This article originally appeared on the Lerman&Szlak website.
Based on the presentation at the AMDIA – CACE event on Privacy at the University of San Andres, on November 8, 2018.
- E-Commerce
It is now my turn to talk about the repercussions of these changes in privacy legislation on e-commerce. To analyze the topic, I want us to think about how the changes affect a typical e-commerce company.
Let’s think about a marketplace that sells different products (its own or third-party products), that does marketing in multiple digital media, that tracks and keeps a record of the consumer’s activities and preferences on its platform, and that stores not only data such as name, surname, address, ID number and telephone number, but also financial data, geolocation data (GPS, IP address) and consumer preferences (which can often reveal sensitive data such as medical and health-related data, political affiliations and sexual preferences).
My idea is to tell you how the change in legislation affects e-commerce in Europe and here, and what guidelines companies have to adopt to comply with the regulations and continue growing and implementing their business plans on this foundation of protection.
- First guideline: Principle of PROACTIVE Responsibility
This is what the new legislation and the GDPR call the responsibility of companies for data processing.
This concept is fundamental because it establishes the basis that not only must one comply with the legislation, but one must also be in a position to prove to the regulatory entity that one is in compliance with the law.
Compliance then is not so tedious, mysterious or unfathomable. Above all: if one adopts the basic guidelines required by the legislation, and is in a position to prove that one did so, then one should not have problems with the new changes.
What guidelines should be adopted?
- Fine-tune your Privacy Policies and Terms and Conditions. In most cases e-commerce sites and platforms already have these, but they need to be sharpened using the guidelines we will see here.
- Take appropriate security measures regarding the data and create internal security documents. The most serious companies already do this; many times it is mainly a matter of expressing it in a formal internal document, defining minimum security requirements, and defining who is legally and technically responsible.
- Maintain appropriate contracts with all providers that process personal data (called DPAs, “Data Processing Agreements” or contracts with data processors). These contracts have to be in place and are essential for both small and large companies: if all or part of the data is stored on another company’s servers in the cloud (such as Amazon Web Services, for example), if we have an external provider that analyzes our data (Google Analytics), or if we have consultants or programmers in charge of the security or maintenance of our platform (this applies especially to startups).
- Take into account the figure of the Data Protection Officer (DPO), which is established by both regulations. For certain types of companies (especially those that process data on a large scale or process sensitive data), it will be an important figure for showing that one complies with the regulations.
- And in general, implement all Privacy by Design measures, that is, incorporate into the design process of the platform and the technological product the measures needed to comply with data regulations and to demonstrate that we do so.
That is the general picture, and I repeat: if we are aware that we have to comply with certain basic guidelines and that the global standard has risen, and if we actually produce good documents (Privacy Policies, Security Documents, DPA contracts with suppliers), think about the Data Protection Officer and implement privacy-by-design measures, then we are well positioned for what is coming.
- Now, all this comes with a clarification: if sensitive data is processed, such as data related to health, political affiliations, sexual preferences, biometric data or genetic data, then the above applies, but special care must also be taken; those are separate cases.
- Compliance checklist
- (1) Fine-tune the Privacy Policies and Terms and Conditions: What points cannot be missed?
- Identity and contact information of the Data Controller
- Details of the Data Protection Officer
- PURPOSE: For what purpose we collect the data, and on what legal basis (we ask for the user’s consent, or the law authorizes us to process it without consent)
- RECIPIENTS: Who will receive the data, and, if applicable, categories
- INTERNATIONAL DATA TRANSFER: If the data is going to be transferred to entities abroad, or if cloud computing is used, expressly disclose that the data is stored abroad and that the service operates that way
- TERM: Period in which the data is saved and CRITERIA to establish it
- RIGHTS OF INTERESTED PARTIES (data subjects): this section has an educational purpose!
- Right of access
- Right to Object
- Right to Erasure (“right to be forgotten”)
- Right of Rectification
- Right to data portability, to withdraw consent, to complain
- CONSEQUENCES OF NOT PROVIDING THE DATA: If the data is requested as part of a legal or contractual obligation, explain what happens if the user does not provide it (in general, a worse user experience)
- AUTOMATED DECISION MAKING: For example, when profiles are created, explain why (to improve the experience, for quality control); if these profiles serve to make automated decisions without human intervention, disclose the procedure.
- Automated decision making is permitted if:
- It is necessary for a contract between the data subject and the data controller
- It is authorized by law
- There is explicit consent.
- (2) Appropriate security measures regarding data and creation of the relevant internal security documents
- Which people have access to which information
- Error control
- Controls and backup copies
- Record of logs and incidents, internal procedures for this purpose
- Password policies
- User identification and authentication
- Malware prevention
- Encryption
- Dissociate/anonymize data where possible
- Audits
- Data transmission protocols
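As an added illustration of the “dissociate/anonymize data where possible” item above (and of what may be handed to an external analytics provider under a DPA), here is a small Python routine, not part of the original talk, that reduces the marketplace record described earlier (name, surname, ID, telephone, IP address, GPS, preferences) to a pseudonymized copy. The field names, the key and the sample values are constructed assumptions.

```python
import hashlib
import hmac
import ipaddress

# Constructed placeholder: in practice the key is held only by the data
# controller, so the processor can never re-identify a customer token.
PSEUDONYM_KEY = b"replace-with-controller-held-secret"

# Direct identifiers that an analytics processor never needs in the clear.
DIRECT_IDENTIFIERS = ("name", "surname", "id_number", "telephone", "address")
# Preference categories that can reveal sensitive data (health, politics, sexuality).
SENSITIVE_PREFERENCES = {"health", "politics", "sexuality"}


def pseudonym(value: str) -> str:
    """Keyed hash: the same customer always maps to the same token, but the
    token cannot be reversed or recomputed without the controller's key."""
    digest = hmac.new(PSEUDONYM_KEY, value.strip().lower().encode(), hashlib.sha256)
    return digest.hexdigest()[:16]


def truncate_ip(ip: str) -> str:
    """Keep only the network part of the address (IPv4 /24, IPv6 /48)."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False).network_address)


def coarsen_gps(lat: float, lon: float, decimals: int = 2) -> tuple:
    """Round coordinates to roughly 1 km so they no longer pinpoint a home."""
    return (round(lat, decimals), round(lon, decimals))


def dissociate(record: dict) -> dict:
    """Build the copy of a customer record that is allowed to leave the controller."""
    out = {
        "customer_token": pseudonym(record["id_number"]),
        "ip_prefix": truncate_ip(record["ip"]),
        "approx_location": coarsen_gps(*record["gps"]),
        # Direct identifiers are dropped; only non-sensitive preferences are kept.
        "preferences": {k: v for k, v in record["preferences"].items()
                        if k not in SENSITIVE_PREFERENCES},
    }
    assert not any(field in out for field in DIRECT_IDENTIFIERS)
    return out
```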
- (3) Maintain appropriate contracts with all providers that process personal data (called DPAs, “Data Processing Agreements” or contracts with data processors)
For example, companies like Amazon have incorporated a Data Processing Addendum, which covers:
- Data confidentiality
- No use of the data by the processor for purposes other than those instructed
- Technical and organizational measures to respond to security incidents
- Notification of security incidents, taking responsibility for them
- Whether sub-processors are used, and which ones (TRANSPARENCY)
- Holding certifications
- (4) Take into account the figure of the Data Protection Officer (DPO)
- Companies with more than 250 employees (Europe)
- Large-scale data processing
- Main activity consisting of processing sensitive data
- (5) Privacy by Design: Think about these aspects from the first moment, cooperate between areas of the company, and do not wait to call legal at the last minute.
If we adopt these measures, organizing the resources we already have, accompanying our users by giving them security and transparency in the processing of their data, and working with experts on the subject, then we are in a good position to comply with the legislation and ensure a successful transition.