GDPR: new rules on data protection

16/05/2018
  • GDPR has arrived. It is an update to data protection legislation that you must know and comply with if you sell online. Get informed!

  • The legal framework on data protection is changing in Europe in a very important way. GDPR is an update to this policy that you cannot overlook, especially if you have an online store or a web page. 


    You are surely concerned about this legislation and have many questions, so how about we try to answer the main ones?

  • What is GDPR?

  • In these cases it is quite helpful to break down the acronym GDPR, which stands for: 
    • General 
    • Data 
    • Protection 
    • Regulation
    It is a law promoted at Community level to create a new legal framework that provides greater protection and legislates more evenly across the European territory in the field of personal data protection.
  • What is GDPR about?

  • This law is enacted at European level and must be complied with by companies, business societies, freelancers, communities and associations of the member states. 

    It is characterized by establishing new requirements we must meet if we do not want to act illegally in respect of data protection (even if we already complied with the previous data protection rules, as the new legislation is more restrictive than the former). It establishes more thorough control over the use made of information. 

    It is important to highlight the European character of this law, since it expressly prohibits sending collected data outside the Community's economic area to a country that does not offer full guarantees. Claims must be raised before the national authority concerned.

    At the procedural level, GDPR requires that the legal basis be known at the time the data is collected.

    In other words, the user has to be duly informed of the treatment that is going to be given to the information, and in a way that is clear, unambiguous and free of technical terms that could muddle its interpretation. 

    On the other hand, if we want to apply GDPR properly, we have to create two new figures for legal purposes within the company: one person in charge and another responsible for the data file (which may actually be the same person within the organization). 

    The responsible party is the person or entity that creates the database that collects personal information, or, at least, that decides on its use and management. 

    This figure, which already existed in the Organic Law on Data Protection (LOPD), must now in turn appoint a person in charge.
  • The definition of the person in charge of the file does not leave much room for doubt. It is: "the physical or legal person or [...] who processes personal data on behalf of the responsible of the treatment", that is, anything from an internal company role to an external legal service hired by it. 

    Among their obligations is notifying the relevant body (in the case of Spain, the Spanish Data Protection Agency) and the person affected of both the existence of the data and where it has been stored. 

    A concept of great importance within the new legal framework is accountability, or active responsibility. Basically, it means that anyone who manages databases of personal data must provide all the means and measures that favour their legitimate use. 

    All processes and procedures must be audited internally. Maximum security measures must be taken, notifying the corresponding agency of any incident. Only strictly necessary data must be collected and used.

    All of this should ideally be documented internally.

    The new legislation focuses especially on alerts in cases of security breaches, which must be notified to the corresponding body within a period of no longer than 72 hours. 

    When the risk is considered high, those affected must also be informed, in clear and transparent language that they can fully understand without a legal background, including the procedure to be followed. 

    It should also be stressed that GDPR extends to employees, not only customers. A confidentiality agreement must be signed with them and, although this was partially covered in the old LOPD, the cases and media covered are extended to reach all employee data the company accesses (email monitoring, company phones, CCTV recordings...).
  • When does GDPR become effective?

  • In fact, it has already been in effect since May 25, 2016. Before that scares you, we must say that, although it has been in force for nearly two years now, an adaptation and waiting period was established so that all those affected could adapt properly. 

    The effective start of the legal framework or, at least, of the obligation to be up to date is very near: May 25, 2018. From that moment, all those who have not adapted the collection, treatment and management of personal data to the GDPR will be at risk of being penalized.
  • What are the fines provided for in GDPR?

  • The truth is that penalties promise to be exemplary. They are expected to range between 2% and 4% of the company's annual turnover, with 20 million euros set as a maximum. 

    Obviously, these are very large fines, which shows that the European Union is beginning to take the commercial use of personal data seriously.
  • What happens to data I had already stored?

  • Nothing, in principle. Provided that it was obtained the way the new Regulation requires (i.e. with the knowledge and explicit consent of the person who gives it), it is not necessary to make a new notification. 

    If it was not obtained legally, a new notification to users is necessary, asking for their express consent and informing them of the planned data treatment. 

    And in any case, what changes is how you are going to collect data from your customers in the future. Whereas before you could sign up your clients or collect data such as their email address without further legal trouble, now it is essential that the customer accepts its transfer and treatment in a tick box created for that purpose. 
  • EXAMPLE: If a user must leave us their email in order to comment on our blog, they must accept the transfer of that email address and the treatment we are going to give it by accepting a legal text that explains it. But, worse still, we will not be allowed to send abandoned cart emails to users who have not registered, which puts all retargeting strategies in force so far on a tightrope. 
  • How should I adapt my website to the new GDPR?

  • All interactions between the user and the website in which there is a data exchange, whether a purchase or a promotional mechanic, are subject to this new legal framework. 
  • Here are some steps you need to follow to ensure a correct observance of the rules: 

    • Adapt forms, eliminating all automatic opt-ins. From now on, the user must show direct and proactive intent to complete the purchase or subscription. In addition, an informative clause in the form about the treatment the data is going to receive is compulsory.
    • Update the Privacy Policy in order to reflect:

    - Express mention of compliance with the GDPR. 
    - What information you are collecting and for what purpose it is to be used (under no circumstances can it be used for a purpose other than the one stated). 
    - Whether there are third parties who may have access to the data and, if so, who they are. 
    - The identity of the person in charge of personal data. 
    - Users' rights of rectification and withdrawal, as well as the process for exercising their right to be removed from our database. 
    • From now on, the cookie policy cannot be accepted tacitly or implicitly (the classic "If you continue browsing, you agree..." message). A button to accept this policy must be provided.
    • Record the data of those users who accept cookies in a database. This is essential in case of a complaint or audit, since the data must be produced to show that you are complying with the GDPR. 
    • Add a check box to your contact forms. It is important that the user expresses their consent directly. 
    • Add a link to further information for users who want it. There you will have to detail in depth: 

    - The purpose of the data 
    - Legitimacy of the data 
    - Recipients of the data 
    - Rights over the data 
    - Additional information 

    • Detail who is responsible for the data on your legal terms page, with a physical address and a website through which users who want further information or wish to remove their details may make contact.
    • In the case of sites that manage profiles, such as eCommerce, you must allow users to access their data and modify or delete it if they so wish. 
    • Make sure that your hosting or server is secure and meets the GDPR (the European regulation on data protection). European servers tend to be. If your server is in North America, it must be on the "Safe Harbor" list.
    • If you use external applications for analytics, CRM, mail managers, etc., make sure that they meet the GDPR. 
    • Double check the wording of your legal conditions and cookie policy. This information must be clear and intelligible.
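    One way to implement the opt-in, audit-record and withdrawal steps from the checklist above, as an added example that is not part of the original post. The in-memory log and the purpose names are assumptions; in production the entries would go to a database table.

```javascript
// Added example, not code from the original post: an express-consent ledger
// that records what each user opted into, so the record can be produced in an
// audit. Assumption: an in-memory array stands in for the database table.
const PURPOSES = ["personalization", "analysis", "marketing"]; // assumed names
const consentLog = []; // constructed stand-in for a persistent table

// Record a form submission. A browser only posts a checkbox as "on" when the
// user ticked it, so an absent box is never consent (no automatic opt-in).
function recordConsent(form, policyVersion, now = new Date()) {
  if (typeof form.email !== "string" || !form.email.includes("@")) {
    throw new Error("a valid email is required to identify the consent");
  }
  const entry = {
    email: form.email,
    granted: PURPOSES.filter((p) => form[p] === "on"),
    policyVersion, // which version of the legal text was shown and accepted
    timestamp: now.toISOString(),
    withdrawn: null,
  };
  consentLog.push(entry);
  return entry;
}

// The most recent record for a user decides; consent given under an older
// policy version, or later withdrawn, does not count and must be asked again.
function hasConsent(email, purpose, currentPolicyVersion) {
  const latest = [...consentLog].reverse().find((e) => e.email === email);
  if (!latest || latest.withdrawn || latest.policyVersion !== currentPolicyVersion) {
    return false;
  }
  return latest.granted.includes(purpose);
}

// Right of withdrawal: keep the entries (they are the evidence) but mark them
// withdrawn. Returns how many entries were affected.
function withdrawConsent(email, now = new Date()) {
  let count = 0;
  for (const e of consentLog) {
    if (e.email === email && e.withdrawn === null) {
      e.withdrawn = now.toISOString();
      count += 1;
    }
  }
  return count;
}

// Gate for the abandoned-cart case above: only users who expressly opted into
// marketing under the current policy may receive the email.
function canSendAbandonedCartEmail(email, currentPolicyVersion) {
  return hasConsent(email, "marketing", currentPolicyVersion);
}
```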
  • What about you, have you already adapted your eCommerce to GDPR? What steps have you followed? Do you still have questions? Share them with us!

  • Images | Unsplash, Fotolia. 

Miguel Nicolás


Miguel Nicolás O'Shea is a life-long copywriter (more than 15 years working in agencies) and a specialist in Search Marketing (SEO and PPC). From now on, he will contribute with his online marketing experience to Oleoshop, publishing regularly.
