Privacy has always been a hot issue, but in the last 10 years it has become explosive. Every year seems to bring with it an incident that ignites a powder keg of controversy, from how Google collects and uses your personal information to revelations of how the National Security Administration (NSA) mines phone records of U.S. citizens, to the most recent uproar over Facebook and Cambridge Analytica.
Though it’s usually titans like Google and the social media giants who eat up the news coverage, every company with a website that collects customer data needs to consider the legal and ethical questions of what to do (or not do) with the data.
This is especially true for online retailers and, soon, the landscape is going to radically change. With offices in London and clients all around the world, Corra has operations within EU jurisdiction and understands the challenges of adjusting to the new regulations. We’ve compiled an introduction to help you clear things up and learn more about the steps you may need to take towards compliance.
A brief introduction to GDPR
If you were on an elevator with a stranger who had on a shirt that read “Ask me about GDPR” and you took them up on their offer, they might say something like this: GDPR is a set of regulations that gives individuals in the EU more control over their personal data. It includes provisions to strengthen data privacy and protection against third-party attacks, and it makes any organization that collects or uses personal data more accountable for how it stores, handles and uses that data.
For the sake of clarification, Article 4 of the GDPR defines “personal data” as any information relating to an identified or identifiable natural person.
Does a U.S. company need to know about GDPR?
Many Americans don’t know that across the ocean, the European Union is about to enact one of the most far-reaching regulations on data protection and privacy. The General Data Protection Regulation (GDPR) will go into effect on May 25, and it won’t only affect EU-based companies.
You know that global economy everyone keeps talking about? Well, let’s just say it’s largely responsible for why many firms located outside of the EU will have to abide by the GDPR regulations.
The reason is that the GDPR provisions apply to all EU residents, meaning that any firm that does business in the EU or that handles data from EU residents must comply with GDPR.
This includes numerous U.S.-based retailers with a foot in the European market.
For the sake of streamlining operations, and to avoid maintaining two different systems (one that is GDPR compliant and one that isn’t), many retailers will apply GDPR regulations to all customers, regardless of where they’re located.
What might a GDPR policy look like?
Considering the EU has an 85-page law on the books that regulates textile names and labeling, you can probably guess that the far more complicated matters covered by GDPR have resulted in a very long piece of legislation.
Takeaways from the GDPR include:
- Right to access: Individuals will have easier access to the data that companies collect and store about them.
- Right to be forgotten: Individuals may have the right to have all their personal data permanently erased.
- Breach notification: If a breach occurs, companies may be required to notify everyone who has had their data compromised.
- Territorial-free jurisdiction: As stated earlier, any company that offers goods and services to, or monitors the behavior of, an EU resident must comply with GDPR.
- Obtaining consent: GDPR doesn’t preclude organizations from gathering data for legitimate reasons, which are listed in Article 6. Consent should be seen as a last resort, and obtained only when none of these reasons are applicable.
5 aspects to consider when preparing for GDPR compliance
1. Access. To address GDPR compliance, you need to prove that you know where personal data is — and where it isn’t. Whether data is stored in traditional data warehouses or Hadoop clusters, whether it’s structured or unstructured data, data at rest or data in motion, you need seamless access to all data sources to evaluate your privacy risk exposure and enforce enterprise-wide privacy rules.
2. Identify. With access established, the next step is to identify what personal data can be found in all your data sources. Personal data is often buried in semi-structured fields, which means you’ll need to parse these fields in order to extract data. Considering the sheer volume, the process of classifying and cataloging data can’t be manual. Tools that automate the process through pattern recognition, data quality rules, and standardization are essential.
3. Govern. GDPR privacy rules must be documented and shared across all lines of business, including Human Resources and Customer Relationship Management. To achieve this, roles and definitions must be established in a governance model that ensures personal data can only be accessed by those with proper rights based on the nature of the personal data, the rights associated with user groups, and the usage context.
4. Protect. Once the personal data inventory and governance model are established, it’s time to set up the correct level of protection for the data. For GDPR compliance, you can use three techniques to protect data: encryption, pseudonymization, and anonymization. You must apply the appropriate technique based on the user’s rights and the usage context. This must be done without compromising your need for analysis, forecasting, querying and reporting. The easiest way to ensure data privacy is to keep only the data needed for critical business processes and analysis, and delete everything else.
5. Audit. At this point, you’ll want to be in a position where you can produce reports to clearly show regulators:
- What personal data you have across your data landscape and where it’s located.
- That there is a well-managed process for getting consent from individuals who are involved.
- How personal data is used, who uses it and for what purpose.
- That you have the appropriate processes in place to manage things like the right to be forgotten, data breach notifications, and more.
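The Identify, Protect and Audit steps above can be sketched in a few lines. This is an added example, not code from Corra or any platform vendor: it parses semi-structured fields, counts pattern hits per source and field for the audit inventory, and pseudonymizes hits with a keyed hash. The record layout, field names, sample values, the two patterns and the key are all constructed assumptions.

```python
import hashlib
import hmac
import json
import re
from collections import Counter

# Constructed sample rows; source names, field names and values are invented.
RECORDS = [
    {"source": "crm.orders", "fields": {"notes": '{"contact": "anna.berg@example.com", "msg": "call +44 20 7946 0958"}'}},
    {"source": "crm.orders", "fields": {"notes": "gift wrap, no contact details"}},
    {"source": "support.tickets", "fields": {"body": "jan@example.org asked for a refund"}},
]
PATTERNS = {  # assumption: two illustrative patterns, not a complete catalogue
    "email": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "phone": re.compile(r"\+\d[\d ]{7,14}\d"),
}

def leaves(value):
    """Yield string leaves, parsing JSON that is embedded in text fields."""
    if isinstance(value, str):
        try:
            parsed = json.loads(value)
        except ValueError:
            parsed = None
        if isinstance(parsed, (dict, list)):
            yield from leaves(parsed)
        else:
            yield value
    elif isinstance(value, (dict, list)):
        for item in (value.values() if isinstance(value, dict) else value):
            yield from leaves(item)

def inventory(records):
    """Count personal-data hits per (source, field, kind) for the audit report."""
    found = Counter()
    for rec in records:
        for field, raw in rec["fields"].items():
            for text in leaves(raw):
                for kind, pat in PATTERNS.items():
                    found[(rec["source"], field, kind)] += len(pat.findall(text))
    return +found  # unary plus drops entries whose count is zero

def pseudonymize(text, key):
    """Replace each hit with a keyed token; the same value always maps to the same token."""
    def token(kind, match):
        mac = hmac.new(key, match.group().lower().encode(), hashlib.sha256)
        return f"<{kind}:{mac.hexdigest()[:12]}>"
    for kind, pat in PATTERNS.items():
        text = pat.sub(lambda m, k=kind: token(k, m), text)
    return text
```

Because the tokens are deterministic, joins and counts on pseudonymized columns still work for analysis. Keep the key apart from the pseudonymized data, since anyone holding it can recompute tokens for known values and re-link records.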
There’s a lot to consider when it comes to complying with regulations around data privacy and protection.
A whole lot.
Ecommerce platforms such as Shopify, Magento, and SAP Hybris can provide additional resources to learn more about GDPR, but make sure to seek legal advice as quickly as possible. Your lawyers will help you stay up to date and prepare your internal resources as well as possible.
Corra does not purport to provide legal advice regarding data protection legislation or GDPR compliance.
Ecommerce retailers should obtain legal advice regarding compliance with data protection legislation.
Corra is a digital agency creating transformative commerce experiences for fashion, beauty and lifestyle brands. With headquarters in New York, Los Angeles and London, Corra provides strategically led creative and technology solutions to a growing global market.