GDPR is right around the corner. Are you ready?
If you’re running a business online but the GDPR abbreviation makes you feel awkward, it’s time to shed light on this concept.
95% of businesses say that meeting the compliance requirements of the GDPR will be "challenging or extremely challenging" (Independent).
Businesses that fail to comply with the new EU law can face fines of up to €20,000,000 or up to 4% of their global sales for the previous year.
What is GDPR?
GDPR (the General Data Protection Regulation) is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU). The GDPR:
- lays down a set of rules pertaining to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of such data.
- protects fundamental rights and freedoms of natural persons and, in particular, their right to the protection of personal data.
What does this mean in plain language? GDPR defines how the personal data of EU citizens is stored and transferred. This legislation changes the way businesses and public sector organisations handle their customers' information. It gives people the right to access the information that companies keep about them, places obligations on businesses to manage data better, and of course comes with new fines!
What kind of personal data is covered by GDPR?
Any information that could be used to identify a person in any way: their name, email address, photos, ID numbers, financial information, social network posts, cookies, and IP addresses.
If it relates to the "physical, physiological, genetic, mental, economic, cultural, or social identity" of a person, to use the GDPR's own language, it counts. This data can be located on your own servers, hosted on SaaS platforms (Salesforce, Dropbox, Google Drive, etc.), in the cloud (AWS, Azure, etc.), or shared with third parties.
A company may store or process covered data only if the individual concerned has explicitly authorised it, and only for a length of time defined by GDPR.
The company has to export and share all of a customer's data (including transactional data), or delete a customer and all records associated with that customer, across all of its systems, within one month of the request.
You have 72 hours to notify the commission about any kind of data breach.
When does GDPR go into effect?
GDPR comes into force on May 25th, 2018. It is the biggest change EU data protection rules have undergone in 20 years!
What does it mean for eCommerce?
If an individual asks for the information that an organisation holds on them, the organisation will have to produce it within one month. So, as a merchant, you have to be able to provide your customers with such data, and you should know where this data is stored and how accurate it is.
Magento is standing by to support your GDPR efforts. It assists merchants in determining what data is being stored by Magento and where it resides.
Magento Marketplace extensions may store personal data in different locations than core Magento, and some of them may also send data to external services. It's up to you to be aware of the data usage policies and behaviours of any extensions you choose to use. So, if you are not sure that you know everything about your customers' data, you will need to review your web store's code base. You also need to prepare a detailed procedure for dealing with data subject access requests, deletion requests, and government access requests. This may require the assistance of your web developers.