GDPR - General Data Protection Regulation for online stores

On May 25, 2018, the GDPR, the EU General Data Protection Regulation, which introduces new requirements regarding data processing and data collection, will come into force. EU regulations are directly applicable in all European Union countries and do not require implementation in the national laws of the member states.

At IAI, the priority is always the broadly understood security of the customers using our services.

The safeguards used at IAI include, among other things, SSL-encrypted connections, automatic system updates, server monitoring and a privacy policy. What is more, every customer can easily acquire their own SSL certificate in the administration panel.

IAI is available in the SaaS model: we are a cloud software supplier and act as the entity that processes data on behalf of users (the online stores of our clients), who are the controllers of this data. This is a significant difference between the SaaS model and the license model, in which the provider only occasionally has any contact with personal data. This usually happens when a service intervention becomes necessary. In the license model, the contract for entrusting personal data for processing is drawn up so that in emergency situations the controller of the personal data has the right of access, and it constitutes a kind of addition to the other contractual provisions concluded between the parties. The situation is different in the SaaS model, where a contract for entrusting personal data for processing is an indispensable element of using software in the cloud. At IAI we have special contract forms, and we also remind clients who have not yet provided us with a contract in paper form that they should do so as soon as possible. It is only a formality, and it provides peace of mind.

We are a SaaS software provider, and because we have contact with such confidential and sensitive data, there are a number of obligations and conditions imposed on us that we must meet so that the processing takes place in accordance with the current law. The entry into force of the GDPR tightens these regulations even further, but we are prepared for it. Having been a software supplier in the SaaS model for many years, we are aware that our liability for violating the rules of processing the personal data placed by users is at a much higher level than that of software providers in the licensing model. Beginning on May 25, 2018, the liability of IAI becomes a direct responsibility towards the persons whose data is processed in the SaaS software supplier's system. This puts our clients in a better position than those using their own software, who need to take care of all the details and levels of security themselves.

In addition, the GDPR provides even greater security to entities using the SaaS model by introducing a fundamental change in the way the data controller is responsible for the security of personal data. The existing regulations stipulated that the software provider must provide the protection described in the executive provisions to the Act on the Protection of Personal Data. Until now, it was usually sufficient to meet the formal requirements specified in the regulation of the Minister of Interior and Administration of April 25, 2004 on the documentation of the processing of personal data and the technical and organizational conditions which should be met by devices and IT systems used to process personal data. However, these regulations have clearly become outdated and no longer reflect what is happening in the modern world.

The entry into force of the GDPR changes the binding model of responsibility for securing the processed data, which now consists in the obligation to provide protection adequate to the nature of the data being processed. An example is the length of a password and how often it should be changed: the GDPR does not impose any solutions in this respect, in contrast to the current regulations. Once the provisions of the GDPR apply, the technical and organizational measures will have to be selected independently. In selecting such measures, many factors will have to be taken into account, including the state of technical knowledge, the costs of implementation, the assessed likelihood of a threat, the severity of a given threat and the specific nature of the data being processed.

At IAI we have thousands of clients, and over a dozen or so years of presence on the e-commerce market we have done our best to keep our systems and internal procedures at the highest level of security. Again, in this respect our clients are in a much better situation than those who use their own licenses and their own software: they have to work all of this out themselves, while our clients can simply rely on our experience and knowledge. Thanks to this approach, as a SaaS service provider we are able to meet, on behalf of our clients, one of the fundamental assumptions of the GDPR: the principle of privacy by design. This means that thanks to our long-term approach, our system is also adapted to the way data is processed in a very specific market sector such as online stores.

What should every company implementing the GDPR in its online store know? How should it prepare for the implementation of the GDPR so as not to be caught by surprise and not expose itself to artificially inflated costs?

It is worth being wary of the traps set by self-proclaimed specialists, and understanding exactly what to prepare and how, so as to grasp the ideas behind the GDPR and apply them in everyday practice. What actually remains for the online store to work through is primarily:

