Blog

Data is the currency of competitive advantage for business in the digital age, and its importance is only going to increase in the future. But as more businesses realise the value in capturing, storing and processing customer data, people are increasingly concerned with how their personal details are being stored and used. In Europe, this has led to the introduction of the General Data Protection Regulation, or GDPR. And if you do business with anyone who is a citizen of the EU, after 25 May 2018, you’ll need to ensure that you are GDPR compliant – or face a serious penalty.

GDPR aims to standardise the protection of personal data for EU citizens by giving them greater control over their data and ensuring that businesses also follow rules that safeguard this information. These rules apply to all kinds of data management and processing across all areas of a business – from marketing and customer service, to HR, whatever the nature of the business, and whether it’s b2c or b2b, bricks and mortar or online. So just about very organisation that does business with European customers is affected by GDPR, regardless of its geographic location. GDPR regulations will apply to the UK too, despite its plans to leave the EU in March 2019.

Data capture, processing, storage and transmission is, of course, at the heart of the eCommerce operating model, so all online sellers must make sure they have the systems in place to comply with GDPR legislation. There are many complex issues to consider on the journey to compliance, and these need to be properly researched and the appropriate legal advice sought. We’re not going to attempt to cover all the issues in this blog, but here are just a few thoughts that might help you to start mapping out a route to compliance.

The most sensible starting point is to ensure you have a thorough understanding of the systems and processes currently in place to manage and store customer data – for example, knowing the reasons for processing personal data in the first place and how this is conducted, where and for how long data is stored, and with which third parties the data is shared. With this understanding you will be able to prioritise the actions that need to be taken to ensure GDPR compliance.

It’s important that customers are able to easily communicate with you about their data, including provision of a simple way for them to request a copy of the personal data you hold, and a means to ask for removal of that data from your systems. GDPR legislation makes it easy for people to complain about non-compliant companies, and businesses should ensure that it is straightforward for customers to contact them with any questions about their data.

You need to be proactive with customers too, providing them with a comprehensive view of what they are agreeing to, (in a “concise, transparent, intelligible and easily accessible form, using clear and plain language”), before they consent to give their information. Remember also that under GDPR, you need to explicitly ask customers for their permission to capture and manage their data, and that a standard pre-checked box may not be an acceptable way of doing this.

Establishing a process to deal with any data breach is another area that requires careful planning and collaboration across security, legal and executive teams. In certain circumstances, for example, GDPR rules say that a data breach must be detected within 72 hours and a “supervisory authority” informed. Companies may also need to notify customers that have been affected by a data breach “without undue delay”. For many businesses, this kind of response speed will be difficult to achieve, with some companies reporting that it currently takes up to five months to inform victims after a global data breach.

GDPR is forcing companies to rethink the way they operate. The complexity and cost of compliance may be challenging, but the alternative is to risk fines of up to 4% of revenue or 20 million Euros, whichever is greater, as well as irreparable damage to your brand and customer trust. Don’t leave it too late to get the advice and support you need to mitigate the risk of non-compliance.