As I'm sure you've already heard, on May 25, 2018 the GDPR (RGPD, by its acronym in Spanish) becomes applicable in Spain. To keep it simple: the European Union's new data protection regulation.
You could say that the GDPR is a law that “completes” the LOPD. It is much more demanding, as it seeks to ensure better protection and service to users, who will have all the power over the transfer of their personal information. In a word: it seeks transparency.
It will affect digital businesses, because nowadays everything is based on data. That is precisely why this law has arisen: to improve the storage, processing, access, transfer and disclosure of user or customer data records.
And you, as an ecommerce, are obliged to comply with it. That’s why it’s important that you don’t miss a single comma of the key aspects of the new law that we explain below:
Article contents
- What is GDPR and what are my digital obligations as of May 25, 2018?
- Assess whether you need to appoint a Data Protection Officer
- Identify who is responsible for the data
- What is the purpose of the processing of that data?
- Let them know who is going to have access to the data
- How long can I keep the data?
- Your client has control of the data
- Contractual obligations must be clearly indicated
- The client must be informed of everything
- The customer’s consent to the data processing must be on record
- What do I do with the lists and data processing I already have?
- GDPR and the right to portability
- The GDPR and your users: privacy and consent are key
- Your ecommerce forms adapted to the new data law of the European Union
- What are the penalties for not complying with the GDPR?
- Install this GDPR module in your Prestashop store
What is GDPR and what are my digital obligations as of May 25, 2018?
Here are some of the most important points about the new Data Protection Law, to later develop some in more detail. But above all, remember that if you have any doubts, it’s best to consult a lawyer – better safe than sorry!
Assess whether you need to appoint a Data Protection Officer
This person will be in charge of overseeing how personal data is handled. If you process large volumes of data, many different kinds of it, or sensitive data, it goes without saying that appointing one is not superfluous. He or she should also know the right way to protect that data, for example through pseudonymisation and encryption.
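Pseudonymisation is mentioned above in passing, so here is what it means in practice. The following is an added example, not code from the original post or from any product it describes: a keyed pseudonym (HMAC-SHA256) for an email or name, kept alongside the "what not to do" version (an unkeyed hash) and a small dictionary attack that shows why the key matters. The key, the candidate list and the sample record are constructed for the example; in a real store the key would live in a separate secret store, since whoever holds it can re-link pseudonyms to customers.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Iterable, Optional


def new_pseudonym_key() -> bytes:
    """Fresh 256-bit key. Store it separately from the pseudonymised data (vault/KMS),
    because key + pseudonymised record = re-identified record."""
    return secrets.token_bytes(32)


def _normalise(value: str) -> bytes:
    # Trim and lower-case so "Ana@Example.com" and "ana@example.com" map to one pseudonym.
    return value.strip().lower().encode("utf-8")


def weak_pseudonym(value: str) -> str:
    """What NOT to do: an unkeyed hash of an email is reversed by simply hashing guesses."""
    return hashlib.sha256(_normalise(value)).hexdigest()


def pseudonym(value: str, key: bytes) -> str:
    """Keyed pseudonym: HMAC-SHA256 over the normalised value.
    Deterministic (records can still be joined on it) but not reversible without the key."""
    return hmac.new(key, _normalise(value), hashlib.sha256).hexdigest()


def pseudonymise_record(record: Dict[str, Optional[str]], key: bytes,
                        fields: Iterable[str]) -> Dict[str, Optional[str]]:
    """Return a copy of `record` with the listed identifying fields replaced by pseudonyms."""
    out = dict(record)
    for f in fields:
        if out.get(f) is not None:
            out[f] = pseudonym(out[f], key)
    return out


def guess_original(target: str, candidates: Iterable[str],
                   key: Optional[bytes] = None) -> Optional[str]:
    """Dictionary attack: re-hash every candidate and compare with the target.
    An attacker without the key can only try the unkeyed hash (key=None)."""
    for candidate in candidates:
        h = weak_pseudonym(candidate) if key is None else pseudonym(candidate, key)
        if hmac.compare_digest(h, target):
            return candidate
    return None


if __name__ == "__main__":
    # Constructed sample data for the demonstration.
    key = new_pseudonym_key()
    candidates = ["bob@example.com", "ana@example.com", "eve@example.com"]
    print("unkeyed hash recovered:", guess_original(weak_pseudonym("ana@example.com"), candidates))
    print("keyed pseudonym recovered:", guess_original(pseudonym("ana@example.com", key), candidates))
    print(pseudonymise_record({"email": "Ana@Example.com", "name": "Ana", "total": "42.00"},
                              key, ["email", "name"]))
```

The point of the attack function is that pseudonymisation with a plain hash of a low-entropy value (email addresses, names, phone numbers) is not pseudonymisation at all; anyone who can enumerate likely inputs gets the originals back. The keyed version moves the "additional information" needed to re-identify into one secret you control.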
Identify who is responsible for the data
The user or customer must know who is responsible for their data, as well as why and for what purpose it is being collected, since this is the person to whom they can turn to request the revocation of their data, for example.
And another very important point: if there is a security breach, and the data has been exposed, there must be procedures in place to notify customers of what has happened. And you have to be able to prove that the person responsible has been ensuring the security and privacy of that data.
What is the purpose of the processing of that data?
Always, always, you have to explain clearly to your customer for what purpose you are going to collect and process their data. And what is the legal basis for this processing. Once again, clearly!
Let them know who is going to have access to the data
That is to say, you must tell the user which third parties (third-party services) will have access to this data: your hosting provider, associated companies if any, the email platform you use to manage the data, etc.
How long can I keep the data?
Make it clear how long you are going to keep their personal data (and for what purpose). You can’t keep them forever in your database, only for the duration of the processing of the data for the service offered. If there is no exact time limit, then explain the criteria you are following.
Your client has control of the data
One of the most important points of this new law is that users or customers should be aware of their rights regarding the management of their data and above all, be able to easily access the rectification or right to be forgotten.
Contractual obligations must be clearly indicated
If it is strictly necessary for them to give their approval to the processing of data in order to benefit from a service, you must clearly state this. Or to put it another way: if you do not provide your data, what is likely to happen, how does it influence or harm you within the service?
The client must be informed of everything
For example, something we usually do in ecommerce is build buyer personas. If you do this in an automated way, you must also warn customers that there are processes that may use their data for profiling, or that any other automated processing exists.
In addition, you must always inform them if the objective or purpose of your data processing changes.
And you can only take the data you need: if it is not related to the service you are going to offer, you should not ask for it.
The customer’s consent to the data processing must be on record
You will collect the express and accreditable consent of the users. This point is developed below.
The Spanish Data Protection Agency (AEPD) offers the free Facilita tool for the GDPR in Spain, aimed at companies that process low-risk personal data (personal data of customers, suppliers or employees).
What do I do with the lists and data processing I already have?
This is another of the most important points, and the one that raises the most doubts. You have been collecting customer and user data for months or years; are you going to lose it? Not necessarily. But you do have to review your existing lists, as well as the data capture systems on your website and the tools connected to it.
Customers who gave you their data under the LOPD, in a way that does not meet the GDPR's requirements, must give express consent to the processing of their data. Otherwise, you will not be able to use it.
For example, before May 25 you can send an email informing your customers of the new regulations, and indicating what data you have, what you are using them for, how to revoke them, etc. And they can tell you if they expressly accept these uses or not.
In the case of an ecommerce the same thing happens: if customers have already been told that their data will be used in the store and for what purpose – and most importantly, you can prove that you have their informed consent -, you don’t have to do anything. Otherwise, we’re back to the previous paragraph.
GDPR and the right to portability
Speaking of data you already have, the customer will be able to exercise the right to data portability as long as it is data that is being processed in an automated way. And in principle, only the data provided on the website will be ported, not the segmentations derived from subsequent processing of such data.
In any case, according to the GDPR, what you must do is provide the data "in a structured, commonly used and machine-readable format" (a CSV or JSON export, for example) so that the customer can easily transmit it to the controller at the other provider.
They even have the right to have "personal data transmitted directly from controller to controller where technically possible".
The truth is that this is a complex issue, and we advise you to read these guidelines from the Data Protection Agency to get all the information you need.
The GDPR and your users: privacy and consent are key
As you may have seen in the previous paragraphs, the new data protection law relies heavily on customer consent to the use of their information, and transparency. So it’s worth dwelling a little on this point.
All information relating to the processing of your data must be accessible and easy to understand. And without forgetting that consent to the processing of data must be revocable at the time the customer so wishes. And in an easy way, without “dizziness”.
You must inform them absolutely everything you do with the information they are giving you: the user has the power. And for the user to be able to consent to something and for it to be legal, they have to be clear about what that something is. Only then will they be able to give you the express and specific consent that you ask for. No implied or taken-for-granted consent.
And very important: you must be able to prove that you obtained this consent, in case you are inspected. For example, it is very important that your email marketing platform keeps a record of every consent acquired.
At a minimum, the data that should be included in this record would be, for example:
- date on which the consent was given
- the IP from which the consent was given
- the URL from which the consent was given
- the customer’s email address
- the customer’s name
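The list above says what to record; the harder part is proving later that the record was not edited after the fact. As an added example (not code from the original post or from any Prestashop module), here is a small append-only consent log holding exactly those fields plus the purpose and the action (grant or withdraw, since consent must be revocable), where each entry commits to the hash of the previous one. Any change or deletion of an earlier entry makes verification fail. The customers, addresses and timestamps are constructed; how you persist the entries (database table, file) is left out.

```python
import hashlib
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from typing import List, Optional

GENESIS_HASH = "0" * 64  # prev_hash of the very first entry


@dataclass
class ConsentEntry:
    timestamp: str    # ISO 8601, UTC: when consent was given or withdrawn
    ip: str           # client address the form was submitted from
    url: str          # page/form where it happened
    email: str
    name: str
    purpose: str      # one entry per purpose, e.g. "newsletter"
    action: str       # "grant" or "withdraw"
    prev_hash: str = GENESIS_HASH
    entry_hash: str = ""

    def compute_hash(self) -> str:
        # Hash every field except the hash itself, as canonical JSON so the value is stable.
        payload = {k: v for k, v in asdict(self).items() if k != "entry_hash"}
        canonical = json.dumps(payload, sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


class ConsentLedger:
    """Append-only log: each entry includes the previous entry's hash, so editing or
    deleting an old entry breaks verify()."""

    def __init__(self) -> None:
        self.entries: List[ConsentEntry] = []

    def _append(self, action: str, email: str, name: str, purpose: str,
                ip: str, url: str, when: Optional[str]) -> ConsentEntry:
        if action not in ("grant", "withdraw"):
            raise ValueError("action must be 'grant' or 'withdraw'")
        ts = when or datetime.now(timezone.utc).isoformat()
        prev = self.entries[-1].entry_hash if self.entries else GENESIS_HASH
        entry = ConsentEntry(ts, ip, url, email.strip().lower(), name, purpose, action, prev)
        entry.entry_hash = entry.compute_hash()
        self.entries.append(entry)
        return entry

    def grant(self, email: str, name: str, purpose: str, ip: str, url: str,
              when: Optional[str] = None) -> ConsentEntry:
        return self._append("grant", email, name, purpose, ip, url, when)

    def withdraw(self, email: str, name: str, purpose: str, ip: str, url: str,
                 when: Optional[str] = None) -> ConsentEntry:
        # Revocation is a new entry, never a deletion: the history of the grant is kept.
        return self._append("withdraw", email, name, purpose, ip, url, when)

    def has_consent(self, email: str, purpose: str) -> bool:
        """Current state is whatever the most recent entry for (email, purpose) says."""
        email = email.strip().lower()
        for e in reversed(self.entries):
            if e.email == email and e.purpose == purpose:
                return e.action == "grant"
        return False

    def verify(self) -> bool:
        """Recompute every hash and check the chain links; False means tampering or data loss."""
        prev = GENESIS_HASH
        for e in self.entries:
            if e.prev_hash != prev or e.entry_hash != e.compute_hash():
                return False
            prev = e.entry_hash
        return True

    def export_for(self, email: str) -> str:
        """The customer's own entries as JSON, for a customer panel or an inspection."""
        email = email.strip().lower()
        return json.dumps([asdict(e) for e in self.entries if e.email == email], indent=2)


if __name__ == "__main__":
    # Constructed sample data.
    ledger = ConsentLedger()
    ledger.grant("ana@example.com", "Ana", "newsletter", "203.0.113.7",
                 "https://shop.example/newsletter", "2018-05-20T10:00:00+00:00")
    ledger.withdraw("ana@example.com", "Ana", "newsletter", "203.0.113.7",
                    "https://shop.example/account", "2018-06-01T09:30:00+00:00")
    print("newsletter consent:", ledger.has_consent("ana@example.com", "newsletter"))
    print("ledger intact:", ledger.verify())
    print(ledger.export_for("ana@example.com"))
```

A hash chain on its own only detects tampering; it does not stop someone with write access to the storage from rebuilding the whole chain. If you need to prove the log to a third party, periodically publish or sign the latest entry hash (for example, with a key that the application itself does not hold) so an inspector can check that the chain they are shown ends at a value you committed to earlier.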
In the event of a security breach in which user data has been exposed, you must have procedures in place to notify the supervisory authority (in Spain, the AEPD) within 72 hours of becoming aware of it, and to inform the affected users without undue delay when the breach is likely to pose a high risk to them. You must also be able to prove that you had been ensuring the security and privacy of that data.
Your ecommerce forms adapted to the new data law of the European Union
For proper compliance with the new law, each form with a specific purpose (subscription, information requests, etc.) must be adapted to collect consent for that specific purpose, informing the customer specifically of how their data will be used.
You can no longer put the typical box to include the email and a button next to it saying “Send it to me”, “I want it”, because there you don’t explain anything. And remember that the basis of this new data protection law is transparency.
There can't be checkboxes ticked by default: you have to add a consent checklist that the customer ticks themselves, normally at the end of the form, just before they submit their personal data.
Now let's say you don't have any forms, just a contact email for anyone who wants or needs to write to you. Then, as long as you are not asking for personal information, a brief legal text in the signature of the email will be enough (it must also state who is responsible for the data and the corresponding GDPR information).
What are the penalties for not complying with the GDPR?
I’m sure this has been one of the first things you’ve looked at. And you may have noticed that the fines are much higher under the GDPR than under the LOPD.
Previously, penalties were classified as minor, serious and very serious. Under the new European data protection law, fines are divided into two ranges, serious and very serious, depending on which articles of the regulation are infringed.
Serious penalties can reach 10,000,000 euros, or 2% of the company's total worldwide annual turnover if that is higher, and cover:
- The obligations of the controller and the processor
- The obligations of certification bodies
- The obligations of the body monitoring a code of conduct
The very serious sanctions can reach up to 20,000,000 euros, or 4% of total worldwide annual turnover if that is higher, and cover:
- The basic principles that concern the processing of data. Here the correct consent of the user is contemplated, that is why it is a point that we highlighted before and that is why it is so important to comply with all the requirements.
- The rights of customers or users. Another point on which we have insisted a lot: transparency, access to personal data, the right to be forgotten, to automated individual decisions…
- Transfers of personal data to a recipient located in a third country or an international organization.
In addition, each state is free to associate criminal penalties to such violations.
But you can not only be fined from the state: the user himself, if he has seen his data violated, may also file a complaint and you could get to pay compensation. An aspect that was not contemplated in the LOPD.
As you can see, you have a lot at stake and it is essential that you take the necessary measures to comply with the law.
Install this GDPR module in your Prestashop store
It has become clear how important it is that your ecommerce collects data properly. And we tell you how we can help.
Thanks to our Prestashop GDPR module, which you can install in your online store, a popup will warn customers of the entry into force of the new law, and the module will take care of the technical part of the data processing:
- Acceptance of privacy conditions in the Newsletter form.
- Acceptance of privacy conditions in the Contact form.
- Acceptance of privacy conditions in the Registration form.
- Ability to delete customer accounts if there are no orders or invoices yet
- A record is kept with the necessary information of all consents obtained.
- If the customer had already given their consent under the old LOPD, on entering the store they will be asked to also accept the GDPR terms; otherwise they will not be able to continue using the store.
- The customer will be able to check from their customer panel the date on which they gave their consent.
- The customer may request the deletion of all their data from the store (as long as there is no current order or issued invoice, since invoices must be retained by law and deleting them would not be legal)
Regarding the administrative and legal part, as we indicated at the beginning of the post, remember that if you have any doubts you should consult a lawyer. From the Spanish Data Protection Agency, you have a free consultation service where you can solve your doubts.
Like everything new, now it seems a lot of things, but let’s be positive: the good thing about all this is that whoever gives you their data, will be 100% interested in what you offer, so it is understood that the number of leads will be greater. Don’t you think?
For the moment, we will have to see how everything evolves, as there are parts of the GDPR that are a bit obscure or difficult to understand, and we will have to see how they are applied. We will have to wait for the first resolutions to really see the magnitude of the changes brought by this law.