EBusiness and GDPR – What Should You Know About This Regulation?
The General Data Protection Regulation or the General Data Protection Regulation (GDPR) will come into force on May 25th of this year. It is a large-scale set of data privacy laws adopted by the European Union, but it can also have an impact on non-EU countries.
GDPR gives users more rights to their personal data and describes very widely what data is considered personal. The Regulation gives users the right to access, correct, delete and limit the processing and processing of their data. GDPR also sets strict guidelines on how consent from your customers should be obtained in order to use their data. This is especially important if you use customer data not only to fill orders but also, for example, advertising or marketing.
In addition, the regulation states that it is your responsibility, as entrepreneurs, to protect those data and to ensure that customers enjoy all the rights they currently hold.
If a customer from the EU write to you by email and ask you to delete his order history from your store, you will need to be able to do this
GDPR is likely to affect you, even if you are not in the European Union
Do not be fooled – despite the fact that the regulation is linked to the European Union, it will affect businesses around the world. What is the reason? GDPR is designed to protect EU personal data and therefore applies to any organization that processes EU-oriented data, no matter where the organization is.
So, if your company touches at least one European Union personal data, you are responsible for proper data protection.
What is considered to be personal data?
‘Personal data’ is a very broad term, so the regulation is subject to any information that may be used to identify a person in any way, even indirectly. This includes names, email addresses, photos, ID numbers, and financial information. For example, if a customer can create an account in your store or if a customer needs to enter his / her email to place an order. This is considered as personal data.
In addition, information that does not identify a particular person, such as IP address or web cookies, is also considered as personal data.GDPR rules include even if something is remotely related to “physical, psychological, genetic, mental, economic, cultural or social identity” – the regulation says.
For example, companies can only store or process data when the person concerned explicitly allows it, but GDPR additionally sets a solid data retention period. In addition, the law requires companies to delete personal data on demand within 72 hours after the violation has been discovered and to report any data breaches to both public authorities and affected parties. Read more about what personal data is considered personal here.
What should I do before May 25th?
Some points you should think about preparing for the GDPR:
- Do I need to update my privacy policy or change the information you provide to your customers?
- If you use third-party applications or themes in your store, do they match GDPR?
- Do you need to start documented data protection impact assessments?
- Do you need to obtain customer consent for data processing and do you need to change the way your consent is received to meet the terms of the DAR?
- Will you be able to comply with the rights granted to customers and consumers, including access, correction, deletion and export of data?
You may have noticed that we have asked questions that you should ask yourself, not the exact steps. This is because every business is different and you may need to prepare more (or less) for the regulation to come into force than for other e-business owners. You may decide that it is right to consult a lawyer if you are not sure how GDPR will affect your business.
„Magento“ and GDPRBecause Magento Marketplace extensions are created by third parties, you must evaluate all extensions associated with your account. „Magento Marketplace“ extensions can store personal data in other locations than „Magento’s“ main e-commerce platform. Some extensions can send data to external service spheres. It is your responsibility to know the policies and behaviors for using the selected extensions data.
May 25th is fast approaching! Read more about the General Data Protection Regulation at the European Commission website.
The article is written based on „GDPR: What You (And Your Store) Need to Know About This New Data Protection Law“
Interested? Let's discuss your project
Call us or write us an email and we will arrange a meeting, during which we will discuss your project and our ideas for you.