Buying and Selling Online: How the GDPR Affects You

The European Union (EU) took a huge step in influencing how the world does business online by adopting the General Data Protection Regulation (GDPR) in April 2016. As you may know, the regulations were fully implemented a little over two years ago. Whether we all know it or not, the GDPR has made a significant impact on how companies view data privacy.

In the most general terms, the GDPR is designed to protect consumers against two things. First is the misuse and abuse of their personal information by companies and organisations who collect it. Second, it is intended to reduce the likelihood of data breaches by forcing companies to be more responsible with the data they possess.

If you own a business or operate a non-profit that collects personal information for any reason whatsoever, you are required to comply with the GDPR regarding all of your customers who live in the European Union or the European Economic Area (EEA).

You absolutely must comply if you sell online to customers in the EU or EEA. Even if your business is located outside one of the two areas, you must comply if you do business inside. And yes, the GDPR even affects you as a consumer. You may not own a business, yet you buy online. The GDPR impacts what you do.

Basic Tenets of the GDPR

The basic tenets of the GDPR are rooted in privacy. For purposes of clarification, the legislation identifies three parties in the data protection equation:

Collector – An organisation (whether for-profit or not-for-profit) that collects personal data from users.

Processor – A third-party organisation that controls and processes data on behalf of the collector.

Subject – The person whose data is collected and processed.

Regulations stipulate some simple ground rules designed to protect subjects. For starters, data cannot be processed without a subject's informed consent unless there is a legal basis for doing so. The law allows for only a few exceptions. Once given, consent may be withdrawn by the subject at any time and for any reason.

Subjects themselves have a number of rights specified under the GDPR:

Access – Subjects have the right to access their own personal data upon request. Collectors and processors must furnish it without delay.

Transparency – Subjects have the right to receive that data in a clear, concise, and transparent way.

Elimination – Also known as the right of erasure, subjects can request that all personal information pertaining to them be eliminated from collector and processor computer systems. Both must comply.

Objections – Finally, subjects have the right to object to the use of their personal information for marketing and related purposes. They can object to their information being used autonomously as well.

There is more to the GDPR than these general provisions. From a consumer standpoint, they have the right to control their own personal information. They have the right to determine how it is used by organisations and their third-party processors. But understand that consumers wishing to exercise said rights must actively do so. Organisations will not go out of the way to help.

Ramifications for Business Owners

Two years on and it is not clear whether business owners and other organisations have mastered all of the implications of the GDPR. The complex nature of the regulation suggests a high likelihood of some organisations still not in full compliance. Small businesses and not-for-profits are especially vulnerable right now.

What must be understood is that the GDPR does not apply just to organisations within the EU. That is perhaps the biggest misunderstanding of this entire thing. Any organisation that collects and processes information on EU citizens and residents are required to comply. How compliance is enforced beyond the EU's borders is another matter altogether.

The best bet for organisations is to work with a data privacy consultancy capable of running a complete audit and coming up with effective solutions. It should be noted that one of the provisions of the GDPR requires companies to prove, on-demand, that they are complying. Regular audits are a very helpful tool for doing so.

Audits can show a company where it is complying and where it is not. They can help a company develop written policies and procedures for maintaining compliance day-to-day. Such a collection of documents would serve as proof should a company ever be called on to prove compliance.

When the GDPR was first announced back in 2016, it was hailed as one of the most important pieces of legislation for consumer privacy in EU history. Such claims may have been overdone at the time, but we now see just how much of an impact the legislation has had on the way organisations operate online.

Whether you are a buyer or seller, the GDPR affects what you do online. Whether or not it is good depends on your perspective. The one thing we do know is that it's not going away.