The General Data Protection Regulation (GDPR) applies to any online merchant that processes the personal data of people in the European Union, wherever the merchant itself is based; personal data means any information that identifies a person or that can be combined with other data to identify one. The GDPR requires companies to act transparently and to inform their customers how their data will be processed: which data is collected and stored, and for what purpose. Each purpose needs its own lawful basis, and where that basis is the customer's consent, consent must be obtained separately for each purpose rather than bundled. For example, a customer may accept that an account is created so that an order can be processed and shipped, yet refuse to have the same data used for marketing. The online merchant must ensure that all of the personal data it has collected is used only in the ways the customer has allowed, and in no other way.
Companies must also respond to requests from the people whose data they hold, who have the right to access that data and to have it corrected or erased; under the GDPR such requests must normally be answered within one month.
“This new regulation involves changes in the policy and data collection process,” advises Alexandra Gazda, quality director and data protection officer at OSF Digital. “Online retailers will now need to stop using the same data source for all their activities. And if a user asks to exercise their right to be forgotten, they will be forced to delete all of the data related to this individual on all storage locations, including backups.” She continues, “This can be quite technically demanding since data is now saved in many places and it can be quite difficult to delete it from all of the various locations where it has been collected, stored and used.”
The GDPR also requires companies to keep a record of their processing activities, a personal data registry that gives an overview of which data is collected, why, and where it is stored. For an overview of best practices for compliance, please consult the list at the end of this article.
To hold those who work with data accountable, the GDPR distinguishes controllers, the companies that decide why and how personal data is collected, from the processors that handle it on their behalf, and obliges both to strengthen their security measures. Stored data must be subject to strong controls: strict management of access rights, the ability to trace who accessed what and when, network security, and control over any exchange of data with third parties. These obligations extend to any subcontractor that has access to the information, so the security obligations of each party should be set out contractually; the GDPR in fact requires a written contract between a controller and its processors. The online merchant, as controller, remains responsible if a subcontractor has not taken the necessary precautions, even when the subcontractor is the one at fault.
"OSF has already defined a plan for the implementation of the GDPR. We are also working on the creation of adapted templates and the implementation of data security, encryption, and other solutions. We plan to develop other services for managing consent," says Alexandra Gazda.