The EU General Data Protection Regulation is already enshrined in law and becomes a binding requirement from 25 May 2018. The regulation applies to all organisations that deal with EU citizens, regardless of whether the organisation, or its web hosting, is based within the EU. It runs to 204 pages.
If you have 250 or more employees, this briefing note does not cover some further essentials that you must implement with regard to your internal task allocations and responsibilities; you will doubtless have the resources to follow those through yourselves. It is unlikely that either large or smaller businesses will need the use of ‘consultants’.
For smaller businesses, the regulation comes down to two very simple principles.
You should only collect data on individuals that is essential to processing an order or, if not essential, whose use is justified and explained.
You cannot assume that an individual’s failure to query your use of a data element, or their acceptance of a pre-ticked box, amounts to consent. There is no such thing as ‘implicit’ acceptance of the use of personal data.
For example, if you ask for a phone number, you should explain that you may wish to call the customer if there is a delivery issue. It may also act as an anti-fraud measure, allowing you to call to check the delivery address. This is often specifically in the customer’s interest, but you must explain it.
So look at what data you collect and explain why you want any data that is not obviously essential to handling the order. That’s all there is to it.
The SafeBuy Team