From May 2018 onwards, a new privacy law called the General Data Protection Regulation (GDPR) will come into effect in the European Union (EU). If you’re running an ecommerce web store catering to the EU or are a business operating in the EU, you need to be aware of this new privacy law and its implications for your business.
As a NetSuite Solution Provider, we are committed to helping our customers comply with the GDPR, through our partnership with NetSuite and Oracle.
The General Data Protection Regulation (GDPR) is essentially an update to the existing data protection laws of the EU. It expands the privacy rights of EU citizens (in light of technology developments) and imposes new rules on companies, government agencies, non-profit organizations and any other organization around the world that offers products/services to EU citizens, or collects or uses their personal data. Any company that fails to achieve GDPR compliance will be subject to heavy penalties and fines.
The GDPR will regulate all data processing related to EU citizens and puts tighter restrictions on data processors and data controllers. The data processing covered under this regulation includes the collection, storage, transfer or use of personal data, as well as the tracking of the online activities of EU citizens. The GDPR applies to any organization that processes the data of EU citizens, regardless of whether it is physically based in the EU or not.
The purpose of the GDPR is to provide more rights to EU citizens and better privacy protection for their personal data. Any company that collects its customers’ or visitors’ personal data, or stores it anywhere, must therefore comply with the requirements that the GDPR introduces. Some of the key ones include:
Expanded Rights of EU citizens – The GDPR expands the rights for EU citizens and provides them better control and ownership of their personal data. It also gives them the right to delete/restrict their data and the portability of that data.
Data Privacy and Security – The GDPR requires companies to implement appropriate levels of data privacy policies and security protocols, in order to prevent the loss/leak or unauthorized use of personal data. All companies collecting or handling personal data will have to document and maintain records of their security practices, conduct regular assessments/audits of their data security systems and take corrective measures if any lapses are discovered in those data security audits.
Data Breach Notifications – The GDPR also requires companies to report any data breach to regulators within 72 hours of learning about the breach. Along with this notification, they must provide all details about the nature of the breach and number of individuals affected by it. The company must also notify the affected individuals as quickly as possible, so they can take remedial action.
Data transfer across borders – For companies operating in multiple EU states, the GDPR mandates the appointment of a data protection officer to oversee their GDPR compliance. It also requires such companies to work with a supervisory authority in order to resolve any cross-border data protection issues that may come up.
The GDPR will introduce increased fines and penalties for non-compliance with data protection laws, as compared to the previous Data Protection Directive. The fines will be determined based on the circumstances of each case. Under the GDPR, the supervisory authority can fine organizations up to 2% or 4% of their annual global revenue, or €10 million or €20 million respectively, whichever is greater. The supervisory authority can also direct companies to take certain corrective measures in order to improve their data security systems and processes, order them to remove certain data, or even forbid them from transferring any personal data in their possession to other systems or countries.
Due to our partnership with Oracle NetSuite and our experience with the NetSuite platform, its APIs and the underlying data structure (thanks to our broad portfolio of NetSuite customizations and data connectors), we’ve developed a strategy to help our customers comply with the GDPR.