  1. Determining how to implement the GDPR: should the shop do it itself by designating an employee or team responsible for the implementation, or is it better to use a specialized external company? There is no clear answer to this question. It is a fact that not many small and medium-sized companies have the internal competence to implement the GDPR, nor are they large enough to pick out the advisers who will reliably lead the company through the nuances of new documentation and new rules. Therefore, it is worth considering commissioning the implementation of the provisions of the GDPR to a consulting company, but it is also worth reviewing the offers of these companies very carefully, forming your own critical opinion and not being swayed by price alone.
  2. The next stage of implementation should be to create a work schedule. It can indicate the scope of work and the deadlines for the individual stages of implementing the GDPR. Such a schedule will make it possible to determine which of the tasks will be the most time-consuming and costly, as well as to check whether the actions taken are on time and whether all the work can be completed within the prescribed period (the GDPR becomes effective on May 25, 2018). The schedule will also help in determining which work to start with and which tasks may give the company the most difficulty.
  3. When creating procedures and documentation for the GDPR, it will be necessary to review the processed data and the processing operations within the company in terms of:
    1. identifying the company's own data sets and those entrusted to it for processing,
    2. the legal bases for data processing,
    3. determining the purposes of processing: are they specific, explicit and legally justified,
    4. minimization of data (whether all processed data is necessary to achieve the purposes of processing). Here we reach two assumptions of the GDPR, privacy by design and privacy by default, which state that data must be processed only to the extent necessary and that the entire software design and development process is to be used to secure data. For companies using SaaS solutions such as IAI, this is a huge advantage because they do not have to worry about it. Stores using their own software will have to document, with each change or addition of a new function, that they operate according to these rules. However, it is worth checking whether other programs, for example CRM or ERP, store and process unnecessary data, which would be contrary to the privacy by default principle.
    5. checking whether data is correct and current and, if not, removing or updating it. On this topic it is worth consulting a lawyer who specializes in the protection of personal data.
    6. checking whether the purpose for which the data was collected still applies and, if not, deleting this data. However, for data needed to carry out a transaction and then used for tax documentation, this point is of little importance. You may have to slightly modify the content of the consent clauses for sending newsletters or other electronic messages to a client by adding information about the data processing, the purpose of the processing and the details of the controller of the personal data, as well as about the recipients' rights.
    7. checking whether data is properly protected against loss, destruction or damage: a review of IT systems, in particular for confidentiality, integrity, availability and resilience of the systems, and the ability to quickly restore the availability of and access to personal data in the event of a physical or technical incident. In the case of data stored in IdoSell Shop systems, the online store does not have this problem, because IAI is responsible for it, yet various data is also stored in the office or warehouse. It is worth spending a moment checking this data, if only for your own safety and peace of mind.
    8. Updating the terms of service, information clauses, the clauses of consents granted and the forms of granting consent. Here the entries will be fairly standard and will require no more effort than adding entries to the standard "check-box" for consenting to the processing of personal data, the store's terms and conditions or the privacy policy.
    9. Fulfilling the information obligation, including information on profiling, provided of course that profiling takes place as part of the activities carried out by the online store.
    10. Verification of consent by the parent/guardian of a child under 13 years old, again only if there is a real suspicion that the purchase is being made by a child below this age.
  4. Conducting a risk assessment; it is not mandatory for all entrepreneurs, but it seems necessary for online stores.
  5. A significant change introduced by the GDPR is the obligation to have a document that sets out the purposes for which personal data is processed and the contact details of the person or persons who are the controllers of this data. It does not have to be a paper document; it can be a plain text document or a spreadsheet. You should adopt (by ordinance or resolution) written documents such as: a data protection policy, or a modified privacy policy if one already exists; a register of processing activities/categories; a general description of the technical and organizational security measures; and a risk assessment. As you can see, although these are not complicated documents, there are a few of them, and for that reason alone it is worth thinking about commissioning them from a specialist.
  6. The next step is to authorize employees to process data, and to process it only on instruction.
  7. Of course, it is necessary to train all employees (regardless of the form of their contract) in data protection rules. It is worth preparing a certificate stating that they have received this information and will apply it. It should also be strictly demanded, especially in the first weeks after the introduction of the GDPR, that this information becomes a habit. Please also bear in mind that everyone is required to report violations. Do not feel offended by employees or subcontractors if they report such a violation to you. After reporting it, nothing bad will happen; not reporting it would be much worse. There will be 72 hours to file the report.
  8. Conclusion of a personal data entrustment agreement, but in the case of IAI this issue is resolved by a standard agreement and the provisions of the IdoSell Shop Terms and Conditions. The last step is appointing a Data Protection Supervisor from among the staff, who will be in charge of monitoring the GDPR principles, especially those described in point 7.

All this information shows the amount of work to be done when creating the GDPR documentation. Thanks to this, as a potential client of a law firm, each store can realistically assess the scope of the proposed work and its valuation. It is certainly not worth skimping on this work, but it also makes no sense to overpay.

Given the many requirements to be met and regulations to be followed and, most importantly, the fact that they are to some extent discretionary, a company with many years of experience, including experience with this particular software model, is an ideal entity to entrust with the processing of its data. IAI is professionally prepared to meet the requirements of the GDPR and is able to provide the highest level of security, adequate to the relevant circumstances. This is possible thanks to the company's existing technical back-up as well as its qualified staff. The measures IAI will use include, among others, encrypting data and monitoring it continuously.

Rafał Malujda
solicitor / patent agent
malujda.pl

This website will be updated together with the appearance of new circumstances regarding data processing.