Let’s imagine a boutique in Chelsea, a chic Manhattan neighborhood. Let’s say that store gets 40% of sales from customers who stroll into its cozy space in a row of Georgian buildings. But the rest of its sales are online—to customers in London, Amsterdam, Munich and around the world. With the new European Union General Data Protection Regulation (GDPR) going into effect, the shop owners realize that their website would need to comply with the regulation, so they decided to tackle GDPR compliance in stages.
Begin Assessment
The shop began assessing their site’s distance from compliance by identifying key priorities. First off, the retailer had mailing lists of customers and shipping/order information; therefore, it identified recordkeeping and consent as key priorities to address.
Understanding What They Had
Next, the shop had to understand what information it had. This is easier said than done, since the shop is dealing with suppliers, customers and employees. The shop owners categorized the data they collected—such as customer names, credit card information and email addresses. Next, they looked at vendor and employee information (including Social Security numbers, addresses for payroll, and other data).
Getting the Privacy Policy Up to Date
Next up, the boutique had an existing privacy policy, but the owners realized that it had to be entirely rewritten, because the GDPR requires easy-to-understand, clear language. The shop owners worked with attorneys to clearly express when, how and, most importantly, why the shop was collecting any data.
Assessing Shop Procedures for Personal Data
Next, the shop owners conducted an assessment of how the shop could secure personal data, and how it could give customers the option to remove all data from the company’s records. This process was included in its policy.
The shop and its lawyers followed what the GDPR outlines as individual rights:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling.
New Practices
Then, the shop had to create new protocol and new systems for data collection.
Now, new suppliers, vendors and customers are no longer automatically included in email newsletters or other future communication.
All customers for the online store are directed to a new registration form where they indicate their consent preferences. Additionally, the default setting on the online store is set to opt customers out of any marketing email: They must affirmatively untick a box to be included in the list.
The shop continues to have customers opt-in to its services (like newsletters), and it should move forward, confident in its compliance.
Helpful resources:
The European Union GDPR Information Portal
https://www.eugdpr.org/
Free webinars
https://www.itgovernance.co.uk/webinars/eu-gpdr-webinar#missed
Compliance guide
https://www.itgovernance.co.uk/resources/green-papers/guidance-for-achieving-compliance-with-the-eu-gdpr
Video
https://www.youtube.com/watch?v=bRNsFM6cU58
Pete Salsich III has been General Counsel for Coolfire Studios, LLC (an entertainment content creation studio), Coolfire Solutions, Inc. (a mobile software development studio focused on the military and commercial enterprise), and MedAware Solutions, Inc. (a mobile software platform company focused on the healthcare industry). Since joining AEGIS, Pete continues to serve in this capacity.
