It’s been a few months since the European Union’s General Data Protection Regulation (EU GDPR or simply GDPR) came into effect. On the very first day of the regulation’s application, Facebook and Google, two of the world’s largest companies, were hit with privacy complaints accusing them of “coercing users into sharing personal data“. The complaints asked regulators to impose fines totalling roughly $8.8 billion; no fine of that size has actually been levied. Since then, it has been relatively quiet on the GDPR enforcement front. According to Alex van der Wolk, a global co-chair of a privacy and data security practice, “there was no expectation of a lot of enforcement right away, for regulators to come out shooting.” Even though things may have cooled down for now when it comes to issuing penalties and making examples of violators, the message is one of ‘there is more to come’. Time will tell, and it’s still best to protect your business rather than risk getting caught with your hand in the (data) cookie jar.
In North America, ecommerce businesses have generally not been taking these regulations seriously. Many North American ecommerce businesses and agencies have no idea about their roles in protecting their own data and that of their customers. Many myths and misconceptions still circle GDPR; rumours are circulating that small businesses, and businesses that neither reside in the EU nor sell to people located there, are beyond the reach of GDPR enforcement. (Hint: the size of your business does not matter, and “we’re in North America” is not the end of the analysis.)
In the article below, we take a brief step back to refresh some very important points on GDPR. And if you’re looking for more GDPR information, stay tuned! VL OMNI will be publishing more guiding content over the coming month in the lead-up to our hotly anticipated webinar on September 26th.
1. Let’s State The Obvious – What is GDPR?
Introducing the EU General Data Protection Regulation
GDPR is the most important change in data privacy regulation in the past 20 years. It was adopted in 2016 and became enforceable on May 25, 2018. It is a regulation designed to give individuals more control over the personal data they hand to organizations, and to define the responsibilities of those organizations around that data. The GDPR rules are now the standard for the protection of online privacy, personal data, and consent. Because our lives revolve around data for almost everything we do, from social media to banking to personal details like addresses and credit card numbers, GDPR is a regulatory framework for every business that stores, uses, or otherwise touches the data of individuals. Those that handle this data are now under strict conditions to collect it lawfully and to protect it from hacking and other misuse. This legislation not only has teeth (violators can be fined up to 4% of annual global turnover or €20 million for non-compliance, whichever is higher), it looks to lock down key areas of weakness and makes organizations accountable to their customers.
2. The Misconceptions — AKA Yes, GDPR Applies To You
A startling number of North American ecommerce businesses seem to be under the impression that GDPR does not affect them if they are headquartered outside of the EU. This is patently false: GDPR applies to any business, wherever it is located, that offers goods or services to people located in the EU or monitors their behaviour there (tracking cookies and analytics on EU visitors count), and it reaches every party that collects, stores, or processes that personal data on your behalf, including third parties. What this means is that it’s not just your own business’ handling of data that you need to ensure complies with GDPR, but that of your trading partners and service providers as well. One complexity that many are unaware of: GDPR protects people who are in the EU when their data is collected, regardless of their citizenship. So if a visitor from Canada buys from you while they are in Paris, you’re on the hook for GDPR compliance for that transaction, and an EU passport holder shopping from Toronto is not automatically covered. The safe assumption for any business that sells online is that some of its customers will be in the EU, and to plan accordingly.
And as for ‘data’? Personal data can be anything that identifies or can be linked to an individual: a name, a photo, an email address, an IP address, banking details, and much more. The watchword here is Data Governance. If you are interested in understanding how to boost your business’ cyber security with data governance and enterprise data management, take a look at this excellent article featuring one of our expert webinar panelists, Guy Pearce.
3. Get In Shape and Comply
If your business is not already GDPR-compliant, or hasn’t done a deep dive to confirm that it does not need to comply (which itself requires going through many of the GDPR-compliance motions), you are already behind the eight-ball. Take a close look at your data across your business, in every application in your technology stack, and at every third party that has access to any data that can be tied back to an individual. Businesses that need to be compliant with GDPR need to undertake data mapping, including any third parties that have access to that data, to expose their compliance obligations. Documentation is key under GDPR: data flow mappings and the resulting risk management plans need to be comprehensive, detailed, and readily available, because in the event of a breach you generally have 72 hours from becoming aware of it to notify the supervisory authority, and you will need to know exactly what data was affected and where it flowed. GDPR compliance is not a one-time measure. As your business evolves over time you must make sure your methods, applications and privacy policies remain effective and compliant.
4. Consult the Experts
Still have questions? You should. GDPR is a complex and sometimes extremely confusing set of rules, and it is difficult both to understand them and to put the right compliance processes in place. This is not something you can implement within a day. Seeking out experts who understand the legislation and the legalese will greatly help you understand your responsibilities and inform your business on best practices and due diligence. A great place to start is to join VL OMNI on September 26th for an in-depth, honest webinar conversation entitled “GDPR Reality Check: How Will Regulations Impact My E-commerce Business”, built around your questions about GDPR and how it impacts businesses, and led by a panel of experts.
Our first panelist is Niall Tierney. An Intellectual Property Lawyer with over 20 years of experience gained in Ireland, Niall has extensive multi-jurisdictional legal experience in European Union Data Protection law. Our second expert is Guy Pearce, who has served on private and public Boards in banking, financial services, retail and a not-for-profit over the last decade. Guy currently consults in governance and risk, and is the founder of CanadaGDPRCompliance.ca, which focuses on ensuring the right levels of oversight for GDPR compliance in Canada. As an industry thought leader, he has published numerous articles on various aspects of governance and risk, particularly in a digital context. Finally, VL’s own Robin H. Smith will speak to the implementation process from a business owner’s perspective and from the broader perspective of the data integration imperative. VL OMNI became fully EU GDPR compliant in Q1 of 2018. We have revised our privacy and security practices accordingly, both to comply with GDPR ourselves and to support our customers and partners in complying with it.
This webinar is not to be missed! This is your opportunity to ask the questions that matter to you and leverage our panelists’ knowledge of the legal, risk-profile, and implementation ramifications of GDPR. Register today!