If the title didn’t grab your attention, here’s something that might: as of May 25th, 2018, any company that collects or processes data of European customers online will be subject to enormous fines if it doesn’t comply with the new GDPR privacy regulations signed into law by the European Union. This fine would be to the tune of €20 million or 4% of a company’s annual global turnover – a penalty with the power to snuff out smaller businesses, as well as severely hurt anyone else unfortunate enough to get caught breaking the rules.
The General Data Protection Regulation (GDPR) was officially approved on April 14th, 2016, and companies were granted a two-year window to become compliant. That first year is in the rear-view mirror, and we are quickly approaching the beginning of GDPR enforcement. If you want to keep your ecommerce business afloat, it’s in your best interest to prepare yourself. Here are four key ways to do so.
Know What Data You’re Collecting & How You’re Collecting It
Data Controllers vs. Data Processors
Every business that operates online, from Amazon to your local mom-and-pop shop selling holiday baubles, can be classified as either a data processor or a data controller. A data controller is defined by the GDPR as “the entity that determines the purposes, conditions and means of the processing of personal data.” This includes most retailers, ecommerce businesses, and websites that (intentionally or unintentionally) collect the information of European web users.
Data processors are the entities that “process” any information collected by a data controller. Processing data, as established by the Data Protection Act of 1998, includes the:
- Organization, adaptation or alteration of the information or data
- Retrieval, consultation or use of the information or data
- Disclosure of the information or data by transmission, dissemination or otherwise making available
- Alignment, combination, blocking, erasure or destruction of the information or data
If you’re not sure which data umbrella your company falls under (note: it could be both), understand that most data processors can be classified as one or more of the following:
- Cloud service providers
- Payment processors
- Payroll companies
- IT service providers
- Accounting services
- Data disposal services
Past regulations, such as those from the Data Protection Act, were directed toward data controllers. However, the GDPR has specific statutes that apply to processors, holding them more accountable than in the past. If your company processes data, make sure you understand these new rules to avoid problems down the road.
Personal Information vs. Sensitive Personal Information
All of the information being handled by data processors and controllers can be classified as either “personal” or “sensitive personal” information. Regulations on the collection and processing of sensitive personal information are more severe, so it’s important to know which type you deal with on a regular basis. “Personal” information consists of the following:
- Email address
- Photos, videos, or audio files
- Any type of identification number
- Your banking details
- Location coordinates
- Pseudonymous data (data that can’t be used to fully identify someone)
- Your IP address, account numbers, and PINs
In contrast, sensitive personal information is any data that outlines:
- Your race or ethnicity
- Religious or political beliefs
- General health
- Sexual orientation and/or sex life
- Genetic makeup
- Physical characteristics, such as body weight, height, etc.
Such details about a customer are more private (thus the “sensitive” designation), and if your company wishes to collect them post-GDPR you’ll need explicit consent. To understand what that truly means, it’s important to consider the two primary ways websites elicit consent: by using clickwrap agreements and browsewrap agreements.
Understand that Clickwrap is Safer than Browsewrap
In the past, having pre-ticked boxes or simply linking to your policies somewhere on your site (often in the footer) was considered legally acceptable. This strategy has been dubbed “browsewrap,” because the act of browsing a site implies your consent to data collection and any other site policies. However, after companies like Barnes & Noble were successfully taken to court for using this method, it has become increasingly unclear what constitutes “consent.”
Once the GDPR is enforced, clickwrap will be the safest bet for conveying policy details and future updates to your customers. If you need “explicit consent” before gathering user data, you 100% need to use clickwrap. If you only plan to collect “personal” information, then you can still use browsewrap – but you’re leaving yourself open to potential scrutiny.
For an idea of what clickwrap looks like in action, take a look at the screenshot above. If you want to sign up for newsletters and recipes from Jamie Oliver’s website, this popup will appear – very clearly stating that you agree to their terms by submitting the form. Links are also included to those policies, giving users easy access to them (unlike before, when they were often buried in the footer). If you plan on collecting sensitive personal data online, this is the new norm. If you think this is too obtrusive, consider the pros and cons of both methods before making the decision.
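The clickwrap rules above, turned into a consent check that a signup endpoint could run before storing anything. This is an added example, not code from the article or from any site it mentions; the field names, category names, policy version and sample submissions are constructed assumptions.

```javascript
// Added example, not code from the original article: the clickwrap vs.
// browsewrap rule, expressed as a consent check a signup endpoint could run
// before any data is stored. Field names, category names, the policy version
// and the sample submissions are constructed for this illustration.

const SENSITIVE_CATEGORIES = new Set([
  "race_ethnicity", "beliefs", "health", "sexual_orientation", "genetic", "physical",
]);
const REQUIRED_POLICY_LINKS = ["privacy", "terms"];

// Returns { ok, errors, warnings, record }; `record` is the evidence to keep
// next to the user's data and is only produced when the consent is acceptable.
function evaluateConsent(submission, now = new Date()) {
  const errors = [];
  const warnings = [];
  const { mechanism, checkbox, policyLinks = [], statement = "", categories = [] } = submission;
  const sensitive = categories.filter((c) => SENSITIVE_CATEGORIES.has(c));

  if (mechanism === "browsewrap") {
    // Implied consent: never enough for sensitive data, and weak even for personal data.
    if (sensitive.length > 0) errors.push(`browsewrap cannot cover sensitive data: ${sensitive.join(", ")}`);
    else warnings.push("browsewrap relies on implied consent; expect scrutiny");
  } else if (mechanism === "clickwrap") {
    // Explicit consent is an affirmative act: an unticked box the user ticks,
    // a visible statement of what is agreed, and links to the policies themselves.
    if (!checkbox || checkbox.defaultChecked) errors.push("consent box missing or pre-ticked");
    else if (!checkbox.checked) errors.push("user did not tick the consent box");
    if (statement.trim() === "") errors.push("no consent statement displayed with the form");
    for (const link of REQUIRED_POLICY_LINKS) {
      if (!policyLinks.includes(link)) errors.push(`policy link not presented: ${link}`);
    }
  } else {
    errors.push(`unknown consent mechanism: ${String(mechanism)}`);
  }

  if (errors.length > 0) return { ok: false, errors, warnings, record: null };
  const record = {
    grantedAt: now.toISOString(),
    mechanism,
    explicit: mechanism === "clickwrap",
    policyVersion: submission.policyVersion || "unversioned",
    statement,
    categories: [...categories],
    sensitiveCategories: sensitive,
  };
  return { ok: true, errors, warnings, record };
}
```

Store the returned record with the account so you can later show what the user agreed to, under which policy version, and when.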
The heart of GDPR legislation can be boiled down to one word: transparency. Collecting user data will soon be substantially more regulated, and companies will need to be much more open with what data they’re drawing from their users. Making your terms and policies clearly visible is an important step toward compliance, but ensuring that their content is easy to understand is equally important if you want to avoid a lawsuit.
Be Ready to Notify Your Users of Breaches Quickly
On July 29th, 2017, the credit-score company Equifax realized their users’ personal data had been compromised – the result of an enormous security breach believed to have impacted 143 million Americans. Over a month later, this breach finally became public knowledge (after several executives sold their stock, of course). Even though Equifax primarily serves U.S. consumers, Europeans use their services as well, which makes their delay an illegal one in the eyes of this new legislation.
Article 33 of the GDPR states that companies must notify supervisory authorities within 72 hours following the discovery of a data breach. While this might be a difficult pill for many businesses to swallow, it’s a necessary one that benefits consumers and holds companies accountable for securing the personal information they collect.
Once a company learns a breach has occurred, it is responsible for:
- Describing how many people were likely affected, and what data is at risk
- Providing the contact information of their data protection officer to users
- Highlighting the main steps being taken to reduce problems caused by the breach
- Elaborating on the potential consequences of the breach to users
If you’re able to avoid compromising situations, great. However, if something does happen, it’s important to be transparent and move quickly. Getting the full force of the GDPR levied against your business will be at best a huge financial inconvenience, and at worst a catastrophic one.
Preparing fully for the GDPR will take some serious effort by businesses. In the end though, this is a good thing for both companies and consumers, and will help shine some light on the darker areas of online data collection. Be on the right side of history, figure out how to comply with this new legislation, and avoid the steep fines that will soon start costing businesses millions (because paying fines, regardless of who you are or what you do, feels like setting money on fire).