On 25 May 2018, the General Data Protection Regulation (GDPR) takes effect and replaces the current European data protection rules. The GDPR standardises the processing of personal data across the EU and applies to every company and institution operating in the EU that handles data such as names, addresses, bank details, dates of birth, photos, etc. Since nearly every company today comes into contact with personal data, implementing these rules is essential for every shop owner.
The most important facts about the GDPR
Although the GDPR raises the standard of privacy protection, implementing the new rules can pose real challenges for companies. Infringements can result in fines of up to 20 million euros or 4% of the company's global annual turnover, whichever is higher. The concrete measures a company must take vary considerably and depend on several factors. Here we have summarised the most important changes to the law:
GDPR: What every shop owner has to know
- Consent is mandatory: If a company wishes to collect personal data that is not strictly necessary for the fulfilment of a contract, it must obtain the consent of the data subject in advance, e.g. via a checkbox. That checkbox must be unticked by default: a pre-ticked box does not count as valid consent under the GDPR.
- Accountability: A company must be able to demonstrate compliance with the legal principles on request. To ensure this, it needs a functioning data protection management system in which the responsible persons and the relevant processes are defined and documented.
- Right to data portability: Customers must be able to receive their own personal data in a structured, commonly used, machine-readable format and to take it with them or have it transmitted to another recipient.
- Right to be forgotten: Every person has the right to have the data collected about them deleted. Where the conditions are met, the GDPR obliges companies to delete the data without undue delay. This applies, for example, if the data subject objects to the processing or if the processing was not lawful in the first place.
- Record of processing activities: With the introduction of the GDPR, a company is obliged to keep a record of all processing activities it carries out. The record should state who is responsible, the purpose of the data collection, the categories of data and recipients, and the deadlines for deleting the data.
The GDPR is of course not limited to these five points; it contains many other important rules, e.g. on sending newsletters or on the obligation to report personal data breaches. Our free whitepaper, produced in collaboration with Trusted Shops and C3 Media, gives you practical tips so that your online business is prepared for the change.
We have also created a supplementary wiki article, equally relevant for shop owners, developers and agencies, that answers the most important questions about Shopware and the GDPR: