In May 2018, the General Data Protection Regulation (GDPR) comes into force.
What is GDPR?
GDPR is a European law intended to protect personal data. It concerns itself with how businesses and organisations request, record, store, and process personal data.
The GDPR places more obligations on companies that process personal data, while granting more rights to their data subjects (that is, the individuals whose data they are processing).
Under the new legislation, data subjects have more control over how their personal data may be processed, and to whom it may be disclosed.
The GDPR exists to unify data protection legislation (which varies from country to country) across Europe. This will make things easier in matters of cybersecurity and prosecution for online offences.
Who needs to comply?
The GDPR applies to any company that controls or processes personal data. Personal data is defined as any data from which an individual can be identified, or by which they are identifiable.
If you run an eCommerce site, you receive many pieces of your customers’ personal data, including names, addresses, and bank or credit card details.
As such, you will need to update your Data Protection policy to cover the GDPR.
How will GDPR affect my company?
Data subjects must be informed about what happens with their personal data, and their consent must be recorded.
Data subjects have the right to be forgotten. If you keep data on an individual, you are obliged to delete it upon their request.
At the start of any new project, you must consider how you will protect personal data before processing it.
If you offer several options with your product or service, you must ensure that the most privacy-friendly option (for instance, a newsletter checkbox is left unchecked, rather than checked) is set by default.
If your company transfers personal data to countries outside the EU, you must ensure that adequate safeguards are provided by the receiving organisation.