On 25 May 2018, the General Data Protection Regulation (GDPR) will come into effect. It establishes new rules at European level for all companies that collect personal data, whether from their employees (companies with over 250 employees) or their customers, or even their subcontractors, since the law introduces the notion of shared responsibility if a subcontractor fails to comply with this regulation.
The GDPR applies to any structure that collects personal data about European citizens. What is meant by personal data? Any data that can be used to identify a person, such as a name, an email address or an IP address, but also a cookie or a photo.
European law states that “Everyone has the right to the protection of personal data concerning him or her”.
Impacts on online business
Certain provisions of the law involve major computer and technical changes, such as the request for consent when collecting data or the right to be forgotten. You therefore have a few weeks left to bring your site, forms and archiving systems into line with the legal changes.
The law insists on collecting only the data necessary for a particular purchase and clearly informing the customer of the terms of this collection: “Any processing of personal data should be lawful and fair. It should be transparent to natural persons that personal data concerning them are collected, used, consulted or otherwise processed and to what extent the personal data are or will be processed”.
Customers therefore have to give their consent when providing personal information, via a form. Furthermore, when the customer agrees to receive information, he must know exactly what the purpose of this registration will be.
Finally, the customer can, if he wishes, easily access the personal data collected about him. At his request, you will have to send it to him in a readable format.
Data should be kept for the duration of the transaction only. Inactive customers’ data should be deleted after three years.
Article 17 defines the right to erasure, or the “right to be forgotten”, which applies in several cases, including the following:
- The personal data are no longer necessary in relation to the purposes for which they were collected;
- The data subject withdraws the consent on which the processing is based;
- The personal data have been unlawfully processed; etc.
Here are some other important points provided for by the GDPR:
- The e-merchant must be able to prove compliance with this regulation, by keeping up to date a “record of processing activities” referencing all the methods of data processing in terms of organisation, security and erasure.
- He must also ensure that efficient technical resources are used to ensure the ongoing confidentiality, integrity, availability and resilience of personal data. In the event of theft, he must alert the CNIL (French data protection authority) and customers affected within 72 hours.
Note: This article lists for you the main points of this new legal framework. However, we advise you to contact your usual legal advisor to establish and check your compliance.