right of revocation within the scope of the consent in accordance with art. 7, section 3.
That’s why it was best to have obtained valid consents to newsletters in line with the GDPR before 25 May, so that you could still send legally-compliant emails afterwards.
All Set? The GDPR Checklist for Your Online Shop
We’ve also created a checklist for you to check if your online shop is compliant. You can download our free GDPR checklist whitepaper we’ve created to help you get a good overview of your responsibilities. However, here is a short overview of what you’ll have to check:
- Create or update your record of processing activities.
  - Online retailers must be able to provide the authorities with an up-to-date record on request.
- Check whether you need to carry out a data protection impact assessment and do so if necessary.
  - The data protection impact assessment only has to be carried out before data processing if there is a potential risk to the rights and freedoms of your customers. This is not the case for most online retailers, but to be on the safe side, you should clarify this issue for your company.
- Implement a reaction plan in the event of data breaches.
  - A reaction plan will help you report data breaches to the relevant supervisory authorities within 72 hours, as required.
- Update your processes to protect the rights of data subjects.
  - The GDPR strengthens the rights of “data subjects”, i.e. your customers whose data you process as an online retailer. For example, customers may request their order history in a machine-readable format. This may not happen very often in practice, but you should be prepared from a technical and organisational point of view to respond to such requests.
- Check your contracts with service providers.
  - Whether for server hosting, newsletters or tracking, as an online retailer you usually work with service providers who collect personal data. This requires contracts for data processing on your behalf by a third party, in line with the requirements of the GDPR.
- Create a form for information requests.
  - As an online retailer, you must provide your customers with all stored data on request. It is therefore recommended that you provide a form customers can fill out and submit if they want to have their data deleted or get information about the data that has been stored.
There is no need to fear the changes introduced by the GDPR. In today’s age, data protection is becoming increasingly important. This is reflected in the GDPR in the form of more accountability for the retailer’s handling of personal data. Customer rights are strengthened and people will have the right to access their data free of charge as opposed to currently being charged £10 when they want to know which data is being stored about them.
Also, the GDPR sets the stage for new, larger fines. In this respect, the ICO has already made it clear that it prefers to continue its approach of working with companies to improve their practices, but the regulator will make use of its powers if compliance cannot be reached otherwise. To sum it up, there is no need to fear May 25th or the period thereafter if you are willing to work properly on data protection in your online shop.