Your Guide to the General Data Protection Regulation (GDPR)

What is the GDPR?

As of 25 May 2018, any organisation that collects data from citizens of the European Union (EU) must comply with significant changes to the rules surrounding customer data protection. The GDPR (General Data Protection Regulation) is a European law approved in 2016. Whilst you may have heard of the GDPR, it is unlikely that you have come to grips with the changes, which will almost certainly affect your business or organisation.

From May 2018, the EU is implementing a set of rules designed to protect European citizens’ personal data. This will impact any company that handles EU citizens’ data, even if the company is not based in Europe. The GDPR is a binding act with which organisations must comply. The changes were triggered by an effort to modernise EU data protection law, and they aim to strengthen the rights of data subjects in line with the concept of privacy as one of the fundamental rights recognised in the EU. It is not something that will be taken lightly, and it is not something your business wants to be caught out on.

Who will it affect?

The GDPR governs the collection, use, storage and removal of personal data. Its rules apply to individuals and entire organisations alike, and they are expected to have significant effects on businesses that collect data globally. It does not matter where your organisation was established or where its activities take place: any business, in any country, industry or sector, that collects or handles the personal data of EU citizens will be affected.

What happens if you don’t comply with the GDPR?

Businesses should fear crippling consequences should they fail to comply. Website owners who ignore these changes risk damaging their reputation (an organisation that goes against human rights cannot expect to be seen favourably). As described in Article 83 of the GDPR, business owners who refuse to comply with the changes will face fines that are “effective, proportionate and dissuasive”. Fines fall into two categories and are assessed case by case. The first category carries a penalty of up to €10M or up to 2% of your global turnover. The second can reach up to €20M or 4% of your global turnover.

What is “Personal Data”?

Now is the time for business owners to carry out a thorough review and understand their next steps. For small organisations, clearly communicating your data handling processes to individuals should be fairly straightforward. For more complex businesses that handle data in a variety of ways, it is best not to leave this transition to the last minute.

Your first step in establishing how your business is affected is to gain a clear understanding of what exactly “Personal Data” is. The OECD defines personal data as “any information relating to an identified or identifiable individual (data subject)”. Categories of personal data include:

  1. Names, addresses, ID numbers
  2. Demographics: age, gender, income, sexual preference
  3. Behavioural data: web searches, purchase history
  4. Social data: your contacts, emails etc.
  5. Sensor data: biometrics, health tracking devices
  6. UGC (user-generated content): photos, videos, comments, blog posts

What does my business need to do now?

Consent is at the crux of the GDPR, so moving forward, business owners must obtain consent from individuals for each and every use of their personal data. Vague Terms & Conditions documents saturated with jargon need to be updated so that they are clear and concise. For more information on T&Cs and other legal information on your website, see our separate guide.

Organisations will be expected to state clearly their purpose for collecting personal data. Similarly, individuals have every right to decline to provide personal information. Whilst this may be frustrating for business owners, it will be difficult to refuse an individual a product or service on the grounds that their data is essential. From now on, an individual’s data remains under that individual’s control, and businesses must respect this. Organisations will also need to give individuals the ability to withdraw their data whenever they wish. Ensure you are not concealing this option on your website; in fact, you will make everyone’s lives easier by using the same interface whether data subjects wish to hand over or withdraw their personal data. The safest way to protect your business under the GDPR is to ensure that users have agreed to everything you do with their data.

Still in doubt?

The GDPR concerns personal data only, not anonymous data. However, business owners should be aware that any data that can be traced back to an individual (for example, anonymous data that can be aggregated from multiple sources to reveal an individual’s identity) will be treated as personal data.

Please note: this blog post is intended as a guide only. We strongly advise business owners to seek formal legal advice on the subject if they have any doubts. Working with professional counsel will help you avoid major risks and will determine exactly how the GDPR affects your organisation.

We can help!

For the latest information on what your Shopify store needs, contact us. We are experts in optimising your website’s content, making sure that business owners communicate effectively with potential customers and thereby protect themselves.