General Data Protection Regulation for ecommerce. Reach Digital - 18 december 2017

Transcription

1 General Data Protection Regulation for ecommerce Reach Digital - 18 december 2017

2 GDPR for ecommerce This document is intended to determine the recommendations and responsibilities for an ecommerce merchant to adhere to the GDPR regulations. 1 The GDPR legislates common sense for Personal Data. The GDPR is created to protect the personal information of every persoon in the EU. The GDPR is a single legislation that will apply to all member states of the EU. The GDPR will enforce heavier penalties when data breaches occurs. 1 This is not a legal document. This is provided as a technical interpretation of the guidelines.

3 Inhoudsopgave 1. Roles 2. Personal Data 2.1. Personal Identifiable Information is not equal to Personal Data 2.2. Giving consent for Personal Data 2.3. Right of access 2.4. Right to erasure 3. International companies 4. Breaches 5. Penalties 6. Data Minimisation 7. Pseudonymisation 8. Record keeping 9. General summary 10. GDPR for Magento

4 1. Roles The main new part the GDPR are the responsibilities of the Data Processor. The Data Controller (merchant) already has a lot of these responsibilities. Data Processor Hosting : Processes data on behalf of the Data Controller Services like Cloud Providers Has direct statutory obligations May be subject to direct enforcement Data Subjects Natural person / customer For the scope of GDPR: This is a citizen or resident of an EU member state. The natural person is the rightful owner of the personal data not the organization holding it. Data Controller Merchant The organization that collects data from EU citizens or residents. Determines the purpose, conditions a means of processing personal data Existing DPD obligations (UK) Data Protection Officer: Directed by a company engaged in regular and systematic monitoring of individuals on a large scale Works independently to ensure that an entity is adhering to GDPR regulations Penalties exist when a company doesn t have a DPO. A DPO is required when certain criteria is met This role has existed since 1979 in Germany Data Protection Authority National Authority tasked with the protection of data. They have the powers to enforce

5 2. Personal Data Any information relating to an identifier or identifiable natural person (data subject). Sensitive Personal Data Race Ethnicity Sexuality and Sex life Philosophical beliefs Examples: Name Date of birth Address Mobile device ID Social media posts Photographs 2 Trade union memberships Health Genetic & Biometric Data Gene sequence Fingerprints Facial recognitions Retina scans 2 There are some IoT devices that could collect become sensitive. For example: Heart rate monitors.

6 2.1. Personal Identifiable Information is not equal to Personal Data Personal Identifiable Information is Personal Data Personal Data is not always Personal Identifiable Information. Examples: A photograph of a landscape is not Personal Identifiable Information, but is is Personal Data. An IP-address alone is Personal Data (but isn t in the US, so definitions differ from country to country)

7 2.2. Giving consent for Personal Data Giving explicit consent for Sensitive Personal Data Freely given: Data Subjects must give consent without detriment Specific: The consent must be intelligible Sensitive Data Collection is different from Personal Data that a Data Subject must give Explicit Consent: Checking a box that clearly states how data will be used. Informed: The purpose the data will be used for Unambiguous: clear affirmative action to signify consent. This will happen in de form of a message that is easily readable to the customer where it dives consent to the customer. A child is required to obtain parental or guardian consent for any data processing activity.

8 2.3. Right of access 2.4. Right to erasure Data Subject may obtain confirmation that their data is being processed and gain access to the data itself. Data Subject may request erasure of their data when there is no compelling reason for it to be retained. Data should also be erased when the Data Subject withdraws consent. Data should be stored as long as it is needed and then it should be removed.

9 3. International companies This Regulation applies to the processing of personal data of Data Subjects who are in the Union by a controller or processor not established in the Union If you target the EU you are required to follow GDPR. - EU Office - EU Currencies - EU Languages - EU Domainnames If you offer a service that doesn t explicitly target the EU, you are not required to adhere to GDPR.

10 4. Breaches As soon as the controller becomes aware that a personal breach has occurred, the controller should notify the personal data breach to the supervisory authority without undue delay and where feasible, not later than 72 hours after having become aware of it. Article 33, paragraph 1 There is one mayor caveat to this: Unless the personal data breach is to result in a risk to the rights and freedoms of natural persons. This means that in general all Personal Data breaches must be reported. In case of a breach the following information should be provided to the supervisory authority: - Categories of data - Approximate number of Data Subjects concerned - The likely consequences of the breach. - Any measures to mitigate the effects

11 5. Penalties When data is breached a penalty can be given: GDPR talks about the penalties as Effective Proportionate Dissuasive A fine up to 20M or 4% of the annual worldwide turnover of the preceding financial year in case of an enterprise, whichever is greater. This is the most heavy claim that there is available, but there are smaller fines when for when example the obligations of the data controller aren t met : - Smaller fines: Up to 10M or 2% of gross worldwide turnover - Audits: Regular periodic data protection audits - Warnings: A warning in writing in cases of first and nonintentional non-compliance.

