The main objective of the GDPR is to give individuals greater control over the personal data that organisations capture and keep. In the UK, the current Data Protection Act 1998 already sets out how companies and the government may use personal information; the GDPR builds on those rules and raises the bar for consent, transparency and accountability in how that data can be used.
It is important to note that we are by no means experts on the new General Data Protection Regulation (GDPR), but here is our understanding of it and an overview of what online businesses need to consider before May 25th.
All individuals or companies that are either ‘controllers’ or ‘processors’ of personal data are covered by the GDPR. This includes Magento eCommerce merchants and any other business that collects and stores individuals’ data.
These roles are by no means limited to two distinct people or organisations. Anybody with access to personal data acts as either a controller or a processor, and since personal data can be as little as a telephone number or an email address, our guess is that the majority of employees will be processing personal data in one way or another.
Personal data refers to any information relating to an identifiable person. It applies to all data that can directly or indirectly identify that person: names, ID numbers, locations, email addresses and so on. It also covers data relating to past and present employees and suppliers, not just customers.
Under the GDPR all of this data must be processed lawfully, collected for specified, explicit and legitimate purposes, and not further processed in a manner incompatible with those purposes. It must be relevant and limited to what is necessary for the purposes for which it is processed, and it must be processed in a manner that ensures appropriate security.
That was quite the mouthful.
But in short, you must be able to justify each processing activity under the lawful basis your business has chosen for it. You need to determine that lawful basis before May 25th and state it in your Privacy Notice.
The requirement to have a lawful basis for processing personal data is not new and mirrors the Data Protection Act 1998. However, the GDPR places more emphasis on being accountable for, and transparent about, your lawful basis, and it requires you to tell people upfront which basis you rely on to process their personal data.
The General Data Protection Regulation sets a very high standard for consent. When an organisation relies on consent to lawfully use a person’s information, it must be able to demonstrate that consent was given through a “positive opt-in”; pre-ticked boxes or other methods of default consent will be unlawful.
Explicit consent requires a clear and specific statement and must be kept separate from other T&Cs. You need separate consent for each distinct processing operation (obtaining, using, holding, disclosing etc.), and any third party with whom the data will be shared must be named individually. Keep evidence of who consented, when, how, and what they were told, and maintain clear records so that you can demonstrate it.
Your consent records will also need to be maintained and regularly refreshed. Consent does not last indefinitely: there is no fixed statutory expiry, but two years is a commonly used benchmark, and it can be much shorter depending on the wording used to obtain it. For example, if a fitness guru runs a newsletter subscription promising to “Get the Summer Bod of your Dreams”, then once summer ends the guru’s right to keep processing those subscribers’ data on the strength of that consent lapses with it.
Sounds like a lot of work, huh? There’s more.
The GDPR gives people a specific right to withdraw consent. You need an easy process for withdrawing consent at any time, it must be as easy to withdraw as it was to give, and you must tell people how to do it.
In the case of “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data”, if that breach is likely to result in a risk to the rights and freedoms of individuals, it must be reported to the relevant supervisory authority within 72 hours of the organisation becoming aware of it. In the UK that is the ICO, the independent body set up to uphold information rights. Even a simple honest mistake such as emailing personal data to the wrong address counts as a breach: it must be assessed against that risk threshold and recorded internally whatever the outcome, and reported to the ICO where the threshold is met.
Firstly, identify every piece of personal information your business holds, including data on mobile devices or in the cloud. Once you have mapped all the data you store, you will know where personal data lives and be able to monitor compliance and the processes for handling it.
Knowing where personal data is held also helps when an individual asks to see the information you hold on them. These requests are typically referred to as Subject Access Requests (SARs), and they are sometimes followed by a request under the ‘right to be forgotten’, which requires you to erase that individual’s data.
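To make the consent and subject-rights requirements above concrete, here is an added example (our illustration, not Magento code or anything from the Magento blog) of a consent ledger that records who consented, when, how and what they were told, treats consent as lapsed after withdrawal, after a campaign end date, or after a two-year refresh window (the two-year figure is an assumption taken from the text, not a statutory limit), and serves a Subject Access Request export and an erasure. The subject IDs, email addresses, purposes and newsletter wording are constructed sample data; the suppression hash kept after erasure is a design choice so that an erased address is not re-added from a stale import.

```python
"""Consent ledger and subject-rights helpers (illustrative example, not Magento code)."""
from __future__ import annotations
import hashlib
from dataclasses import dataclass, asdict
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumption: two years used as the refresh benchmark mentioned in the text.
# A campaign-bound consent carries its own, shorter valid_until instead.
DEFAULT_MAX_AGE = timedelta(days=2 * 365)


@dataclass
class ConsentRecord:
    subject_id: str                        # who gave consent
    purpose: str                           # one record per distinct purpose
    given_at: datetime                     # when (UTC)
    method: str                            # how, e.g. "unticked checkbox, checkout step 3"
    wording: str                           # exactly what the person was told
    third_parties: tuple = ()              # named recipients the data is shared with
    valid_until: Optional[datetime] = None  # end of the campaign the wording promised
    withdrawn_at: Optional[datetime] = None


class ConsentLedger:
    def __init__(self, max_age: timedelta = DEFAULT_MAX_AGE):
        self.max_age = max_age
        self.records: list[ConsentRecord] = []
        self.personal_data: dict[str, dict] = {}  # subject_id -> fields held
        self.suppressed: set[str] = set()         # SHA-256 of erased email addresses

    def store_personal_data(self, subject_id: str, **fields) -> None:
        self.personal_data.setdefault(subject_id, {}).update(fields)

    def record_consent(self, rec: ConsentRecord) -> None:
        # Evidence of "how" and "what was told" is mandatory, so refuse to log without it.
        if not rec.wording or not rec.method:
            raise ValueError("consent evidence must record the method and the wording used")
        self.records.append(rec)

    def is_valid(self, rec: ConsentRecord, at: datetime) -> bool:
        if rec.withdrawn_at is not None and rec.withdrawn_at <= at:
            return False                              # withdrawn
        if rec.valid_until is not None and at > rec.valid_until:
            return False                              # campaign the wording promised has ended
        return at - rec.given_at <= self.max_age      # otherwise stale after the refresh window

    def active_purposes(self, subject_id: str, at: datetime) -> set[str]:
        return {r.purpose for r in self.records
                if r.subject_id == subject_id and self.is_valid(r, at)}

    def withdraw(self, subject_id: str, purpose: str, at: datetime) -> int:
        """Mark every live consent for this purpose as withdrawn; returns how many."""
        count = 0
        for r in self.records:
            if r.subject_id == subject_id and r.purpose == purpose and r.withdrawn_at is None:
                r.withdrawn_at = at
                count += 1
        return count

    def subject_access_export(self, subject_id: str) -> dict:
        """Everything held on the person plus the full consent history (for a SAR)."""
        return {
            "personal_data": dict(self.personal_data.get(subject_id, {})),
            "consents": [asdict(r) for r in self.records if r.subject_id == subject_id],
        }

    def erase(self, subject_id: str) -> dict:
        """Right to be forgotten: drop the data, keep only a hash so it is not re-imported."""
        data = self.personal_data.pop(subject_id, None)
        if data is None:
            return {"erased": False, "fields": [], "consents_removed": 0}
        if data.get("email"):
            self.suppressed.add(hashlib.sha256(data["email"].lower().encode()).hexdigest())
        before = len(self.records)
        self.records = [r for r in self.records if r.subject_id != subject_id]
        return {"erased": True, "fields": sorted(data), "consents_removed": before - len(self.records)}

    def is_suppressed(self, email: str) -> bool:
        return hashlib.sha256(email.lower().encode()).hexdigest() in self.suppressed


def demo() -> dict:
    """Constructed walk-through of the summer-newsletter scenario from the text."""
    ledger = ConsentLedger()
    ledger.store_personal_data("cust-42", email="Alex@example.com", phone="01234 567890")
    signup = datetime(2018, 5, 1, tzinfo=timezone.utc)
    ledger.record_consent(ConsentRecord(
        "cust-42", "summer-newsletter", signup, "unticked checkbox on signup form",
        "Send me the Summer Bod newsletter series until the end of August 2018",
        third_parties=("Example Mailing Ltd",),
        valid_until=datetime(2018, 8, 31, tzinfo=timezone.utc)))
    ledger.record_consent(ConsentRecord(
        "cust-42", "order-updates", signup, "unticked checkbox at checkout",
        "Email me about the status of my orders"))
    september = datetime(2018, 9, 15, tzinfo=timezone.utc)
    out = {
        "june": ledger.active_purposes("cust-42", datetime(2018, 6, 15, tzinfo=timezone.utc)),
        "september": ledger.active_purposes("cust-42", september),
        "two_years_later": ledger.active_purposes("cust-42", datetime(2020, 6, 1, tzinfo=timezone.utc)),
    }
    ledger.withdraw("cust-42", "order-updates", september)
    out["after_withdrawal"] = ledger.active_purposes("cust-42", september + timedelta(days=1))
    out["sar"] = ledger.subject_access_export("cust-42")
    out["erasure"] = ledger.erase("cust-42")
    out["suppressed"] = ledger.is_suppressed("alex@example.com")
    return out


if __name__ == "__main__":
    print(demo())
```

The point of the structure is that every answer the ICO could ask for (what did this person agree to, when, under what wording, is it still live, what do we hold on them) is answered from the ledger rather than reconstructed after the fact.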
In a perfect world, all data would be stored securely and processes would be in place to ensure all personal data is kept separately under a security framework. But we know that can’t always be the case.
Magento has put together a useful blog: 3 Key Actions Merchants Need to Take.
However, we suggest seeking legal advice on your own legal position under the new rules before taking any action to update your terms.