GDPR and You

The GDPR and You as a CommerceHQ Customer

The EU General Data Protection Regulation (GDPR) is a far-ranging law that substantially changes how data protection is implemented in the EU region and affects businesses in the rest of the world. Our customers who are either based in Europe or serve European customers should carefully prepare for the changes scheduled to take effect on May 25, 2018. We are providing some guidelines on what is changing and topics for your consideration as you move forward. However, the GDPR is a comprehensive law, the information provided here is not legal advice, and we strongly urge you to consult with a lawyer to determine the exact next steps for your particular circumstances.

Data Protection Officers
The GDPR requires that certain businesses appoint a Data Protection Officer (DPO). A DPO is a staff member who is responsible for ensuring that the regulation is complied with. Not all companies are required to have a DPO. We recommend you research whether your company meets the criteria requiring a DPO.

Consumer Consent
When it comes to processing user data, you are required to secure consent from the user whose data you want to use and/or share. The GDPR lays out clear instructions on what user consent means, and it is much more specific than historical consent guidelines.
“Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement. Silence, pre-ticked boxes or inactivity should not therefore constitute consent.”

In order to comply with the new rules around consent, there are a number of things you’ll need to do. They include:
• Ensuring all your marketing materials, consumer contact forms, emails, online forms and requests for data give your customers and potential customers the option to share their data with you.
• Having reasons as to why you might use and store that data.
• Including in your communications details on how to request that their information be deleted from your and your partners’ databases.

You should therefore consider the following:

  1. Are you collecting personal information such that you need to obtain an affirmative opt-in consent?
  2. How are you tracking and recording the affirmative consent action?
  3. Have you adequately explained why you need the personal information you are asking for?

Personal Data Collection
The definition of personal data is very broad: it includes “any information relating to an identified or identifiable natural person.” Specific examples include a name, an identification number, location data, an online identifier such as an IP address or cookie data, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Consider whether your user experience includes the collection of any data similar to the above. If so, you need to take appropriate steps in accordance with the GDPR.

Privacy Notice Requirement
A privacy notice is a public statement of how your organization applies data protection principles to processing personal data. The GDPR says that the information you provide must be:
• Concise, transparent, intelligible and easily accessible;
• Written in clear and plain language, particularly if addressed to a child; and
• Free of charge.

Subprocessing
In the event you use a third-party company to process personal information regarding your users, there may be certain requirements placed on you to ensure they are properly protecting your users’ personal data. Consider whether this burden is yours or whether it falls on the third-party data processing company.

Parental consent
Under the GDPR, “processing of the personal data of a child” is only allowed by law when the child is at least 16 years old. If a child is under 16 years of age, companies must obtain consent from the child's parent or legal guardian to collect and process their data. Any collection of data from children under the age of 13 is prohibited.
Companies who seek consent must also “make reasonable efforts” to verify that parental consent is valid. However, the regulation does not explicitly state how organizations are supposed to do this, only that it must be done taking into consideration available technology. You should consider what reasonable efforts are available to you in your circumstances.
Consider whether your current procedures stop the processing of data for users under 16 or alternatively require parental consent.

Third Party apps
The GDPR requires you to participate in the protection of user personal information. Generally speaking, it is your users’ responsibility to review the policies of the third-party apps you provide; however, depending on your location, the location of the third party and your users, there may be enhanced data protection requirements you need to be aware of.
Consider how providing third-party apps may increase your compliance requirements regarding user personal data.

Erasure requests
Under the GDPR users have what is known as the “Right to be Forgotten.” The right enables users to request the deletion of their personal data. It is not a universal right and there are some restrictions regarding a user’s right to have their data erased. You should, nevertheless, plan to have a procedure whereby you have the ability to delete all user data upon a qualified request.
The Right to Erasure applies in the following circumstances:
• The personal data is no longer necessary in relation to the purpose for which it was originally collected
• The processing was based on consent, and the user has now withdrawn consent
• The user objects to processing and there is no overriding legitimate interest to retain
• The data was being unlawfully processed
• The data must be erased to comply with a legal obligation

GDPR data requests
The GDPR introduces the ‘right of access’ for individuals to the personal information you have collected about them. Starting May 25, 2018, users will have the right to request:
• Confirmation that their data is being processed;
• Access to their personal data; and
• Other supplementary information

Data breach notification
If you experience a data breach and the GDPR applies to you, you might be required to notify affected users or specific regulatory bodies. Where applicable, you are required to provide notice within 72 hours of becoming aware of the breach. You should put together a data breach response plan for your business so that you are prepared for such an incident.
The GDPR requires that in the event of a data breach:
• You may be required to notify users and/or regulatory authorities of the breach.
• When notification is required, it must be done within 72 hours of awareness of the breach, unless there are legitimate reasons for a delay.

Consider whether you have a plan in place to issue the required notifications in a timely manner.

User access request procedures
The procedure for making and responding to subject access requests remains similar to that under most current data protection laws, but there are some key changes you should be aware of under the GDPR:
• In most circumstances, the information requested must be provided free of charge.
• Information must be provided without delay and within a month.
• Users must be able to make requests electronically as well as physically.

The following should be considered when determining whether you are in compliance with the GDPR:
• How are you storing the data, and in what way can you provide it to the user in a manner that is easy for them to access?
• Do your current means of responding to user inquiries meet the standards of the GDPR?
• What other parties, if any, will you need to be in contact with in order to respond to a user access request?