A source of concern for many businesses and e-tailers, the GDPR came into force on 25 May 2018.
If you handle online payments or process the data of EU residents for commercial or marketing purposes, your organisation is concerned!
To put an end to your worries, we help you see more clearly by setting out the GDPR best practices you need in order to comply.
But first, let’s start with the basics: what is the GDPR?
GDPR: definition
Established by the EU Council in April 2016, the General Data Protection Regulation (GDPR) is the European Union’s new data privacy law.
Its entry into force took place on 25 May 2018, when it replaced the old EU Directive on the protection of personal data dating from 1995.
The GDPR is an 88-page text that sets out the rules that organisations processing data must follow in terms of collection, storage, use, protection and security.
Its stated aim is to extend the rights of European citizens with regard to their personal data, by strengthening their protection and giving them the means to manage the way it is used by companies.
Specifically, the GDPR gives individuals the right to access, correct and delete their data, and to restrict its processing.
GDPR: who is concerned?
It is legitimate to ask yourself: who does the GDPR apply to? To answer this question, here are three things you should know.
1 – Business activities in the EU
Even if your company is not based in the European Union but you do business there, you need to comply with the GDPR.
This new regulation concerns all companies in the European Union, but also all those who sell products or services to European residents.
2 – Data processing activities
You are concerned by the GDPR as soon as you collect and/or process personal data.
What data is affected by the GDPR? Any customer information that identifies an individual. Photos, posts on social networks, IP addresses, bank details and all identification numbers such as the NIR (the French social security number): the GDPR applies to all marketing, sales, advertising, HR and accounting databases.
In short, if you use your customers’ data for purposes other than simply filling orders, then you are particularly concerned!
Don’t worry, you are not alone in this. The GDPR does not only apply to e-commerce owners, associations and other organisations: tools, software, CMSs and social networks such as Google, Facebook, MailChimp or Shopify, to name but a few, are also concerned and must comply.
3 – VSEs, SMEs, associations, major accounts… all in the same boat
The GDPR affects private AND public companies of any size or sector.
It doesn’t matter if you have one employee or 10,000: as long as you manage data on European citizens, the GDPR applies. However, small e-tailers and VSEs do not have to meet the same requirements as a large company or an e-commerce giant.
A company in the health sector, which manages medical data considered “sensitive”, will not have the same requirements as a company selling beauty products.
However, many of the requirements of the GDPR apply to all businesses.
GDPR: best practices for compliance
[Editor’s note: our best recommendation is to consult a specialist GDPR agency to help you get compliant]
Obtaining client consent
“Consent should be given by a clear positive act by which the data subject freely, specifically, knowledgeably and unambiguously expresses his or her agreement to the processing of personal data concerning him or her.”
The GDPR requires organisations to be clear in how they obtain customer consent. In other words, an individual’s consent to hand over their data must be explicitly given.
In this sense, previously checked boxes are not a valid indication of consent.
Data subjects must also be able to withdraw their consent easily. In this case, they must also be able to request the deletion of their data.
Good practices for obtaining client consent:
- Perform a complete audit of your current forms and privacy notices across your entire e-commerce site. In particular, make sure they are easy to understand. Also check that the mandatory information is mentioned.
- Check to see if additional consents will be required.
- Disable any default opt-ins you have in place.
- Ensure that separate consents are in place for separate data processing activities.
- Allow customers to easily withdraw their consent and exercise their right to be forgotten, for example by allowing them to easily delete their account and erase their data. Rather than an online deletion process, you can redirect your customers to your customer service department, as Amazon does.
Allow access to data
“Arrangements should be made to facilitate the data subject […] to request and, where appropriate, obtain without charge, access to and rectification or erasure of personal data and the exercise of a right of objection.”
The GDPR gives affected individuals the right to simple access to any information held on them and to obtain a copy of that data within one month.
This means that you need to store the data you hold in a way that lets it be retrieved quickly.
Best practices for granting access to data:
- Collect only the data you actually need, which also makes your job easier. For example, if you have no business or marketing interest in asking a client what company they work for, then don’t.
