Bold Commerce's very own Security Architect, Paul, dives into the world of GDPR and explains what eCommerce store owners need to know to protect themselves and their customers.
[I am not a lawyer, the information in this post is not legal advice, and the actions we’re taking may not be right for you or your company. If you’re not sure whether GDPR applies to you, you should contact a lawyer to confirm, though GDPR most likely applies to you in some way.]
It should go without saying that an individual’s privacy and the personal data they give a company should be treated with the utmost care and respect.
With the General Data Protection Regulation (GDPR) coming into effect May 25th, these beliefs will now have the support of the European Union, and will hopefully encourage other countries around the world to fall in line.
How it will affect your online store
As a store owner, you're responsible for the compliance of every app you have on your store.
Not only will compliance give you the opportunity to attract new and larger customers, as you'll be seen as a trusted company, but you'll also avoid the large fines you might have to pay if one of the apps you're using is non-compliant.
We want you to know that this is a serious topic around here, and that you're safe with us.
Bold is committed to being fully GDPR compliant before the deadline. You can even check out our plan for compliance below.
In this post, we'll also talk about:
- What is GDPR anyway?
- Data protection explained
- Does GDPR apply to you?
- Bold's commitment to merchants
- Our plan for compliance
- Guide to GDPR resources
Let's get started...
GDPR is the latest iteration of privacy laws trying to limit the frequency and scale of data breaches.
It also puts boundaries on who may lawfully interact with your personal data, when, and why. What’s unique about this legislation is the risk of significant financial penalties if you are found noncompliant.
Penalties can be as high as 4% of your annual global revenue, or €20 million (whichever is greater).
The new regulations are targeting the collection, processing, storage, and disclosure of personal data for individuals within the European Economic Area, with goals of:
- Improving the accountability and transparency of organizations interacting with this data
- Controlling the scenarios, duration, and security measures in which data may be lawfully interacted with and stored
- Limiting the transfer of personal data out of the EU to only countries and organizations who have also implemented adequate privacy and security measures
- Enshrining the ownership of an individual’s personal data and the rights the individual has to their data
These regulations are not limited to companies in the EU, though.
If a European user decides to buy something from your U.S.-owned, -hosted, and -operated store, you will have just received their name, email address, shipping address, and anything else you need to charge for and ship a product. That means GDPR would apply to you, too.
Controllers and processors
Under previous privacy laws, the company choosing to collect personal data has been entirely accountable for the privacy and security of that data. Now, it’s both the original company and any companies they partner with who process data on their behalf. Here's how it works:
If a Merchant installs Bold’s app on their store, that Merchant has employed Bold to perform the function provided by the app, making the Merchant a “Data Controller” and Bold a “Data Processor”.
If Bold’s app is hosted by another company, like Google Cloud Platform (GCP), Google then becomes a “Data Processor,” and also must comply with GDPR. This will then apply to any companies Google has employed as well.
By enforcing GDPR compliance from Controller to Processor and on to any Sub-Processors who may be involved, they all become accountable for the personal data they touch.
No more lengthy legal documents that only make sense to people who’ve passed their LSATs!
(As necessary, this information may also need to be in a Data Processing Addendum or Agreement between Controllers and Processors, or Processors and Sub-Processors, certifying that their security and privacy measures are compliant with GDPR.)
As you can see from above, this is kind of a big deal.
With only a few weeks to go, you should be looking into whether GDPR applies to you and your business. Here are a couple of questions to ask yourself:
- Do you currently have, or will you have, customers, partners, contractors, vendors, etc., based in the EU?
- Do you have, or will you have, access to any personal data on behalf of your customers, partners, etc., which may belong to an individual in the EU?
If you’re still not sure, it’s best to speak with a lawyer.
The changes we’re making to our processes, apps, and services to meet GDPR will improve our handling of personal data, regardless of an individual’s country.
Not only are we committed to being fully compliant by the deadline, we're also ensuring any companies we partner with or employ are as well.
This means if you’re part of the European Economic Area, or Canada, Argentina, Japan, or anywhere else on Earth (and currently, just limited to Earth), we apply the same level of care to your personal data.
Responsible handling of an individual’s data is important to us.
We’re in the midst of a company-wide initiative to investigate all locations and scenarios where personal data may be collected, processed, retained, and disclosed. Each instance is being scrutinized to ensure:
- Personal data is being collected and processed only as instructed by the Data Controllers (such as a merchant using one of our apps), or express consent is knowingly provided by the individual
- Data retention policies and enforcement methods are in place to only retain personal data for the length of time required to fulfil the purpose, complete the transaction(s) for which it was collected, or as required by law
- Reasonable security measures are implemented to protect the confidentiality, integrity, and availability of any personal data we come in contact with
- Processors engaged by Bold who may interact with personal data also meet GDPR requirements
As part of our GDPR initiative, we’re making sure each of the Data Subject Rights is well understood and that processes are in place to assist if a user feels it necessary to act.
We've also been implementing the use of Data Protection Impact Assessments (DPIAs) during the initial design of new apps, services, and significant features we've been developing.
If GDPR does apply to you, here are a number of great resources to get you started.
- EU’s Primary GDPR Page
- An easy to read resource for browsing the complete legislation
- GDPR Wikipedia page. It provides a great overview, but for specific compliance advice it’s best to speak with a lawyer. (Note: this page is only as accurate as its submitters and editors.)
- The UK’s Information Commissioner’s Office (ICO) has provided a thorough page on becoming GDPR compliant
- ICO’s 12-step guide for GDPR compliance
Lastly, if your store uses MailChimp, they've created some GDPR-friendly forms that can help you build a signup form that collects consent and helps you adhere to the new regulations.