GDPR for eCommerce
Over the last decade, the collection, analysis, and flow of personal data have taken on particular significance for eCommerce businesses. To prevent leakage or manipulation of users’ data, you have to ensure it is stored and handled reliably. And now there is one more thing to be aware of: GDPR is coming!
What is GDPR?
The General Data Protection Regulation (GDPR) is the official regulation on data protection and privacy that applies to companies’ e-commerce sites. It comes into force in May 2018, replacing the outdated Data Protection Directive of 1995.
Who is obliged to follow the new GDPR rules?
GDPR has an extraterritorial effect. This means that every company that processes the personal data of citizens of European countries (whether the company is inside or outside the EU) must comply with the requirements of the regulation.
Enterprises that actively monitor the behavior of Europeans, analyzing it to forecast and identify preferences, must meet GDPR compliance requirements as well.
If your company is located outside Europe but collects any information about its users, GDPR still imposes strict rules on how you control and process personally identifiable information.
What does it mean for eCommerce?
- Conduct a comprehensive assessment of the methods and means the company uses to process personal data;
- Create the position of Director of Information Protection, who will be responsible for keeping the company’s policies compliant with GDPR;
- Develop internal data protection policies: train staff, conduct data processing audits, run a full security audit of the system, maintain documentation on processing activities, and implement built-in confidentiality (privacy-by-design) measures;
- In case of emergency: every leak must be disclosed within 72 hours of being identified. You must have a previously developed quick-response plan – a list of the actions you will take if needed;
- Do not go too far: your company should not collect data it does not need. Check the company’s goals once again and make sure you do not go beyond them;
- The right to be forgotten: at the first request of a user from the EU, the company must delete all data about him/her from the system, provided this does not contradict the interests of the company;
- Keep records: document the processing of personal data.
Analysis of possible difficulties
Fines: If a company ignores the GDPR rules, it can be fined up to 20 million euros or up to 4% of its annual turnover.
Unpleasant price: the data portability process will be quite expensive for many firms.
Additional duties: staff have to be extremely attentive in controlling every process that involves personal data, and must react immediately in case of an information leak, etc.