GDPR: Recommendations for e-commerce
The General Data Protection Regulation (GDPR) becomes enforceable on the 25th of May 2018.
It’s the largest regulation on handling customer information to date, and it will affect every business serving clients in the EU/EEA. There are many articles explaining what GDPR exactly is, so we focus here on the most important things to take into account while preparing to comply with it.
After a thorough review we’ve listed the key points that deserve serious consideration. We suggest staying up-to-date with the newly introduced legal obligations, as the fines can be as high as 4% of annual turnover.
Identify All Data in Your Possession
“‘[P]ersonal data’ means any information relating to an identified or identifiable natural person (‘data subject’);”
Make sure there is a purpose for every field to be included. Make sure your site only collects what is absolutely required to fulfill orders. For every other bit of data you will now have to ask separately while clearly stating how you intend to use it.
“[A]n identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;”
Remember that every identifier uniquely assigned to a person (logins, handles and so on) is also personal data, and that personal data is not limited to what customers give you explicitly.
Some personal data is created in the process of customers interacting with your store. This includes session identifiers typically paired with a client cookie and tracking IDs used by analytics software. This also includes the browsing history recorded by your analytics stack and all of the orders placed by an account.
Obtain Explicit Consent
It’s no longer enough to say that “by visiting you agree…”. All consent needs to be explicit. This means there needs to be an action taken by the user for each and every scope (set of information and intended use). It also means there needs to be freedom of choice; you can’t just deny service until customers agree to being tracked.
“When the processing has multiple purposes, consent should be given for all of them.”
Enumerate all of the purposes you need to collect data for. Make sure they are all opt-in and are not checked by default. Not taking an action (to uncheck a box or to unsubscribe from a mailing list) can no longer be treated as a “go ahead”.
“Silence, pre-ticked boxes or inactivity should therefore not constitute consent.”
Since tracking cookies are now considered personal data (you need to store some identifier for tracking to work), cookies will also require explicit consent before they can be used. It’s not clear yet if browser vendors can make this process easier (for example by asking to allow cookies the first time you visit a website) but what’s certain is that the old “this site uses cookies” warning has to go.
Provide Enough Information
For each purpose provide information of what an agreement implies. Before giving consent your customers need to be able to answer the following questions:
- Who are you and how can customers reach you?
- What are you going to do with the data?
- What information will be shared with third parties?
- Is the data going to leave the EU and if so, is there a rating provided by the EU Commission?
“The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.”
Inform users if any of the purposes involve automated profiling or decision making, as this requires a separate agreement (which, again, cannot be made a condition of service unless it is absolutely necessary for fulfillment).
Inform users that they have the right to ask for their data, update it or request that it is removed.
Take Responsibility for Third Parties
“Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation.”
Identify all partners and contractors with access to even portions of the personal data in your possession. This includes payment gateways, analytics providers, hosting companies, and so on. All of your contract workers are also considered external processors. Make sure each of them is GDPR-compliant, and that includes this very requirement: they must in turn maintain a list of all third parties that get access to the data through them.
“A transfer of personal data to a third country or an international organisation may take place where the Commission has decided that the third country, a territory or one or more specified sectors within that third country, or the international organisation in question ensures an adequate level of protection.”
Identify any partners/contractors operating outside of EU/EEA. Ensure they are GDPR-compliant and that their country of operation has a good data protection rating (issued by the EU Commission).
Establish Processes to Handle Data Requests
Create a process to handle data requests in a timely manner. Make sure your business cannot be swamped by a flood of simultaneous data access/update/removal requests. You are allowed to charge processing fees in cases where a single person issues multiple requests.
The law requires that you obtain an adult guardian’s consent when dealing with children. This is tricky to handle in a verifiable way, especially so when dealing with foreign citizens. Many businesses may instead opt to refuse their services to minors entirely.
Respect the Right to Be Forgotten
Prepare a “kill switch” that wipes all personal data of a particular user (remember that includes their address data, order history etc.). It’s usually a per-account operation but be prepared to handle cases where data was provided by an anonymous checkout or where one person provided another person’s data for payment or shipping (for example when buying a gift or when using a relative’s credit card).
The right to be forgotten does not explicitly require the business to be able to continue providing any services to the person (that would be hard without any trace of said person’s data) so it’s most likely fine for the customer to lose access to all services.
For business reasons anonymization is likely preferable to deleting records outright, so that your aggregate reports remain unchanged. The trickier part is removing the data that resides with your partners (it is your duty as the controller to ensure that all processors comply with the request). Different identifiers (some of them generated) may relate to the same person across multiple business boundaries, so data erasure needs to be a cooperative process.
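The erasure process described above, as an added example that is not part of the original post: it anonymizes rather than deletes, catches guest and third-party orders that carry the same e-mail address, keeps order totals so aggregate reports stay unchanged, and produces the erasure requests to forward to each processor. The in-memory records, field names and processor list are constructed for the example and are not any real shop’s schema.

```python
"""Right-to-be-forgotten routine that anonymises rather than deletes.
Records below are constructed in memory for illustration; the field names
and the processor list are assumptions, not a real shop's schema."""
from dataclasses import dataclass
from typing import Dict, List, Optional

ERASED = "[erased]"  # tombstone value that keeps rows but removes identity


@dataclass
class Account:
    account_id: str
    email: str
    name: str
    phone: str


@dataclass
class Order:
    order_id: str
    account_id: Optional[str]  # None for anonymous (guest) checkout
    email: str                 # may belong to a gift recipient, not the buyer
    name: str
    shipping_address: str
    total: float
    tracking_id: str           # identifier shared with analytics / carrier


def total_revenue(orders: List[Order]) -> float:
    """Aggregate figure that must survive erasure unchanged."""
    return round(sum(o.total for o in orders), 2)


def erase_person(email: str, accounts: Dict[str, Account], orders: List[Order],
                 processors: List[str]) -> List[dict]:
    """Wipe personal data tied to `email`: the account itself, its orders, and
    any guest or third-party order carrying the same address. Totals and order
    ids stay, so reports are unchanged. Returns one erasure request per
    processor and affected order, keyed by the tracking id the processor saw."""
    target = email.strip().lower()
    erased_accounts = {a.account_id for a in accounts.values() if a.email.lower() == target}
    for acct_id in erased_accounts:
        acct = accounts[acct_id]
        acct.name, acct.email, acct.phone = ERASED, ERASED, ERASED
    requests = []
    for o in orders:
        if o.account_id in erased_accounts or o.email.lower() == target:
            requests += [{"processor": p, "tracking_id": o.tracking_id} for p in processors]
            o.name = o.email = o.shipping_address = o.tracking_id = ERASED
    return requests
```

In a real database the tombstoned e-mail must not violate a unique constraint, so a per-row placeholder (or a nullable column) is usually needed instead of a single constant.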
Prepare for the Worst
“When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.”
Create a process to handle data breaches. I can’t stress this enough. No one plans for this to happen, but under certain conditions you will be required to notify affected users within 72 hours of detecting an incident.
The above are the most crucial aspects of the upcoming law changes. Familiarize yourself with the new requirements so your business has enough time to adapt.
For further reading check out the friendly information portal prepared by the Data Protection Commissioner of the Republic of Ireland: