
Experts interview on the GDPR: What to know about May 25th, 2018?

Paylobby has talked to Fresh Compliance about the upcoming General Data Protection Regulation (GDPR) and what it means for e-commerce and online trading. The young Berlin-based consulting firm advises many digital economy companies on data protection and data security and takes a practical approach rather than relying on scare tactics.

What do you usually first advise e-commerce customers with regard to the new data protection requirements for the deadline May 25th?

Fresh Compliance: In many cases, we first have to calm down the companies, as the media stirred a lot of panic. European online shops, especially, are often quite well established and have, for example, proper privacy policies and even in-house data protection officers. While it is true that the implementation deadline for the regulation has been set to May 25th, it will also apply to national legislators in the EU. Many have failed to fulfill their obligations to specify certain regulatory content. We believe that the national supervisory authorities will not immediately and mercilessly hand out fines. The principle of proportionality should be observed.

So, until May 25th, there is no obligation to reach a perfect data protection level?

Fresh Compliance: No, being in the implementation phase is enough. Of course, some points have priority. For example, the data subject rights, which guarantee the right of end customers to delete their user profile or to know which data has been passed on to logistics partners and credit rating agencies. The focus, also on the part of the supervisory authorities, is on the increased transparency obligations. The end customers should always know what happens to their data.

Which issues do you encounter more often in view of the GDPR in the e-commerce environment?

Fresh Compliance: In our experience, the topic of order processing is treated with a rather low importance in privacy policies. This can especially be a problem with payment service providers. If I offer an international platform with dozens of white label payment options, I cannot conceal this from the customer, but I must clearly identify this. However, I have to conclude an assignment processing contract or data processing agreement with the external service provider, if end customers’ personal data are transmitted in my assignment.

One often hears that consents with the GDPR are a matter of choice? What about interest-based advertising and tracking?

Fresh Compliance: In fact, consent can be a legal certainty, provided that checkboxes are formulated in simple and understandable language. But the GDPR also recognizes other legitimations, most notably interest considerations and a possibly existing contractual basis with the end customer. In the preamble (*explanations from the legislator) of the GDPR, marketing is explicitly listed. Advertising tracking and analytics on the website still have their (legal) raison d'être. Again, what matters is that the user is informed about it and is offered an opt-out possibility, e.g. in the privacy policy.

You've talked about scare tactics, how do you assess the new ePrivacy regulation, which is also in deployment and implies many changes for all website operators?

Fresh Compliance: As things stand, the new "Cookie Law" will not come until 2019. There is a lot of lobbying and association work going on here. In contrast to the GDPR, the ePrivacy Regulation actually recognizes - at least according to the current state of affairs - express consent as the means of choice; for example, a visitor can choose to "allow cookies" in an online shop. Subsequent opt-outs would probably no longer be legally secure. We do not want to make any prediction, but on some points the ePrivacy Regulation and the GDPR are diametrically opposed. Either way, the ePrivacy Regulation should not (yet) be in my operational scope. The goal for European companies is the GDPR.

In your opinion, what is often too short in data protection?

Fresh Compliance: First of all, data security, i.e. the core area of technical protection measures. Companies are confronted with completely new requirements by the GDPR, which are only known to people familiar with ISO 27001, BSI Grundschutz or PCI-DSS. For example, new proof requirements arise about the load capacity of systems. Depending on how worthy of protection my customer data is (risk-based approach), I will have to think about using a service provider for penetration tests and vulnerability analysis. It is important that you can continuously prove that you protect the data. Checking once and then never again is not the right way.

And privacy management! It annoys us when this area is dismissed as a documentation topic. Often even by external consultants and self-proclaimed data protection experts. Similar to an information security management system, GDPR aims to understand data protection as a management task and to create rule-based processes. The aim is to create a corporate culture that no longer understands data privacy as a tiresome documentation topic, but rather as a risk-based business process that applies to every project. This awareness can only be created together with the management and a corresponding commitment to dealing with data protection risks.

What are the most popular mistakes on the way to GDPR?

Fresh Compliance: We sometimes experience that the CEO or CTO is named Data Protection Officer. This is a conflict of interest that regulators do not accept. Another misunderstanding is that the GDPR is not applicable. Even in the US and China, it can be relevant if EU customers are my target group. It is not for nothing that Facebook is considering making the GDPR its standard.



Fresh Compliance is a young Berlin-based consulting firm focusing on data protection and data security. The goal of the founders is a practical and business-oriented consulting approach, in order to understand the Data Protection Regulation not as a problem but as a solution.
