Observance of personal data protection laws and regulations is getting increasingly important for companies working in the EU or serving customers in the European Economic Area (EEA). Read on to learn how your company can effectively maintain a GDPR requirements list and adapt its websites to strictly conform to them in the least intrusive and most cost-efficient manner.
Before we delve into the nuances of preparing your organization for GDPR compliance, let’s take a look at the history of the GDPR and get acquainted with its scope of application.
The GDPR (General Data Protection Regulation) is a comprehensive collection of data security rules and recommendations that regulate the gathering, processing, storing, and transferring of the personal data of EU citizens. Enacted on May 25, 2018, GDPR is currently one of the most elaborate legal frameworks in the digital world that is being constantly updated to reflect the ever-changing reality of doing business and building communities online.
The original purpose of GDPR was the alignment and unification of national legislations pertaining to online security and identity protection. Today, GRPR has largely replaced legacy national laws and is serving as a single source of truth for all organizations and online businesses operating in the European Union.
GDPR is constantly evolving to cover a wider scope of data handling scenarios and technologies involved. For example, European governments, regulators, and representatives of the business community are working hard to reach consensus over the interplay of established GDPR principles and AI-powered automated data processing systems.
The very fact that the GDPR received a lot of public interest and is being actively refined and elaborated — based on both the outcomes of international discussions and the fusion of political opinions — is a testimony to its Pan-European importance and the attention that state regulators pay to its effective implementation and global observance.
Websites differ greatly in the way they capture and store their visitors’ and members’ personal data. Some require just basic details, while others capture an array of sensitive data that are later used for customizing the user experience. As a result, popular eCommerce platforms happen to know a lot about us — consumers of their products and services.
Online stores are known to use this data for a number of purposes:
The GDPR aims to set simple, industry-agnostic and unambiguous rules regarding the ways in which every data subject (read: us) can explicitly give consent for providing such information and request for such information to be deleted from respective websites.
On the service providers’ end, the regulation dictates how this data is collected and used, including its transfer to authorized third-party recipients, and controls the extent to which eCommerce companies must update their systems to ensure data security and prevent invasive data tracking.
Now that we have learned why GDPR compliance matters are extremely relevant for EU companies, do they only apply to EU companies? Not exactly.
Although the GDPR in and of itself is a European law, the data protection policies set forth in it equally apply to all foreign legal entities serving European consumers and the data they capture, process and store within the territory of the EU/EEA.
In simple terms, the GDPR has no effect on EU citizens residing abroad, but does apply to foreign residents whose data is being collected in the EU. For example, an international US-based eCommerce platform would be subject to GDPR regulations in the EU and would have to take measures to enforce compliance in this regard.
Not really. The only difference between typical websites and eCommerce websites is that the latter tend to collect a lot more sensitive personal information and share it with third parties for identity verification, payment, delivery, and other purposes.
It goes without saying that online businesses were not exactly happy when the GDPR was released, as it called for a fairly serious revision of their data processing and data protection policies, as well as rebuilding their data processing mechanisms.
However, all things considered, it was a small price to pay for their peace of mind. Any serious GDPR compliance audit ending with a negative summary could result in extremely heavy fines being imposed on a breaching party — if you were to be found guilty of of mishandling users’ data or neglecting GDPR requirements, you could be facing fines up to 4% of your annual global turnover or €20 million (whichever is higher).
Check out a few examples of online services that ignored the regulations or were a tad too late with their compliance efforts:
Amazon: in July 2021, the global eCommerce giant was fined $888 million by the Luxembourg National Commission for Data Protection (CNPD).
H&M: in 2020, the Swedish clothing retailer paid over $41 million for illegally obtaining sensitive personal data of its own employees at its Nuremberg office. This information was shared with over 50 top managers and ranged from health-related posts and notes to recent travel destinations and even religious beliefs.
British Airways: in 2020, the airline was fined $26 million by supervisory authorities (ICO) for failing to provide adequate means of protection for its users’ personal data — a breach that affected over 400,000 customers.
As we can see, turning the blind eye to GDPR regulations can cause massive damage even to the most financially sound companies on the market.
Although the general concept of the GDPR may appear confusing and hard to understand for someone who has never dealt with compliance matters (after all, the document alone is almost 100 pages long and contains over 50,000 words), the enablement of GDPR compliance requires just a few high-level process changes:
Note that the GDPR does not differentiate between the methods of obtaining personal information, which means that a log file on a server, a database record, a voice recording, and a paper printout are all treated exactly the same way in terms of GDPR applicability.
The scope of collected data may be very diverse and include the following:
Now that we know what the GDPR is in general terms, let’s proceed to the practical aspects of its implementation in your own organization.
Whether you are just preparing to enter the EU market or looking to close some gaps in your GDPR compliance, the most important thing you should keep in mind is that the General Data Protection Regulation is a lot more about processes, guidelines and principles than it is about technology or software development.
Apparently, if you used to keep some sensitive data in an unencrypted form or passed it around without limitations and with no measures of precaution, you may be facing a great risk of data breaches and major compliance issues.
