As an eCommerce company, you may have heard about the European Union’s (EU) new regulation, the General Data Protection Regulation (GDPR). It’s a new set of laws aimed at enhancing the protection of EU citizens’ personal data and increasing the obligations of organizations to deal with that data in a transparent and secure way. The GDPR applies not only to EU-based businesses, but also to any business that controls or processes data of EU citizens, which includes CoreCommerce, your hosting platform.
We are working to ensure that our own practices are GDPR-compliant and to help you, our customers, become compliant as well. Between now and May 25, 2018, the GDPR deadline, we are committed to enhancing the platform to make compliance with the GDPR easier. To illustrate how the regulation works, suppose “James” is a contact (or customer) of yours and an EU citizen. He is the “data subject,” and your company (let’s call you eComm Corp.) is the “controller” of his data. If you are a CoreCommerce customer, then we act as the “processor” of James’ data on behalf of eComm Corp. Under the GDPR, data subjects like James receive an enhanced set of rights, while controllers such as eComm Corp. and processors such as CoreCommerce take on an enhanced set of obligations. Another example: rather than automatically signing a user up for a mailing list and later offering an unsubscribe option, companies must now explicitly seek consent ahead of time. The default option when asking users whether they want to subscribe must be “no.”
Here are a few items to think about as you consider the process to comply with GDPR.
• The GDPR has specific rules about letting your contacts specify exactly what they want to receive from you, so don’t send to contacts who don’t want to hear from you, and make sure those who do get to choose what they receive.
• The GDPR requires increased transparency around data collection and processing, including the “right to access” and the “right to data portability,” which mean your contacts can demand a copy of their data in a common format. In other words, your contacts should be able to ask you what they are signed up for and receive an easy-to-understand answer.
• Contacts have the “right to be forgotten” and can request that you delete them from your database.
• The GDPR requires a lawful basis for processing. Thus, you need a legal reason to use a contact’s data, such as consent or legitimate interest.
Some self-assessment questions to consider are:
• What personal data is collected/stored?
• Have we obtained the data fairly?
• Do we have the necessary consents, and were the data subjects informed of the specific purpose for which we’ll use their data? Were we clear and unambiguous about that purpose, and were they informed of their right to withdraw consent at any time?
• Are we ensuring we aren’t holding it for any longer than is necessary, and are we keeping it up to date?
• Are we keeping it safe and secure, using a level of security appropriate to the risk?
CoreCommerce will provide additional instructions (including screenshots of new features in the Admin) as we implement changes to your site to comply with the GDPR.