The GDPR: 80% of UK companies face “major challenges” for compliance by May 2018
October 2017 by Oxatis
The race against time has already begun: the new General Data Protection Regulation, defined in 2015 to strengthen consumer protection at European level, will come into effect on 25th May 2018. Non-compliance with the GDPR will result in severe financial penalties. The regulation is part of a general policy in the European Community to harmonise data protection across the European area. A survey has revealed that, just 10 months before the GDPR compliance deadline, 80% of respondents said they face major challenges*. The GDPR is a major issue for all the players in e-Commerce.
The GDPR, a major step and a real challenge for all companies
The new European regulation applies to any company that collects, processes or stores personal data of European nationals, that is, data which can be used to identify a person. All economic entities (companies, charities, administrations) must begin to implement the measures necessary to comply with the rules.
The major change resides in the requirement to justify all the data processing carried out (data collected during account creation, newsletter subscriptions, navigation preferences, and so on). For example, when a customer unsubscribes from a newsletter or changes the phone number on their customer account, the company must be able to prove that the change has been made and provide details of the processing (time, IP address, and so on). At the request of the individual, and at any time, their data may be deleted, modified or restored. The objective is to give consumers control of their identity and of the commercial use of their personal information.
Finally, an enhanced protection for e-buyers!
Consumers must clearly understand for what purpose their data will be used on e-Commerce sites, and the scope of their consent must be clearly defined. Modern e-Commerce marketing techniques (retargeting, product suggestions and so on) must be explicitly accepted by individuals. They must also have direct access to their personal information. In practice, they can request the portability of their information (order data, wish lists, etc.), and double opt-in consent must be obtained from parents on behalf of their children.
In case of a data breach, the user will be informed within 72 hours by the company, and the responsibility may lie with the subcontractor responsible for the leak, or with the hosting provider if the latter has been hacked. To ensure that these new rights are respected, the legislator has made it possible to pursue collective legal action through official representative bodies.
VSBs and SMEs - Implementation of the GDPR in e-Commerce
By May 2018 all companies will have to comply with the new regulation. Implementing the necessary measures requires a thorough understanding of both the obligations and the means to achieve them.
E-Commerce sites will have to ensure the highest possible level of data protection. To guarantee the security of their customers’ personal data, e-merchants must deploy technical measures and comply with strict rules regarding, for example, the keeping of a register of consent, data retention, securing transactional emails, encryption of passwords and so on. A Data Protection Officer (DPO) will be appointed to ensure the implementation and monitoring of these actions.
We are entering an era of total accountability for the company, a necessity given that more than 64% of UK companies have not yet begun their GDPR implementation for May 2018**.
Let’s not forget that thousands of hacks target all the major players in e-Commerce every day. Data security and technical infrastructure are the major challenges for the web world. According to new government figures, around 46% of UK businesses have now suffered a digital attack. With 5.5 million companies in the UK, that suggests around 2.5 million may have been targeted successfully by hackers, with £174.5m records breached in September 2017*** alone.
A binding framework for companies with major short-term impacts
Penalties for failure to meet the obligations imposed by the regulation are financial and indexed to the global turnover of the company. They can reach 10 to 20 million euros or 2 to 4% of turnover, whichever is the higher sum. A new concept is emerging: "Privacy by Design", a guarantee of quality and reassurance for entrepreneurs seeking optimal security of customer data. A site built according to "Privacy by Design" ensures that no module has been bolted onto the site structure after the fact, and that the solution has been developed with data protection as a prerequisite at every stage of the website’s construction.
Actinic, Europe’s leading e-Commerce solutions provider, is actively involved in these processes for its 10,000 European e-merchants. Unlike customised or open-source e-Commerce technologies, its SaaS model allows it to integrate privacy directly into the design and operation of its IT systems and networks, following the Privacy by Design principle. It thus reassures every customer of your VSB/SME, and prioritises the protection of the privacy and data of Internet users, in compliance with the GDPR.