However, if the practices of handling data in your organization were generally in line with GDPR requirements and common sense, you will only need to make a series of tweaks across your website(s) to be officially GDPR compliant.
In order to help you wrap your head around the practical aspects of the GDPR, we put together this brief GDPR compliance checklist. Although it does not address every single, minute aspect of preparing a company for end-to-end GDPR compliance, it can and should be used as a high-level record of the most important things that the company must concentrate on.
As with any other compliance project, the key to success here lies in defining rules and policies, and following them to a T not once, but regularly.
The GDPR rests on seven fundamental principles briefly described in the table below:
|Lawfulness, fairness and transparency||This principle addresses the question “why do you need this information?” You cannot be collecting data from customers just for the sake of having it for potential future use. There must be a legitimate reason for you to have it and your declared intentions must match your actions. At the same time, your customers must be able to see where this data is actually used.|
|Purpose limitation||Largely overlapping with the previous principle, this one states that the processing of personal data must be “specified, explicit and legitimate.” In plain English, it means that you can only use data for the intended purpose and nothing else.|
|Data minimization||Only collect data that you really need to fulfill a particular task. If you only need an email address to send a weekly email, all you need is an email address, not the person’s phone number. In case of data breaches, this principle helps minimize their impact.|
|Accuracy||This principle highlights the importance of maintaining sensitive data in an up-to-date state and regularly “trimming” it to remove/update obsolete entries. The previous data minimization principle applies here as well.|
|Storage limitation||Implement the maximum duration of storing personal data to avoid the “archiving effect”. You don’t need data that is likely to be obsolete in 5 years, so make sure every data category has an “expiration date.”|
|Integrity and confidentiality||Any GDPR-compliant data processor has a legal obligation to protect users’ data from unauthorized access, modification, damage, and theft. Therefore, every eCommerce business must update their data processing pipelines with corresponding security mechanisms at every level.|
|Accountability||You can say that you have GDPR compliance procedures and data protection measures in place, but have none of that implemented in reality (or implemented only in part). The accountability principle dictates the need for a data protection officer with company-wide authority and 24/7 readiness for any compliance audit.|
As you can see, compliance with these principles does not involve rocket science — it all boils down to processing data securely, storing just the required minimum amount of customer data, keeping it clean and tidy, restricting the number of data recipients, and, most importantly, getting explicit consent from all data subjects that you are going to transact with.
Here are the things that you need to do first and foremost while working on your GDPR compliance:
The very first step on your agenda should be a complete audit of what you have in terms of personal data collection and processing. Identify what is captured (and whether you need this data altogether), where it is stored and how, where it goes and how often it is used. In other words, create a data map to identify any security weaknesses/flaws.
Paraphrasing the famous marketing motto, consent is king. GDPR dictates that any manipulations with personal data must be preceded by explicit customer consent. Every step involving user data acquisition (forms, checkboxes, pop-ups) must contain a disclaimer and options to accept or reject data sharing.
According to the GDPR, data subjects (a.k.a just people sharing their personal data with a website), must be provided with tools or methods for obtaining copies of said data and for requesting its complete removal. In addition, copies of personal data must meet data portability requirements — that is, be provided in a structured, machine-readable form.
According to Article 6, the GDPR requires that not only you be compliant, but all of your technology partners and third party recipients capable of processing your customers’ data in any form. Make sure to include them in your security audit and regular compliance checks.
The concept is simple: The fewer people have access to personal data, the better. Make personal data access a privilege granted on a need-to-know basis only. Conduct internal employee training to explain the importance of data security and the risks of unjustified personal data processing or even use for marketing purposes, for example.
GDPR compliance strictly requires the presence of a dedicated Data Protection Officer accountable for maintaining the GDPR compliance checklist, monitoring data controllers, keeping legal documents in order, and ensuring adherence to the secure principles of processing personal data.
Once compliant, you should stay so permanently. In order to achieve this goal, you need to make sure that every new eCommerce site you unveil or every new major feature that goes public is GDPR-compliant “out of the box.”
Make sure that your software development guidelines and processes are adjusted to initially address the questions of data portability, restricted data collection and secure data storage, encryption, GDPR-compliant integrations and data transfer, and so on. UI/UX guidelines must be transformed to include consent forms and disclaimers that are placed in corresponding locations throughout the website and key user flows.
Whenever a business decision is made to use sensitive data on a large scale for any purpose, the GDPR requires that a data protection impact assessment be conducted to gauge the impact of such actions from the perspective of a “high risk to rights and freedoms.” In general, however, a variation of such an assessment must be conducted before processing the data of any data subject.
In the unfortunate event of a data breach, there must be a clear, step-by-step risk mitigation procedure in place that will address the ramifications of the incident:
Although the GDPR may initially appear intimidating, it is not something that online services can’t handle. From the implementation perspective, it’s more of a business mindset adjustment than a major development effort, and the benefits of GDPR compliance clearly outweigh the seeming complexity of its implementation.
All you need to become compliant is the determination to work in the European market and a good GDPR compliance checklist to keep on your desktop. Once done, you will only need to make minor changes as the GDPR gets updated in the future to remain fully aligned with this important piece of European legislation.