eCommerce and the GDPR

Authors: Jamie Brandes, Tobias Keller, Yvonne Lazarowicz, Justin Ridl

We are all familiar with buying products online from various international sites and suppliers; all done from the comfort of our desks worldwide. With a few clicks, we can add a product to our virtual cart in seconds.

Whilst online shopping and trading has become the norm, we very rarely think twice about providing eCommerce platforms with our most intimate details. Our names, identity numbers, credit card details, addresses and contact numbers are sometimes all required for a single transaction. We are assured that our data is protected and securely held, and lulled into the idea that our data remains a secret between only us and the supplier; but what security is there really for your data, throughout this whole process?

We hear about online phishing and scams all the time, some of them scarily personalised: princes in far-off places looking to give us a stash of cash, lucky lottery winnings or distant relatives leaving us sneaky bequests. Our data is scarily available to those who know how to access it, despite sites assuring us that they are ‘securely’ storing our information. The web is a scary beast; and our data its easy victim.

By nature, eCommerce platforms handle massive inputs of personal data when taking online orders. Naturally, the wave of business globalisation has been followed by a wave of global regulation. The European General Data Protection Regulation (“GDPR”) comes into force on 25 May 2018, leaving EU-based companies (and some who are not) exposed to hefty fines for non-compliance.

eCommerce will be no exception, and the GDPR imposes various requirements on companies dealing with the personal data of EU citizens; be it from a base in the EU, or outside of it.

It provides the data subject – in this case, the eCommerce customer – with various rights and entitlements, and imposes on the eCommerce supplier various duties and obligations. Given that the taking of payment online necessitates the storage of sensitive data, eCommerce platforms need to be wary. These platforms will now have to ensure that the data received from their customers is not only securely stored, but also easily accessible by the data subjects themselves. Furthermore, data subjects must be able to know exactly what the platform intends to do with their data at all times.

There will need to be a clear statement or policy made known and available to the data subjects, to let them know what will happen with their data and how it will be processed. Consent for the processing of data must be clearly given by the data subject, and absolute transparency about the processing of the data must be maintained towards the subject at all times. Simply ticking a box to say you’ve read the Ts and Cs won’t fly anymore. Consent must be blatant and conspicuous, and must clearly define the extent to which the data subject consents to the use of their data.

Data breaches will need to be monitored, and the data subject fully notified of the extent of the breach, within a 72-hour time period.

The burden of protecting data against phishing and data breaches online, as well as resisting the temptation to sell data to third parties, has therefore become quite substantial. How you collect, manage, store and process data is now more of a concern than ever in the eCommerce space. Failure to comply may result in a fine of 4% of the platform’s annual turnover, or 20 million euro (whichever is higher).

What this all practically entails is not entirely clear. But what is glaringly clear is that failing to prepare is certainly preparing to fail in this instance. eCommerce providers are advised to get their data strongholds together fast, with the 25 May 2018 deadline looming.

If you would like to know more, Cognia Law provides a detailed and effective GDPR offering, including a full audit of your platform’s GDPR compliance. For more information contact Yvonne Lazarowicz on [email protected] or Justin Ridl on [email protected].


You can also follow us on Twitter and LinkedIn or visit us here: www.cognialaw.com