You have probably been inundated in the last few weeks with email messages about GDPR. On May 25, 2018, a new set of privacy rules officially took effect in the European Union (EU). The new rules are known as the General Data Protection Regulation (GDPR). They apply to almost all businesses that sell on a global basis. The regulation specifically mandates how merchants handle customers' private information, and it may affect you even if your business is not located in the EU.
What Is It All About?
The charter states: “The protection of natural persons in relation to the processing of personal data is a fundamental right.” The main intention is to protect customer privacy, and the GDPR backs this intention with consequences for those who don’t follow the new rules, including fines of up to four percent of a company’s total global revenue.

The GDPR is about keeping private data private. To comply, procedures must be in place to ensure that no private details are shared. The rules give customers the right to exercise control over their information, including the ability to change, monitor and even delete it at any time. To support this, the GDPR urges companies to provide pseudonymization, anonymization and encryption of all data. Anonymization is the process of encrypting data or removing it so that it can never be directly linked to a specific customer. Pseudonymization first anonymizes and separates the data and then provides a way for it to be recovered if necessary. An example would be a system that gives a customer one identifier for their browser and a second identifier for their location. These two identifiers cannot be linked back to the customer unless they are combined with the customer’s separately stored date of birth.
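As an added illustration (not code from the original post) of the distinction drawn above, the following Python sketch keeps non-identifying customer attributes under a keyed pseudonym and holds the pseudonym-to-identity link in a separate table; dropping that link is what turns pseudonymized data into anonymized data. The store layout, the HMAC-based pseudonym and the sample customer are assumptions made for the example.

```python
import hashlib
import hmac
import secrets


class PseudonymizationStore:
    """Pseudonymized customer records plus a separately held link table.

    The main record store never contains the customer's identity, only a
    pseudonym.  The link table (pseudonym -> identity) is what allows the
    data to be recovered; in practice it lives in a separate system with
    tighter access controls.  Removing a link leaves the record anonymized.
    """

    def __init__(self, key=None):
        # Secret key so that pseudonyms cannot be recomputed from a guessed
        # email address by anyone who does not hold the key (assumed design).
        self._key = key or secrets.token_bytes(32)
        self.records = {}  # pseudonym -> non-identifying attributes (browser, location, ...)
        self._links = {}   # pseudonym -> identity, kept apart from self.records

    def pseudonym(self, email):
        # Keyed hash: the same customer always maps to the same pseudonym,
        # so records can be joined without storing the identity next to them.
        digest = hmac.new(self._key, email.lower().encode(), hashlib.sha256)
        return digest.hexdigest()[:16]

    def store(self, email, **attributes):
        p = self.pseudonym(email)
        self.records[p] = attributes
        self._links[p] = email
        return p

    def reidentify(self, p):
        # Recovery path that pseudonymization keeps and anonymization removes.
        return self._links.get(p)

    def anonymize(self, email):
        # Erasure request: drop the link.  Aggregate data may be retained,
        # but it can no longer be traced back to the person.
        p = self.pseudonym(email)
        self._links.pop(p, None)
        return p
```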
Why Are American Businesses Affected?
Although these rules were created in the EU, they affect companies doing business in any of the member countries, and their scope doesn’t end there. In the eCommerce world that we live in, customer data can be shared in a matter of seconds with businesses outside the EU in North America, Asia, Africa and anywhere else that is connected to the internet, which means just about everywhere. Since the GDPR intends to protect the data of all EU citizens wherever they happen to be, any U.S. company that holds personal data of its EU customers is subject to the GDPR. American companies that have EU-based buyers must either comply with the GDPR or cease selling goods and/or services to EU-based customers.
In general, your business will be subject to the GDPR if:
• You deal in information as a commodity.
• You obtain personal data from EU customers and store it or use it elsewhere.
• You have dealings with one or more EU countries.
How Does the GDPR Protect Consumers?
• Wide reach. The GDPR requires compliance from all companies that process the personal data of EU citizens regardless of where these citizens may be living or transacting business.
• Severe penalties. If a company fails to comply with the GDPR, it could be fined as much as $23.5 million or 4% of its total global revenue. This provides a significant incentive for businesses both large and small to take the necessary measures to be in GDPR compliance.
• Strong and easy-to-use consent mechanism. Consumers must be able to say “yes” or “no” to whether a company is allowed to retain or share sensitive personal information. Consent must be given in a way that is easy to understand and accessible. The company’s purpose for keeping the customer data must be transparent, and there must be an easy-to-use procedure in place should the customer wish to reverse consent at any time.
• Mandatory notification about data breaches. If any incident occurs that has the potential to compromise customers’ rights and freedoms, official notification must be given within 72 hours of discovery. Customers must be told about the breach “without undue delay.”
• Description of consumer rights. When an EU citizen provides their personal data to a company, they have the right to get copies of the data as well as a description of how the company is using it. In addition, they have the right to erase their data or move it to another service provider.
• Systems designed with data protection in mind. The GDPR insists that new company systems be designed with data protection as one of their core principles instead of attempting to retrofit existing mechanisms to protect consumer privacy.
• Protections for children. The GDPR is designed to protect the privacy of children, who can often be particularly vulnerable to breaches. For this reason, parental consent must be obtained before a company can ask for the personal data belonging to a child under 16.
How To Comply
Chosen Payments wants to help you achieve compliance if you accept orders on an international basis. Protecting customer data should always be a priority, but now it is more important than ever. Here are a few ways you can comply:
• If your website contains a form in which the customer gives permission for their information to be shared with third parties, make sure the box is unchecked. The customer must be the one to take this action, not you.
• If you have lists of subscribers, make sure that all participants have given explicit permission to be on that list.
• Be sure that everyone on your staff understands the GDPR and how it affects your customers.
• Document all customer information including where you got it, how it has been used and who requested it and why.
• Have a clear procedure in place for erasing customer data, documented in a machine-written (typed or electronic) format rather than by hand.
• Have a procedure in place for quickly handling customer requests related to the GDPR. You have one month to comply with a request.
• Clearly state to customers why you are retaining their data and what you will be using it for. They should be able to refuse at any time.
• If you process the data of children under 16, you must get a parent or guardian’s permission.
• Have a plan in place should a data breach occur. Determine how you will notify customers and who will be responsible for doing so.