Personal data helps companies understand their customers, target their prospects and personalize their offers. But customers are more and more wary of the ways in which companies use their data, and both their participation and the quality of the data they provide suffer as a result.
To gather quality data and build loyalty among increasingly demanding customers, today's companies must create a relationship of trust by fully complying with personal data protection rules. Aptly, the goal of the new European personal data protection regulation (GDPR) is to standardize and reinforce personal data protection throughout the European Union. It stipulates requirements and imposes heavy financial penalties, but offers consumers a real measure of confidence.
The GDPR: An Opportunity for Trust and Growth
Personal data collection and use are already regulated by the French Data Protection Act of 1978. However, certain rules still aren't being followed by some companies. A few labels, which serve as indicators of trustworthiness and transparency, already exist that let companies distinguish themselves from the competition in terms of personal data protection. These certification and labeling procedures began in anticipation of the coming European Data Protection Regulation (GDPR).
The GDPR will go into effect on May 25, 2018, with the goal of reinforcing the rights of individuals and the obligations of companies. All organizations that process or store personal data, as well as their subcontractors, suppliers and service providers, will be affected by this reform. Violation of the regulation is punishable by fines of up to 20 million euros, or 4% of total revenue.
By reinforcing and standardizing data management requirements in the European Union, the GDPR will result in improved transparency and trust in the digital world. For e-commerce companies to develop quality services based on data exploitation, users need to trust them, and they must retain control of their own personal data.
As with any regulation, companies may consider compliance with the GDPR a costly and difficult exercise. But rather than a burden, it should be seen as a new opportunity for growth and a way to truly stand out.
What are the new requirements for e-commerce companies and websites?
Companies can continue to innovate, as long as they follow the rules of the game. They will need to keep a log of all personal data processing, and must document all steps taken towards compliance. Depending on the context of the data processing, its purpose and its risks, companies may also need to implement “privacy by design” measures. These consist of integrating personal data protection principles both upstream, when a data processing method is designed, and throughout the life cycle of the data. Companies must also notify the CNIL within 72 hours of any personal data security breach that may present a risk for individuals, as well as notifying the parties concerned as quickly as possible. The regulation also applies to companies located outside of the European Union that offer products or services to individuals located within the EU, or whose business involves tracking or profiling these individuals. Lastly, designating a DPO or Data Protection Officer (internal or external) — a guarantee of good data protection governance — is required for companies whose main business involves processing large quantities of sensitive data or the automated tracking of individuals.
What new rights are granted to individuals?
With the advent of Big Data, respecting privacy has become more and more of a commercial concern, and will soon be essential for any company that wants to stand out from the competition and win customers' trust. In fact, the new regulation supports individuals by placing customers at the center of their own personal data protection. The goal is to allow customers to retain control of their data and make it easy for them to exercise their rights of access, rectification, objection, data portability and deletion at any time, unconditionally. Current legislation is already clear about the modalities for exercising these rights, but the European regulation expands them and shortens companies' response times to one month from receipt of the request for access (rather than two months). The right to data portability also allows individuals to request that their data be transferred to another service provider. Individuals can already request that their personal data be deleted, but the GDPR takes it one step further with “the right to be forgotten.”
According to the CNIL, fewer than 10% of all companies currently think they will be ready in time for the GDPR. To adopt the new requirements, organizations will have to double their efforts. Some may need to change or rethink their customer processes if they want to continue collecting, analyzing or using data in compliance with the coming regulation. Companies will also need to be vigilant in choosing their technological partners, to make sure they are using solutions that are in compliance with current and future regulations.