With the General Data Protection Regulation now in full effect, the way companies do business with European Union citizens has changed dramatically. However, the ramifications of the regulation reach far beyond the borders of the EU’s 28 member nations.
An Ovum survey has revealed that 70 percent of global IT decision-makers expect to increase spending to meet data protection requirements to avoid the hefty fines of 20 million euros (or 4 percent of total global revenue) and other possible implications for noncompliance. These would include damage to brand reputation and consumer trust. The investment for compliance is only a part of the cost of doing business if brands want a share of the $4 trillion-plus global ecommerce sales predicted by 2020.
Chris Rence, Digital River’s Data Protection Officer, recently told eWEEK that he believes the compliance landscape is getting significantly more complicated, and that protecting consumer data and maintaining compliance in an ever-changing e-commerce environment is essential to global success.
In the following series of data points, Rence explained what e-commerce enterprises need to understand about their compliance standards and the steps they must take to protect their customers’ data.
Step No. 1: Know how you process and store consumer data
One of the key purposes of GDPR is to give consumers more control over their data. This includes things such as understanding the purpose for processing their personal data, transparency on how long it will be stored, and details about when and where their data is shared with third parties. Without a complete understanding of your company’s current practices, it will be impossible to make necessary changes to comply with the regulation.
Step No. 2: Define your data controller or processor status
This is one of the most critical early steps you will take on your GDPR compliance journey. Your business will have varying obligations depending on whether you are a data controller (independent data controller or joint data controller), data processor or any combination thereof. Once there is a common understanding on your GDPR designation, you should outline each obligation that applies to you.
Step No. 3: The rise of the Data Protection Officer
In some cases, GDPR makes it mandatory for businesses to appoint a Data Protection Officer (DPO), including when processing activities require regular monitoring of data subjects on a large scale. A DPO can inform, advise or train employees, act as the contact person for supervisory authorities, and otherwise guide your business on GDPR matters. Regardless of your requirements under GDPR, a strong business practice is to appoint a DPO; their hands will be full as the data protection environment promises to grow in complexity.
Step No. 4: Assess your reasons for processing data
Your business must have a lawful reason for each data storing and processing activity, such as (but not limited to) consent, legitimate interest or contractual necessity. Complete an assessment of each of your data processing activities. Where you intend to rely on legitimate interest, a formal “legitimate interest assessment” should be completed and approved by a senior and/or executive leader.
Step No. 5: Be ready to respond to a data breach
Under GDPR, it’s mandatory in certain situations to detect a data breach and notify a “supervisory authority” within 72 hours. This could be challenging: a recent Ponemon Institute report showed 69 percent of information security and compliance professionals believed their organizations would have trouble meeting GDPR’s time limitations. Being able to detect and communicate a breach this quickly is a big leap for many companies, but it is something that must be planned for.
Step No. 6: Develop or purchase a tool for handling consumer access requests
GDPR is intended to make it easier for consumers to send companies “access requests,” including the right to access, erase, edit, export, restrict, or object to the processing of their data. Each request needs to be evaluated individually for proper handling. Consider a “privacy tracker” tool that can capture requests, log actions and potentially allow businesses to respond to consumers. This is one area where data controllers and processors need to work together to ensure each consumer request is honored.
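The “privacy tracker” described above can be sketched in code. The following is an added example, not a tool from Digital River or from the article: it captures a request of one of the types the article lists, keeps an append-only log of every action taken on it, refuses to rewrite the history of a closed request, and reports which requests are still open. The names (`PrivacyTracker`, `RequestType`, `max_age_days`) are assumptions of this example, the consumer references and dates are constructed, and a real deployment would add persistent storage and identity verification before acting on any request.

```python
"""Minimal consumer-request ("privacy tracker") log for GDPR access requests.

Added example; assumes an in-process store. Keeps only an internal subject
reference, never the consumer's raw personal data, in the tracker itself.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Dict, List, Optional, Tuple


class RequestType(Enum):
    # The request categories named in the article.
    ACCESS = "access"
    ERASE = "erase"
    EDIT = "edit"
    EXPORT = "export"
    RESTRICT = "restrict"
    OBJECT = "object"


class Status(Enum):
    RECEIVED = "received"
    UNDER_REVIEW = "under_review"
    COMPLETED = "completed"
    REFUSED = "refused"          # e.g. identity of the requester could not be verified


@dataclass
class LogEntry:
    at: datetime
    actor: str
    action: str
    note: str = ""


@dataclass
class ConsumerRequest:
    request_id: str
    subject_ref: str             # internal reference to the consumer record
    kind: RequestType
    received_at: datetime
    status: Status = Status.RECEIVED
    log: List[LogEntry] = field(default_factory=list)


class PrivacyTracker:
    """Captures requests, logs each action, and reports what is still open."""

    def __init__(self) -> None:
        self._requests: Dict[str, ConsumerRequest] = {}
        self._counter = 0

    def capture(self, subject_ref: str, kind: RequestType,
                received_at: Optional[datetime] = None) -> str:
        """Register a new request and return its id; the intake itself is logged."""
        self._counter += 1
        rid = f"REQ-{self._counter:05d}"
        when = received_at or datetime.now(timezone.utc)
        req = ConsumerRequest(rid, subject_ref, kind, when)
        req.log.append(LogEntry(when, "intake", "captured", kind.value))
        self._requests[rid] = req
        return rid

    def log_action(self, rid: str, actor: str, action: str, note: str = "",
                   new_status: Optional[Status] = None,
                   at: Optional[datetime] = None) -> None:
        """Append an action to the request's history; closed requests are immutable."""
        req = self._requests[rid]
        if req.status in (Status.COMPLETED, Status.REFUSED):
            raise ValueError(f"{rid} is closed; open a new request instead of editing history")
        req.log.append(LogEntry(at or datetime.now(timezone.utc), actor, action, note))
        if new_status is not None:
            req.status = new_status

    def status_of(self, rid: str) -> Status:
        return self._requests[rid].status

    def history(self, rid: str) -> List[Tuple[str, str]]:
        """(actor, action) pairs in the order they were logged."""
        return [(e.actor, e.action) for e in self._requests[rid].log]

    def open_requests(self, now: Optional[datetime] = None,
                      max_age_days: Optional[int] = None) -> List[str]:
        """Ids of requests not yet completed or refused, oldest first.

        max_age_days is a policy parameter (an assumption of this example):
        when given, only requests older than that many days are returned.
        """
        now = now or datetime.now(timezone.utc)
        result = []
        for req in sorted(self._requests.values(), key=lambda r: r.received_at):
            if req.status in (Status.COMPLETED, Status.REFUSED):
                continue
            if max_age_days is not None and now - req.received_at < timedelta(days=max_age_days):
                continue
            result.append(req.request_id)
        return result


def demo() -> PrivacyTracker:
    """Constructed sample: two requests, one completed, one still under review."""
    t0 = datetime(2018, 6, 1, tzinfo=timezone.utc)
    tracker = PrivacyTracker()
    r1 = tracker.capture("cust-ref-0042", RequestType.ERASE, received_at=t0)
    tracker.log_action(r1, "privacy-team", "identity verified", at=t0 + timedelta(days=1),
                       new_status=Status.UNDER_REVIEW)
    tracker.log_action(r1, "data-processor", "records erased", at=t0 + timedelta(days=5),
                       new_status=Status.COMPLETED)
    r2 = tracker.capture("cust-ref-0077", RequestType.EXPORT, received_at=t0 + timedelta(days=2))
    tracker.log_action(r2, "privacy-team", "identity verified", at=t0 + timedelta(days=3),
                       new_status=Status.UNDER_REVIEW)
    return tracker
```

The log records who did what and when on every request, which is the evidence a controller and its processors need to show that each request was evaluated and honored; `open_requests` with a policy-defined age gives the team a simple backlog view.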
Step No. 7: Update privacy, security and incident response policies
Update both your company’s external privacy policy, the one presented to end consumers, and its internal privacy policy, which governs how employees handle end consumers’ personal information. Align both with the requirements of GDPR. Both need to be updated, not just one.
Step No. 8: Train employees from the mailroom to the boardroom
Complying with GDPR should be a partnership across your company from the mailroom to the boardroom. Provide internal training and ample opportunity for employees to ask questions about the regulation, and speak to how it may influence the way they interact with and handle personal data as part of their day-to-day responsibilities.
Step No. 9: Stay one step ahead of other regulations
GDPR complements other incoming regulations from across the globe related to consumer protection obligations, the current and upcoming “cookies” law, the network and information security directive, contract law, and payment card industry requirements, among others. Coming soon will be other big data privacy directives in Japan and China that must be adhered to for the continued success of your global ecommerce business.