Vaimo sets out an action plan for B2B e-commerce sites to prepare them before GDPR takes full effect on May 25, 2018. E-commerce managers, take note – it’s not too late to prep your online business today! Ensure that your business will stay afloat during GDPR. We highlight the areas you need to look at within your organisation to make sure you are compliant.
Here’s a shopping list of items you need to get done before GDPR takes effect on May 25th, 2018.
DATA MAPPING EXERCISE
Simply put – you can’t fix what you don’t know is broken. You need to understand what data you have about data subjects, where it came from, what you do with it, who you share it with, and how long you keep it. You can’t possibly be compliant without understanding all of the aforementioned points.
PERFORM AN AUDIT, GAP ANALYSIS
Once you are done with step 1, you need to perform an audit or a gap analysis to understand how far off your business is from being complaint, with respect to data collection and data processing. The two central pillars of GDPR are transparency and accountability. Essentially, transparency means providing the data subjects with all of the right information at the right time and accountability means being able to demonstrate what you’ve done to ensure compliance. To meet these requirements you need to review the type of information you provide to data subjects and the privacy policies and data collection notices on your website. Traditional privacy policies on websites are unlikely to be adequate, as they won’t provide enough information and are not easily readable and understandable for an average person. Ensure that you review policies and procedures dealing with data collection, retention periods, and privacy policies. Examine who you share the data with, and look at how you manage data subject requests. Make sure that you can comply with deletion requests (if required), providing copies of the data and information on processing, correcting errors and providing the information in a portable format.
REVIEW CONTRACTS WITH CLIENTS AND SUPPLIERS
Review the contracts you have in place with existing clients and any suppliers who may be processing your data. Suppliers who process personal data on your behalf will have direct obligations under GDPR, but you need to regulate how they use this data. GDPR stipulates that such processing must be performed under a written agreement and that this agreement must include a number of specific clauses. Data centres are one example of processors – if your client’s data is kept at data centres, you need to make sure you know what’s happening with the data there, whether it’s easily possible to update and retrieve the data, whether it’s backed up, etc.
Look at how data flows through the entire chain in your company in order to ensure that you can meet the transparency requirements. For example, if you transfer data outside of European Union countries, you need to do this in one of the permitted ways and inform your data subjects about that. If you don’t know about this, how can you inform your data subjects?
IMPLEMENT NEW POLICIES AND PROCEDURES
Implement testing to ensure your systems and software are robust and that they do what they’re supposed to do. Provide the right information at the right time, and ensure that you have the correct policies and procedures in place. Also make sure you have policies that deal with incident management – if a security breach occurs, the processor must inform the controller, and the controller must tell authorities and (in some instances) the data subjects. Under current law, there’s no general notification requirements, although they have been adopted by some countries, and in some cases this only applies to public bodies and some regulated industries. As part of the movement towards uniformity, GDPR makes these notification requirements universal.
CONTRACTS BETWEEN CONTROLLERS AND PROCESSORS
The key thing to note is that GDPR requires a written contract between a controller and processor, and it stipulates about 10-12 provisions which must be included. Likewise, written contracts are also required between a processor and sub-processor. Not having a contract creates risk and may result in a fine being levied – the controller is more likely to be at greater risk, but processors may be also be fined for failure to comply with requirements.
TRANSPARENCY AND ACCOUNTABILITY
The fundamentals of data protection law will remain the same; the security requirements are the largely same as they are at the moment, with a greater emphasis on transparency and accountability. Much of what was previously seen as good practice is specifically referenced in the regulations. The basic principles and the lawful basis of processing are also substantially the same. The big issues for companies are that they must be much more transparent, and supply much more information to data subjects. Companies need to show what they are doing to be compliant, and that’s what many firms are missing at the moment. Are you able to demonstrate as of right now, where you got each piece of your customer’s personal data and the written consent from the customer to use it for marketing purposes (for example)?
The fundamentals and processing is not changing drastically, but there will be much more focus on transparency and accountability. For example, a company needs to keep a record of the processing they have carried out. Under current laws, companies don’t necessarily need to do that. Going forward, collecting and processing data will be much more prescriptive. At the moment, the definition for data processing is very wide, fairly vague, and open to interpretation, although it is anticipated that official guidance and regulatory action will clarify this further down the line. In particular, the rules on consent are much tighter under GDPR, making it much more difficult to obtain and rely on.
PORTABILITY OF DATA
Portability of data is also a new factor to consider, best practice around this does not exist yet and like many aspect of GDPR future guidance is eagerly anticipated. In the meantime, the obligation stipulates that companies need to find the best way to do this.
One issue with communicating the requirements of GDPR is that it’s a big topic, and everyone wants to condense it somehow. The actual regulations are about 90 pages long, with 80 different articles. The difficulty with summarising GDPR is ensuring that the meaning isn’t lost in over-simplifying things.
On high-level interpretation, controllers (the business or merchant) have 72 hours to notify authorities about a security breach. However, what the regulation actually states is that they must notify the authorities “without undue delay and, where feasible, not later than 72 hours after having become aware of it.” The 72 hours isn’t necessarily a time limit that allows you to let the clock rundown, or a hard cut-off. There are some exceptions and qualifications around this and if there’s justifiable reasons for taking longer to report the incident, they will be considered. However, whilst there is a knowledge qualification to the requirement to notify, if you didn’t know about the security breach because you weren’t regularly performing security scans, you will probably be in breach of the security requirements and in a bad place from a compliance perspective on those grounds instead. Unfortunately, there’s no official guidance on what “undue delay” and “becoming aware” mean right now.
Another example is that the right to deletion of data is often misunderstood and interpreted as an automatic right available to all data subjects at any time and on demand. However, a data subject is only entitled to request data is deleted if: it is no longer needed for the purpose for which it was collected; the processing was based on consent which has since been withdrawn and there is no other legal basis for processing; the data is being processed unlawfully; the data subject objects to certain types of processing (which includes direct marketing); or the data was collected in relation to information society services provided to children. Even then, this is subject to some exceptions and qualifications, such as compliance with legal obligations and, in some cases, overriding legitimate interests.
For more information on GDPR and how to prepare for it, please visit ICO. Below is a list of 12 steps to take for GDPR compliance:
And here is a data protection self assessment to follow both by the data controllers and data processors.
The information given in this article concerning technical legal or professional subject matter is for guidance only and does not constitute legal or professional advice. Vaimo assumes no responsibility for such information contained in this document and disclaims all liability in respect of such information.