12 6. Data Minimisation Protection by Design and by Default. The objective is to always protect the data. Where? How many locations does that data need to exist in? Does it really need to be in all those systems? Personal data shall be adequate, relevant an limited to what is necessary in relation to the purposes for which they are processed. It tries to battle Data Maximization Store as much data as you can. What purpose? Is the data being used solely for the purpose it was provided for? We see it being used for something different. To promote something different or market another product. What Data? Determining if someone is above 18 years or older requires to you ask for their birthday, but after knowing that someone is older, you do not need this information anymore after that. How Long? Signing up for a competition is required, the data is stored as long as the competition runs, storing the data is later not longer necessary

13 7. Pseudonymisation Pseudonymisation means the processing of personal data in such manner that the personal data can no longer be attributed to a specific data subject without the use of additional information. It does significantly reduce the risk in case of a breach. There should be no impact on the individuals them selves. This is the common sense part of the GDPR. Encryption: Encrypted data can be leaked, but without the private keys the individuals aren t harmed. Encryption at rest and Encryption in transit Hashing: Data can still be compared, but can t be unhashed. Masking: Replacing all or parts of the data. Partial data addresses do not leak the complete address Aggregation: So rather than individual records, rolling it up in to a non-identifiable aggregation of that data helps. Indirect references: Without direct references

14 8. Record keeping Each controller (and where applicable, the controllers representative) shall maintain a record o processing activities under its responsibility. Name and contract details of the controller The purpose of the processing The categories of data subjects and categories of personal data. Categories of recipients to whom the personal data have been or will be disclosed. Any transfer of the data to another country or international organization Time limits for erasure. Technical and organizational security measures. Exceptions The Record Keeping obligations shall not apply to an enterprise or an organization employing fewer than 250 persons. Except: If the processing likely to result in a risk to the rights and freedoms of data subjects. If the processing is not occasional The processing includes special categories of data: Sensitive personal data or Genetic and Biometric data

15 9. General summary Are you in Scope: Establish wether GDPR affects your business Understand your data: What do you have? Where is it? Whose is it? Data Minimization: Retain only that which is adequate, relevant and limited. Pseudonymisation: Protect the data that you have to the full extend possible. Protection by Design: Begin with this at the inception of the business concept. Common Sense: GDPR is regulating things that already make sense!

16 10. GDPR for Magento Please note again: This is Reach Digital s interpretation of the information available on the subject. This is not legal advise. Magento does not store Sensitive Personal Data, but does store Personal Data. This means that you do not need Explicit Consent to store data. To store Personal Data, a Magento shop needs Consent that is: Freely given, Specific, Informed. Unambiguous Magento currently offers a way to inform customers about current Cookie policies, the texts should be amended to also create the GDPR consent. Right to access: When a customer requests for access, it should be possible to provide all information to the customer. It currently is possible export all the information from Magento. There are no automatic systems in place to provide this functionality. Customer Service representatives can export this information manually. Right to erasure: When a customer requests for erasure, it should be possible to delete all information from Magento. By default it is possible to delete a customer completely, but it is not possible to delete order information. When a company is larger than 250 people you need to track all your information that is send to other companies or companies outside the EU. Magento EE Admin Logging does track some of the transactions. Magento Order Comments track basic connection information. All connections that use API s (Shipping, Payment Service Providers, Marketing tools) should include extensive logging and keep those logs for a long time. You are not allowed to send information to new services the Data Subject hasn t given consent to. For example: If

17 you never asked for consent to send Upsells via , you aren t allowed to. A system should be build to upgrade a customer to the latest Data opt in when the customer visits the site. You are required to host your Magento shop on a Data Processor -compliant server / organization. This doesn t mean that you *need* to store information in the EU. We expect Hosting companies we do business with to adhere to the GDPR rules. Data breach impacts should be minimized. Encryption, Hashing, Masking, Aggregation, Indirect references.: Take security seriously, if you don t design with security in mind you re doing it wrong. Magento 2 EE s database separation is a great example of the Indirect References. Magento 2 offers top notch password hashing.

18 Conclusion The new regulations seem to be a reasonable step forward in the always changing digital landscape. With the the recent breaches like the Equifax hack 3 it becomes more and more clear that companies don t even implement the most basic measures. We expect that there will be fines when large sums of personal data is leaked, but we expect the larges companies to be fined first before the regulators go after smaller companies. The legislation isn t in effect yet, we ll have to wait how heavy the penalties will be. Questions? Paul Hachmang paul@reachdigital.nl Reach Digital info@reachdigital.nl KvK Veenderveld 5, 2371TV BTW NL B01 3 Information is taken from: Roelofarendsveen IBAN NL03KNAB