What do you need to know about GDPR?

Mike Sole

Privacy has always been a hot issue, but in the last 10 years it has become explosive. Every year seems to bring with it an incident that ignites a powder keg of controversy, from how Google collects and uses your personal information to revelations of how the National Security Administration (NSA) mines phone records of U.S. citizens, to the most recent uproar over Facebook and Cambridge Analytica.

Though it’s usually titans like Google and the social media giants who eat up the news coverage, every company with a website that collects customer data needs to consider the legal and ethical questions of what to do (or not do) with the data.

This is especially true for online retailers and, soon, the landscape is going to radically change. With offices in London and clients all around the world, Corra has operations within EU jurisdiction and understands the challenges of adjusting to the new regulations. We’ve compiled an introduction to help you clear things up and learn more about the steps you may need to take towards compliance.

A brief introduction to GDPR

If you were on an elevator with a stranger wearing a shirt that read “Ask me about GDPR” and you took them up on the offer, they might say something like this: GDPR is a set of regulations that gives individuals in the EU more control over their personal data. It includes provisions to strengthen data privacy and protection against third-party attacks, and it makes any organization that collects or uses personal data more accountable for how it stores, handles and uses that data.

For the sake of clarification, Article 4 of the GDPR defines “personal data” as any information relating to an identified or identifiable natural person.

Interesting, but…

Does a U.S. company need to know about GDPR?

Many Americans don’t know that across the ocean, the European Union is about to enact one of the most far-reaching regulations on data protection and privacy. The General Data Protection Regulation (GDPR) will go into effect on May 25, and it won’t only affect EU-based companies.

You know that global economy everyone keeps talking about? Well, let’s just say it’s largely responsible for why many firms located outside of the EU will have to abide by the GDPR regulations.

The reason is that the GDPR provisions apply to all EU residents, meaning that any firm that does business in the EU or that handles data from EU residents must comply with GDPR.

This includes numerous U.S.-based retailers with a foot in the European market.

For the sake of streamlining operations, and to avoid maintaining two different systems (one that is GDPR compliant and one that isn’t), many retailers will apply GDPR regulations to all customers, regardless of where they’re located.

What might a GDPR policy look like?

Considering the EU has an 85-page law on the books that regulates textile names and labeling, you can probably guess that the far more complicated matters covered by GDPR have resulted in a very long piece of legislation.

Takeaways from the GDPR include:

  • Right to access: Individuals will have easier access to the data that companies collect and store about them.
  • Right to be forgotten: Individuals may have the right to have all their personal data permanently erased.
  • Breach notification: If a breach occurs, companies may be required to notify everyone who has had their data compromised.
  • Territorial-free jurisdiction: As stated earlier, any company that offers goods and services to, or monitors the behavior of, an EU resident must comply with GDPR.
  • Obtaining consent: GDPR doesn’t preclude organizations from gathering data for legitimate reasons, which are listed in Article 6. Consent should be seen as a last resort, and obtained only when none of these reasons are applicable.

5 aspects to consider when preparing for GDPR compliance

1. Access. To address GDPR compliance, you need to prove that you know where personal data is — and where it isn’t. Whether data is stored in traditional data warehouses or Hadoop clusters, whether it’s structured or unstructured data, data at rest or data in motion, you need seamless access to all data sources to evaluate your privacy risk exposure and enforce enterprise-wide privacy rules.

2. Identify. With access established, the next step is to identify what personal data can be found in all your data sources. Personal data is often buried in semi-structured fields, which means you’ll need to parse these fields in order to extract data. Considering the sheer volume, the process of classifying and cataloging data can’t be manual. Tools that automate the process through pattern recognition, data quality rules, and standardization are essential.

3. Govern. GDPR privacy rules must be documented and shared across all lines of business, including Human Resources and Customer Relationship Management. To achieve this, roles and definitions must be established in a governance model that ensures personal data can only be accessed by those with proper rights based on the nature of the personal data, the rights associated with user groups, and the usage context.

4. Protect. Once the personal data inventory and governance model are established, it’s time to set up the correct level of protection for the data. For GDPR compliance, you can use three techniques to protect data: encryption, pseudonymization, and anonymization. You must apply the appropriate technique based on the user’s rights and the usage context. This must be done without compromising your need for analysis, forecasting, querying and reporting. The easiest way to ensure data privacy is to keep only the data needed for critical business processes and analysis, and delete everything else.

5. Audit. At this point, you’ll want to be in a position where you can produce reports to clearly show regulators:

  • What personal data you have across your data landscape and where it’s located.
  • There is a well-managed process for getting consent from individuals who are involved.
  • How personal data is used, who uses it and for what purpose.
  • You have the appropriate processes in place to manage things like the right to be forgotten, data breach notifications, and more.
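The five steps above can be exercised on a small scale in code. What follows is an added example written for this article; it is not code from the author or from Corra. It uses constructed sample order records (not real data) in which personal data hides inside a free-text “notes” field, applies pattern rules to identify it (step 2), chooses pseudonymization or anonymization depending on the usage context (step 4), trims records to the fields a process actually needs, and produces the field-by-category inventory a regulator would ask for (step 5). The regular expressions, the `purpose` labels and the HMAC key are all assumptions for the demonstration; a real deployment keeps the key in a secret store, separate from the data it pseudonymizes.

```python
import hashlib
import hmac
import re
from collections import Counter

# Constructed sample records: a column-level inventory would see only
# "email", but the "notes" field carries phone numbers and a second address.
RECORDS = [
    {"order_id": 1001, "email": "anna.k@example.org", "country": "DE",
     "notes": "Customer called from +49 30 1234567 about delivery"},
    {"order_id": 1002, "email": "j.doe@example.com", "country": "US",
     "notes": "Gift, no phone on file"},
    {"order_id": 1003, "email": "n/a", "country": "FR",
     "notes": "Reach at pierre.l@example.fr or 06 12 34 56 78"},
]

# Placeholder key for the demo only; in production it lives in a secret store.
KEY = b"constructed-demo-key-not-for-production"

# Step 2 (identify): pattern rules for personal data inside free text.
PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "phone": re.compile(r"\+?\d[\d ]{7,}\d"),
}


def find_personal_data(record):
    """Return {field: {category: [matches]}} for every string field of one record."""
    hits = {}
    for field, value in record.items():
        if not isinstance(value, str):
            continue
        for category, rx in PATTERNS.items():
            found = rx.findall(value)
            if found:
                hits.setdefault(field, {})[category] = found
    return hits


def pseudonymize(value, key):
    """Keyed hash (HMAC-SHA256). Stable per key, so records can still be
    joined per customer, but whoever holds the key can re-identify: under
    GDPR the result is still personal data."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]


def anonymize(text):
    """Strip every match outright; nothing in the output links back."""
    for category, rx in PATTERNS.items():
        text = rx.sub(f"<{category} removed>", text)
    return text


def protect_record(record, key, purpose):
    """Step 4 (protect): pick the technique from the usage context."""
    out = dict(record)
    for field, categories in find_personal_data(record).items():
        if purpose == "analytics":
            # Internal analysis needs to count repeat customers: pseudonymize.
            value = record[field]
            for matches in categories.values():
                for m in matches:
                    value = value.replace(m, pseudonymize(m, key))
            out[field] = value
        else:
            # Anything leaving the business (exports, partners): anonymize.
            out[field] = anonymize(record[field])
    return out


def minimize(record, keep):
    """Data minimisation: keep only the fields a process actually needs."""
    return {k: v for k, v in record.items() if k in keep}


def inventory(records):
    """Step 5 (audit): how many records hold each (field, category) pair."""
    counts = Counter()
    for record in records:
        for field, categories in find_personal_data(record).items():
            for category in categories:
                counts[(field, category)] += 1
    return dict(counts)


if __name__ == "__main__":
    for (field, category), n in sorted(inventory(RECORDS).items()):
        print(f"{field:8s} {category:6s} in {n} record(s)")
    print(protect_record(RECORDS[0], KEY, "analytics"))
    print(protect_record(RECORDS[0], KEY, "export"))
    print(minimize(RECORDS[0], {"order_id", "country"}))
```

The inventory shows the gap the text warns about: the structured `email` column accounts for two records, but two more phone numbers and an extra email address sit in `notes`, which a schema-only review would never list. Pseudonymized output is deterministic for a given key, which is what makes it useful for analytics and also what keeps it inside the scope of GDPR; the anonymized form is the one to use when data leaves your control.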

There’s a lot to consider when it comes to complying with regulations around data privacy and protection.

A whole lot.

Ecommerce platforms such as Shopify, Magento, and SAP Hybris can provide additional resources to learn more about GDPR, but make sure to seek legal advice as quickly as possible. Your lawyers will help you stay up to date and prepare your internal resources as well as possible.

Corra does not purport to provide legal advice regarding data protection legislation or GDPR compliance.
Ecommerce retailers should obtain legal advice regarding compliance with data protection legislation.

Mike Sole

Mike Sole is Director of Support at Corra. Mike has 30 years of IT experience, and has worked with companies such as Xerox and Times Mirror. He also has over 8 years of experience in Agile development and has implemented the Agile methodology that Corra utilizes in the TotalCare program.

Corra, a Publicis Sapient company, is the global commerce leader and SI helping brands and organizations grow by evaluating, building, and optimizing their digital commerce ecosystems. Our vast experience with composable and headless implementations speeds time-to-value and provides technical freedom to our clients. Our TotalCare managed services program provides gold-standard support, enhancements and ongoing commerce strategy. We are strategic thinkers, accomplished engineers, and award-winning experience designers. We believe outstanding customer experiences can’t exist without flawless technology, and that flawless technology is pointless without beautiful, human-centered design. Our clients are an integral part of our team. Together, we remove the obstacles that are limiting growth and discover new opportunities. We don’t rest until our clients achieve their full potential. Our clients’ KPIs are our KPIs. We have 20 years of experience in commerce technology, but we also know that customer expectations are constantly evolving. For this reason, we’ve built future-proof solutions and refined an agile execution process that helps our clients achieve more with less. As a Publicis Sapient company, Corra joins a global network spanning 20,000 people with 53 offices around the world enabling us to accelerate our clients’ businesses through designing and building the experiences and services their customers demand.
