Why should your e-commerce company care about GDPR?
Among regulations and strict laws, a fine of €20 million (or 4% of the company's annual turnover) can be applied to any business that does not respect the new General Data Protection Regulation (GDPR). If your e-commerce has any connection with European shoppers, this article is for you!
As online merchants sailing international seas, it is important to be aware that being outside Europe's borders is not an excuse if the e-commerce transactions involve European clients. The regulation completely changes the way organizations can manage the personal data of European citizens, regardless of whether or not the organization is established in the European Community.
The objective is to strengthen the right of citizens to protect their data and to make data processing easier for companies. To achieve this goal, the new regulation establishes a series of requirements which, until now, had not been considered in the daily life of organizations. The measure is expected to affect about 250 million internet users, and the main changes are:
1 – Definition and expansion of the concept of Personal Data
Understanding terms is vital to define how the EU data protection law applies to any business. Under the GDPR, personal data is any data that, either on its own or associated with other data (including genetic and biometric data), is enough to identify a person.
2 – Reinforcement of local controlling authorities for each member country of the European Community. Highly trained staff will be responsible for receiving and investigating complaints and irregularities during the GDPR's implementation;
3 – Nomination of a representative in the company to respond for the management of personal data. This representative could be a person (employee), a department or even a third-party company. The professional will be responsible for implementing appropriate technical and organizational measures to ensure and demonstrate that the clients' personal data held by the company is in compliance with the requirements of GDPR;
4 – Notification of the local controlling authorities of any breach of personal data within 72 hours. If the breach poses risks to the data holder, authorities should also be notified.
The new policies in data privacy organized by GDPR assure several rights for citizens, such as:
- Right to be excluded - When demanded by the client, the organization should delete all personal data of the applicant;
- Right to object - The person may deny the use of his/her personal data in certain situations, such as marketing campaigns;
- Right to rectification of data - The person may request and indicate the correction and completion of incomplete personal data;
- Right to portability - Citizens may request to transfer their data from one organization to another, without hindrance or bureaucracy;
- Right to transparency - Citizens can request information on the processing and storage of their data, including: retention time, contact details of the person responsible for personal data in the organization, and the justification for keeping personal data stored;
- Children's data privacy - All personal data from children under the age of 13 years must have the consent of his/her legal guardian.
These are some of the several items defended by the new regulation. The European Union published detailed information with FAQs, the actual rules, articles, controversial topics and key changes in this link. If you have any questions about the transition of your e-commerce company and cross-border payments, BoaCompra's experts will be happy to give any further assistance.
The most important topic to keep in mind is: authorities will be severe from May 25th on, and the fine can reach the considerable amount of €20 million or 4% of the company's annual turnover. Any failure or lapse with SSL certificates, consent forms or checkboxes, for example, can represent a huge loss and jeopardize the whole operation. Besides, it can cause irreversible damage to the company's image.