As a seller, why should I worry about the GDPR?
The General Data Protection Regulation (GDPR), also known as Regulation (EU) 2016/679) is basically an upgrade of the current Data Protection Act, evening things out for all EU countries. It takes effect on May 25th, 2018. There is one big difference to the old Data Protection Act, though:
It doesn’t matter where you’re based, if you’re selling to people in an EU country, or have EU Citizens on your mailing list, it applies to you. That’s because it holds accountable anyone who has stored or is working with the personal data of EU citizens – UK, France, Germany, Poland, Slovenia, Greece…
As a seller, you’re holding Personal Data about your customers – This is called ‘A Lawful Basis for Processing’, because ‘processing is necessary for the performance of a contract to which the data subject is party’ – You need to work with and use their data to send them the products they have paid you for, which forms a contract. The act of entering into the contract and providing you with their data is permission to hold and process it.
You have then become responsible for keeping their information secure, so there’s a few things you’ll want to do as a minimum.
- Make sure you have good security – Keep your antivirus and firewall software up to date, don’t use default passwords for your accounts, device and software, etc. If someone else gets hold of that data and misuses it, you’ll be held responsible if it can be shown that you were the one that lost it. Don’t forget to check all the places the data could be stored, also – Accounts package, Warehouse Management software, email marketing…
- Keep everything up to date, not just your security software, so there is less chance of someone being able to find a way to get past your security. Make sure people aren’t taking copies home or saving them on their laptop to work on later.
- Ensure that any tablets or phones you and your employees use to access data on your accounts is secure too – Avoid public WiFi!
- Be careful about who is buying from you, too – Children can’t give permission to hold and process their data – Only their parent or guardian can. But different countries have different ages of consent, some as low as 13.
Each EU country will have an Independent Supervisory Authority, that will act to enforce the rules over data protection, and the one in your country will act as a ‘one stop shop’ for enquiries about any EU Citizen. If you have offices in more than one country, your main, or largest office will designate the ISA you deal with. Otherwise, if you’re outside the EU, the person making an enquiry would deal with their own ISA.
Can I still email my customers?
You can, but there’s been a change. You need people to explicitly give permission for you to message them, by actually answering yes. No longer can we send emails and just put “Unsubscribe if you don’t want to receive messages” along with a link. You’ll probably find services like Mailchimp are already on the way with tools and options, but it’s worth bearing in mind!
What can the customer ask for after the sale?
The GDPR gives EU citizens 2 rights:
A Right to Erasure
If someone contacts you, and can prove their identity, they can ask that you erase the personally identifiable information about them. But this only applies if you have suffered a breach and others have potentially gained access to the data you have been holding. Basically,if you have failed to protect it under the GDPR, they are allowed to be nervous about leaving their data with you.
A Right to Portability
A customer, after proving their identity, can ask for a copy of all the personally identifiable information you hold on them. This should be provided in a file format that is easy to read, such as a CSV, and it should probably have column headings, etc to give context. This should be provided within a reasonable period – Not right now, but maybe within a day or 2 – It’s worth telling the customer how long you expect it to take you, to keep them from thinking you’re holding out on them!
What’s the cost if something goes wrong?
The costs can be phenomenal – we’re looking at up to 4% of global annual turnover, or €20m, whichever is greater. You don’t want to get caught with a data breach!
The main things to remember are that you shouldn’t have to worry too much here – You should be keeping the information about your customers and orders safe anyway, there have been so many news stories about major companies getting caught out on security flaws and issues that you’re probably already aware and are likely to have taken many of these steps.
Don’t forget, if you’re outside the EU, bear in mind that you will run into it simply by selling to someone who is, so it’s worth a little bit of time and thought to avoid a large headache!
Talk to your IT team or give us a call if you have any concerns – We can offer help and advice. Most of it is common sense, but we’re here to help if you need it.