From 25 May 2018 the new EU regulation governing the collection, storage, transfer and erasure of the personal data of individuals in the EU applies. How will this affect every merchant working in the European market, and why?
On 14 April 2016 the European Parliament adopted the GDPR (General Data Protection Regulation), a legislative act that protects the personal data of every individual in the European Union. Unlike the Data Protection Directive of 1995, the new rules apply directly in every member state without national implementing law, and they extend protection beyond the EU's borders: they bind any individual or legal entity, wherever it is established, that offers goods or services to people in the EU or monitors their behaviour and thereby collects their personal data.
This means that almost every online merchant that sells to customers in the European Union falls within the scope of the Regulation. An e-commerce site collects at least the buyer's name, surname, address and e-mail address. Companies that hold a PCI DSS certificate and are permitted to collect and store payment card data must additionally align their card-data processing with the Regulation, since PCI DSS compliance on its own does not satisfy it. Even a seemingly innocuous process such as collecting a customer's e-mail address for a newsletter is tightly regulated.
What will change under the new rules?
The GDPR is a document of about 90 pages (in the English version alone) that sets out the procedures for collecting, storing, transferring, accessing and deleting the personal data of individuals in the EU. Every merchant is advised to read the text of the Regulation carefully; the list below is a short summary of the main innovations:
1. Extraterritoriality – the Regulation is directly applicable law in all EU member states, and it also applies to anyone, inside or outside the EU, who processes the personal data of individuals in the EU while offering them goods or services or monitoring their behaviour. Note that the Regulation protects natural persons only; data about legal entities is not personal data.
2. Penalties and fines – the new rules impose fines for non-compliance of up to 4% of the company's total worldwide annual turnover or 20 million EUR, whichever is higher.
3. Consent to processing – any company within the scope of the Regulation must bring its user agreement and privacy policy into line with the GDPR: consent must be freely given, specific, informed and unambiguous, requested in plain language separately from other terms, and as easy to withdraw as it was to give. Pre-ticked boxes, silence and inactivity do not count as consent.
4. Notification of data breaches – a controller must notify the supervisory authority of a personal data breach within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the individuals concerned; a processor must notify the controller without undue delay. Where the breach is likely to result in a high risk to the affected individuals, they too must be informed without undue delay. The duty covers actual breaches, not merely suspected threats, but the 72-hour clock means an incident response process that can assess and report quickly has to exist before the incident.
5. Right of access, data portability and the “right to be forgotten” – every individual in the EU can ask the company processing their data what data it holds and how it is used, and the company must respond within one month. The data must be kept in a structured, commonly used, machine-readable form so that, at the individual's request, it can be transferred to another controller or erased from all media. In effect the company holds user data “on loan” and undertakes to return or delete it on request.
6. Data Protection Officers – under the previous legislation, a company processing personal data had to notify its processing activities to the local data protection authority, which for many internationally oriented companies amounted to bureaucratic routine. Under the new rules that general notification duty disappears; instead a company must appoint a data protection officer only if it is a public authority, if its core activities involve regular and systematic monitoring of individuals on a large scale, or if it processes special categories of data (such as health, biometric or criminal-conviction data) on a large scale. The DPO can be an employee or an external contractor, reports directly to the highest level of management, and may hold other duties only if they do not create a conflict of interest with the DPO role.
What actions should be taken by companies?
Despite the apparent complexity of the GDPR's requirements, two things should be kept in mind. First, almost a year remains before the Regulation applies, which is enough time for a company to consult a lawyer and draw up a compliance plan. Second, most of the rules do not differ greatly from those already in force, so provided your company does not keep customer data publicly accessible somewhere on Google Drive, the changes are likely to be largely nominal.