GDPR: What are the obligations for online merchants? Ecommerce: Best practices for GDPR compliance


On May 25, 2018, the General Data Protection Regulation (GDPR) will enter into force in European Union countries. This article provides an update on the new obligations that will be placed on companies in the collection of personal data. It also offers details on recommended best practices for online merchants who may need additional information on how to conform to these new requirements.

The General Data Protection Regulation concerns all online merchants whose customers live in a European Union country, and who collect any personal data that can be used to identify a person. The GDPR requires that companies act with transparency and inform their customers about how their data will be processed, namely what data is going to be used and stored, and for what purpose. Companies must obtain a customer’s consent for the various ways this information is to be used. For example, a customer may agree to create an account to have their order processed and shipped but may not want this same data used for marketing purposes. The online merchant must ensure that all of the personal data that they have collected is used solely in the way the customer has allowed – and in no other way.

Also, under GDPR, companies will be required to respond to requests from persons whose data is being collected as they now have the right of access to this information for consultation, correction, and removal.

“This new regulation involves changes in the policy and data collection process,” advises Alexandra Gazda, quality director and data protection officer at OSF Digital. “Online retailers will now need to stop using the same data source for all their activities. And if a user asks to exercise their right to be forgotten, they will be forced to delete all of the data related to this individual on all storage locations, including backups.” She continues, “This can be quite technically demanding since data is now saved in many places and it can be quite difficult to delete it from all of the various locations where it has been collected, stored and used.”

The GDPR requires the development of a personal data registry to ensure companies have an overview of the data collected, as well as where it has been stored. For an overview of the best practices for compliance, please consult the list at the end of this article.

Strengthening data security

To ensure that those who work with data are held accountable, namely the companies that control and organize data collection, the GDPR requires them to strengthen their security policies. Stored data must now be subject to strong constraints, such as strict management of authorizations, the ability to trace who has accessed it, network security, and control over any exchanges undertaken with third parties. This obligation also applies to any subcontractors you work with that may have access to this information. For this reason, it is recommended that companies clearly define these security obligations contractually between each of the parties involved. Online merchants will be held responsible if the necessary precautions have not been taken by a subcontractor, even if it is the subcontractor who is at fault.

“OSF has already defined a plan for the implementation of the GDPR. We are also working on the creation of adapted templates and the implementation of data security, encryption, and other solutions. We plan to develop other services for managing consent,” says Alexandra Gazda.

Seven best practices to ensure GDPR compliance

  1. Identify all stored personal data that belongs to citizens of the European Union, where it’s stored in your systems, and the process by which this data is transferred within and outside of the EU. It is strongly recommended to keep a record of this data. This record must contain information such as:
    • the type of data being stored,
    • the location where it’s being kept,
    • information on who owns this data,
    • its legal retention period,
    • the purpose(s) this data will be used for,
    • whether this data has been, or will be, transferred to a third party,
    • the security measures that will be used by the various parties who have access to this information.
  2. Determine all of the various third parties who can access and handle your customers’ personal data. Enforce their compliance with the GDPR by signing a contract that specifies how they will process and transfer this data.
  3. Based on the results you’ve obtained in points 1 and 2, begin to design a compliance plan.
  4. Update your company’s security and confidentiality policy based on the items listed above. Be sure to take into account any subcontractors you work with and how they relate to these new requirements.
  5. Be certain to obtain your customer’s consent for each way in which you will be using their personal data.
  6. If consent has not been obtained, the customer’s data must be deleted. This doesn’t apply to any information that has been captured and stored for legal purposes such as billing information, including a customer’s bank account number. It’s important to ensure storage facilities are secure to prevent any data leaks or security breaches.
  7. Create legal documents to identify and record the conditions for the transfer and processing of data by third parties, including any transfer of data to a country outside of the EU.