Published in Tilo Tech

Everything you need to know about Personal Data and the General Data Protection Regulation (GDPR)

“As an eCommerce company working with public data and utilizing cloud computing for data processing, we ensure GDPR compliance.”

This is a line quoted by many eCommerce giants that have in-house consultants and a large team to ensure GDPR compliance.

As a startup or a newly established company, are you aware of the data privacy terms like GDPR requirements, GDPR compliance, and risk assessments?


What are the steps you are taking to ensure the data security of your data subjects?

Let’s start by looking at GDPR laws from two points of view.

  1. The legal aspect which involves understanding GDPR laws for your industry.
  2. The technical aspect that provides a roadmap to implement GDPR laws for your industry (we will learn more on this in our next article).

In this article, let’s talk about legal aspects of GDPR laws for the eCommerce industry.

The first step toward understanding GDPR is to understand what Personally Identifiable Information (PII) is and why protecting it matters.

If you have ever accessed a website, you have surely noticed a pop-up asking you to manage your cookie settings.

That pop-up is a request for your permission, as the user, to confirm what data you are willing to share with the data controller, i.e. the party collecting the information.

Prior to GDPR, it was assumed that by accessing a website you agreed to share your personal information with the server. This is no longer true: viewing a website is in no way consent to disclose your personal data.

Apart from websites, your personal data is exposed to the applications you use, your social media, your bank, the government. Leaking your personally identifiable information like your social security number, phone number, email address, or any other sensitive information from the above platforms can expose you to potentially fraudulent activities that can harm you financially or damage your reputation.

Fraudulent activities can range from using your credit information for purchases to even politically influencing a sea of people by harvesting and analyzing important data.

This is where the European Union’s General Data Protection Regulation (GDPR) comes into play: its purpose is to protect your Personally Identifiable Information (PII).

So, what is GDPR? And how does it protect your data subjects?


Data subjects?

Data subjects are your consumers: the people who trust you with their personal data, give you permission to process their sensitive information, and expect you to take the best care of it.

Now coming to GDPR: thanks to many data-related scandals in the recent past, the European Union was compelled to take a stand on data privacy and security policy. In light of the misuse of public data by businesses for private gain, the General Data Protection Regulation came into effect on 25 May 2018 across the EU.

The GDPR applies to

  • Every organization operating in the EU region.
  • Organizations that use data from EU citizens regardless of where they live.
  • Foreign citizens accessing data from the EU region.
  • Companies that may be based in another country but have websites that are accessible to EU citizens.

In effect, the majority of organizations had no choice but to comply with the GDPR legislation or risk stiff penalties, which may include fines of up to 4% of a company’s global annual revenue or €20 million (whichever is greater).

In light of such stringent laws and heavy penalties levied, any and every company that utilized personal data scrambled to ensure GDPR compliance.

GDPR differentiates between the data controller and the data processor. As the name suggests, the data controller controls the data and defines why and how personal data is processed. The controller is also responsible for compliance and has to make sure the data processor handles the data in a compliant way. The data processor only processes data on behalf of the data controller.

As an example, think of an online shop that sells electronic devices and uses a payment processor for its payments. In this case, the online shop is the data controller, as it collects the data from its customers to fulfill their orders. It then forwards the data to the payment company to bill the customer. The payment company is the data processor, as it processes the data on behalf of the shop, which is its customer.

How can you ensure GDPR compliance as a new company?

The first step to achieving GDPR compliance is to understand the key principles of GDPR.

Lawfulness, fairness, and transparency: The data should be treated fairly and transparently toward the data subject, in accordance with the applicable legislation.

Purpose limitation: The data must be collected for a legitimate reason, and you cannot reuse the data for any other purpose than the one defined in the beginning.

Data minimization: Instead of storing as much data as possible for later use, you must store and process only the minimum amount of data that is absolutely necessary to fulfill the purpose.

Data accuracy: Data must be kept up to date, and if it is incorrect or out of date, it must be erased.

Data storage limitation: The data can only be kept/stored for as long as the original purpose is still valid.

Data security: Personal information must be safeguarded against not just security breaches but also accidental loss. Data security must ensure integrity and confidentiality.

Accountability: Companies must demonstrate that they follow the GDPR’s principles. They must document how personal data is handled and the procedures taken to ensure that the key principles are followed.

What is the bare minimum GDPR requirement for storing and processing sensitive data of your data subject?

Article 6 of GDPR states that storing and processing personal data is lawful only in one of the following cases:

  • The data subject has given consent.
  • The data processor has a legitimate interest.
  • Processing is needed for a legal obligation or a contract.
  • Processing is in the public interest.
  • Processing protects the vital interests of the data subject or another person involved.

However, in most situations, consent of the data subject or legitimate interest of the data processor is the primary rationale for retaining the data.

Legitimate interest can itself be abused to undermine data privacy, and therefore cannot be relied upon as the sole legal basis for data processing if there is another, less intrusive way to achieve the same goal.

Legitimate interests can turn unlawful if the data processed impacts the data subject’s privacy. Hence you must perform a Legitimate Interests Assessment (LIA).

The LIA risk assessment helps you determine the lawfulness of the data processing, and it can be performed by asking simple questions such as:

  1. Why do you want to store the data?
  2. Do you need to process the data to achieve the purpose?
  3. Do the person’s interests outweigh the legitimate interests?
  4. Who will benefit from the data processing?
  5. Is the data use unethical or unlawful in this particular situation?

These answers are then documented, like everything else under GDPR.

Under GDPR, the data subject’s rights are paramount, and upholding the rights of the data subjects means that you uphold the key principles of GDPR.

What exactly are the rights of the data subjects under GDPR?

1. Right to Access

Article 15 of GDPR states that the data subject has the right to know whether their data is being processed, and the data controller must provide access to the subject’s personal data together with the following information:

  1. Purpose of processing
  2. The categories of personal data
  3. The recipients or categories of recipients
  4. The period for which you will store the data
  5. Right of correction and deletion of data
  6. Right to complain to a supervisory authority
  7. If the data was provided by a third party
  8. If the data is processed using automated decision-making

2. Right to Erasure / Right to be Forgotten

Article 17 of GDPR mentions that each data subject has the right to have their data removed promptly upon request.

However, the data can be deleted only if:

  1. The data subject withdraws consent.
  2. The data is no longer needed for the defined purpose (and there is no other legal reason for processing).
  3. The personal data has been unlawfully handled, or the term for data storage has ended.

To implement the data subject’s rights (i.e., the right to access and the right to erasure) correctly, it is necessary to first identify the person who is requesting the data access or data deletion.

Wrongly identifying the person can lead to data leaks to a third party who is not privy to this sensitive information or deleting critical information of another person.

What does the new GDPR regulation mean to eCommerce sector firms?

GDPR covers all industries, but arguably eCommerce firms are the most affected since processing personal data forms the basis of a lot of their operations.

ECommerce companies are particularly affected since their technology platforms and data architectures collect, process, and store personal data at their core.

ECommerce firms must thoroughly assess their databases, websites, data warehouses, and information systems to understand where the data resides and how the data is processed.

They would benefit from a holistic search tool or an entity resolution tool that houses complete identity details and connects to all internal data silos, enabling easy deletion or editing of personal data upon request.
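The following Python module is an added example, not code from this article or from Tilo, showing how the pieces discussed above fit together: a request handler that first verifies the requester (the identification step the right-to-access and right-to-erasure sections insist on), resolves one person across several internal data silos (the role of the entity resolution tool), answers an access request with the Article 15 information, and erases or pseudonymises records on an erasure request while writing an audit trail for accountability. The silo layouts, the sample customers, the processing information, the idea of verifying identity with a one-time token sent to the address on file, and the assumption that order records fall under a bookkeeping retention obligation are all constructed for the example.

```python
"""Added example: minimal data-subject request (DSAR) handler for an online shop.
Not the article's or Tilo's code; every store, value and policy below is constructed."""
import hashlib
import hmac
import secrets
import time

# Constructed silos: each identifies the same customer in a different way.
ORDERS = {      # keyed by order id
    "o-1001": {"email": "Ana@Example.com", "items": ["laptop"], "total": 899.0},
    "o-1002": {"email": "ben@example.com", "items": ["mouse"], "total": 19.0},
}
SUPPORT = {     # keyed by ticket id
    "t-7": {"contact": " ana@example.com ", "text": "Charger missing from box"},
}
NEWSLETTER = {  # keyed by the e-mail address itself
    "ana@example.com": {"opted_in": True},
    "ben@example.com": {"opted_in": False},
}
# silo name -> (store, name of the e-mail field, or None when the key is the e-mail)
SILOS = {"orders": (ORDERS, "email"), "support": (SUPPORT, "contact"),
         "newsletter": (NEWSLETTER, None)}
# Article 15 information handed over with the records (assumed values for the example).
PROCESSING_INFO = {
    "orders": {"purpose": "order fulfilment and invoicing", "recipients": ["payment processor"],
               "retention": "10 years (assumed bookkeeping obligation)"},
    "support": {"purpose": "customer support", "recipients": [], "retention": "2 years"},
    "newsletter": {"purpose": "marketing e-mails (consent)", "recipients": [],
                   "retention": "until consent is withdrawn"},
}
LEGAL_HOLD = {"orders"}  # assumed: kept for another legal reason, so pseudonymised, not deleted
AUDIT = []               # accountability: every request and its outcome is recorded

def normalize(email):
    return email.strip().lower()

class RequestVerifier:
    """One-time token sent to the address on file; a request is served only when it comes back."""
    def __init__(self, ttl_seconds=900):
        self.ttl = ttl_seconds
        self._pending = {}  # normalised e-mail -> (sha256 of token, expiry time)

    def start(self, email, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(16)
        digest = hashlib.sha256(token.encode()).hexdigest()
        self._pending[normalize(email)] = (digest, now + self.ttl)
        return token  # in production this goes only to the mailbox on file, never to the caller

    def confirm(self, email, token, now=None):
        now = time.time() if now is None else now
        entry = self._pending.pop(normalize(email), None)  # single attempt per token
        if entry is None:
            return False
        digest, expiry = entry
        presented = hashlib.sha256(token.encode()).hexdigest()
        return now <= expiry and hmac.compare_digest(digest, presented)

def resolve_subject(email):
    """Entity resolution across silos: every (silo, key) that belongs to this person."""
    target = normalize(email)
    hits = []
    for silo, (store, field) in SILOS.items():
        for key, record in store.items():
            value = key if field is None else record.get(field, "")
            if normalize(value) == target:
                hits.append((silo, key))
    return hits

def _verified(verifier, kind, email, token, now):
    if verifier.confirm(email, token, now):
        return True
    AUDIT.append((kind, normalize(email), "rejected: identity not verified"))
    return False

def handle_access(verifier, email, token, now=None):
    """Article 15: the person's records plus the information about their processing."""
    if not _verified(verifier, "access", email, token, now):
        raise PermissionError("identity not verified")
    records = {}
    for silo, key in resolve_subject(email):
        records.setdefault(silo, {})[key] = dict(SILOS[silo][0][key])
    AUDIT.append(("access", normalize(email), f"exported {sum(map(len, records.values()))} records"))
    return {"records": records, "information": {s: PROCESSING_INFO[s] for s in records}}

def handle_erasure(verifier, email, token, now=None):
    """Article 17: delete the person's records, pseudonymising those under a legal hold."""
    if not _verified(verifier, "erasure", email, token, now):
        raise PermissionError("identity not verified")
    outcome = {"deleted": 0, "pseudonymised": 0}
    for silo, key in resolve_subject(email):
        store, field = SILOS[silo]
        if silo in LEGAL_HOLD and field is not None:
            store[key][field] = "erased-subject"  # record stays, link to the person is removed
            outcome["pseudonymised"] += 1
        else:
            del store[key]
            outcome["deleted"] += 1
    AUDIT.append(("erasure", normalize(email), str(outcome)))
    return outcome

if __name__ == "__main__":
    v = RequestVerifier()
    token = v.start("ana@example.com")  # normally delivered by e-mail, never shown to the caller
    print(handle_access(v, "Ana@Example.com", token))
    token = v.start("ana@example.com")
    print(handle_erasure(v, "ana@example.com", token), AUDIT)
```

Two design points matter more than the data model. The verifier consumes the pending token on the first attempt and enforces an expiry, so a guessed or stale token cannot be replayed; and the erasure path does not blindly delete everything it finds, because records kept for another legal reason (the exception in the right-to-erasure list) are pseudonymised instead, which is recorded in the audit trail alongside every rejected request.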

ECommerce firms must rethink their data storage strategies and may have to completely re-engineer their existing architecture to ensure GDPR compliance and avoid data breaches.

When using cloud providers for data processing, the shared responsibility model applies: the cloud provider is responsible for the security of the cloud, and the eCommerce firm is responsible for security in the cloud. This matters because the cloud provider takes care of the infrastructure, while the customer is responsible for the configuration of the application, user accounts, and so forth. In most cases the cloud provider is the data processor, as the data is processed on its systems, while the eCommerce firm is the data controller, as it decides how the data is processed.

How will the GDPR affect the cloud industry? Is GDPR compliance complex in the cloud industry?


Digital transformation and the need to provide lightning-speed services to their customers have led most companies, whether eCommerce or not, to invest in cloud technologies to store and process their data.

Companies find the cloud hassle-free, easy to navigate, and cheaper to maintain and process data, especially with the pay-as-you-go services.

But there is a risk of access to personal data and data breaches that can occur during these processing activities in the cloud; hence it is critical to perform third-party risk assessments to ensure GDPR compliance by the Cloud Services Providers (CSP).

GDPR will completely change how the cloud industry looks at security. It is not just about compliance, but also about changing the operations of the data controller and the data processor.

CSPs must reexamine their data strategy, and changes have to be implemented at the organizational, legal and technological level to implement GDPR laws and key principles.

The greatest challenge for CSPs now is to revamp their entire processes from scratch, revise the way the personal data is stored, document at every step, and process the data so that customers enjoy complete data privacy.

Though it seems complicated, it is not an unachievable task; all it requires is a clear understanding of GDPR laws and how to implement them technically for your business or the cloud.

Conclusion

An eCommerce firm dealing with customer data must be aware of the legal implications of GDPR, the key principles of GDPR, the security implications of non-compliance and most importantly maintain the privacy of their data subjects.

In our next article we will try to decode the technological aspects of GDPR and how they can be implemented in your organization.


At Tilo we use serverless technologies to connect records to entities.

Hendrik Nehnes


Hendrik is an experienced tech manager used to dealing with big data infrastructure, data centers, clouds and serverless technologies.