- Gather all the data you hold in one place and make sure you can retrieve it in a structured, readable and downloadable format so you can send it easily.
- Make sure you are in control of the information you hold, by carrying out a full mapping of your data and recording it in a data processing register. The CNIL provides you with model registers to download here: cnil.fr/cartographing-your-personal-data-processing.
- Set up a contact form so that people can request access to their data if they wish.
- Be able to respond to potential data access requests, for example by drafting a standard email template.
Implementation of confidentiality
“Personal data should be processed in a way that ensures appropriate security and confidentiality.”
As a company or e-commerce business, you collect sensitive information: credit card numbers, location, e-mail addresses…
Since the GDPR came into force, you need to be explicit about what happens to that data. Where does it go? Who uses it? Who is responsible for storing and processing it?
You must prove that data security is ensured by all departments of your company: marketing, IT, communication, etc.
Good privacy practices:
- Share information internally about security processes to ensure your team and supply chain are comfortable and compliant with the GDPR.
- Include a confidentiality clause in your contracts with your subcontractors. To help you, the CNIL provides you with several examples of clauses.
- Appoint a DPO (Data Protection Officer), if you are one of the companies that are obliged to do so (public body, organisation with large-scale surveillance activities and organisation processing so-called “sensitive” data).
- Take the necessary security measures by implementing the basic precautions gathered by the CNIL in this guide.
Also find out how to protect your business and e-commerce from a cyber attack
Data transparency
“The principle of transparency requires that any information and communication relating to the processing of such personal data be easily accessible, easy to understand, and formulated in clear and simple terms.”
The GDPR emphasizes data transparency.
You must therefore ensure that the information you provide is clear and easily understandable, and that individuals can easily assert their rights in relation to their personal data.
Good practices for data transparency:
- Provide “information notices” informing individuals of the purpose of the various data collected. To help you, the CNIL offers a generator of information notices for different sectors of activity (marketing, banking and insurance, health, real estate, etc.).
- In the context of an e-commerce business, be very clear about how you will use the data you collect, both in your terms and conditions and in your privacy policy.
- Link your general terms and conditions (GTC), as well as your privacy policy, in the footer of your website.
See also our article on tips for drafting your GTCs
- If you have “Third Party Use of Data” checkboxes on your website, specifically list the “third parties” who may have access to the data.
- If you have certified or verified processes, don’t hesitate to mention them on your e-commerce site, as Zalando does.
Data breach notification
“As soon as the controller becomes aware that a personal data breach has occurred, it should notify the supervisory authority as soon as possible.”
With the GDPR, you are required to report any data breach to the CNIL within 72 hours of discovering it, and to be able to demonstrate your data security and privacy procedures very quickly.
The data subject must also be notified if the breach would result in a high risk to his or her rights and freedoms.
Best practices for data breach notification:
- Make sure you have procedures in place in the event of a data breach.
GDPR: what sanctions if you do not comply?
Any company found to be in breach of the new GDPR guidelines can face an administrative fine of up to 4% of annual worldwide turnover or €20 million – whichever is higher. But it would take a serious breach of the rules for such a financial penalty to be imposed; this type of fine will therefore be a last resort.
However, this does not mean that there are no repercussions for non-compliance with the GDPR. Through public reminders and warnings, regulators will require non-compliant organisations to take the necessary steps to become compliant.
Also consider the reputational damage that could result from a data breach. In addition, data subjects have the right to take legal action and claim compensation in the event of a data breach.
In conclusion, use the GDPR as a guide on how you should collect, manage and store your customers’ personal data! Beyond the workload that compliance may entail, consider the opportunity it presents to give your customers greater confidence and a better shopping experience.
To go further, you can consult these GDPR resources:
- CNIL guide to preparing for the GDPR: www.cnil.fr/fr/principes-cles/rgpd-se-preparer-en-6-etapes.
- PDF of the official GDPR text.
- Video by the YouTuber Cookie, made in collaboration with the CNIL, answering questions about the arrival of the GDPR.