privacy notice Archives - TechGDPR (https://techgdpr.com/blog/tag/privacy-notice/)

Seven Actionable Steps to Achieve GDPR Compliance for E-Commerce Businesses
Published Wed, 07 May 2025, https://techgdpr.com/blog/seven-actionable-steps-to-achieve-gdpr-compliance-for-e-commerce-businesses/

GDPR compliance helps businesses ensure transparency, build customer trust, enhance data security, and avoid fines of up to €20 million or 4% of turnover. Many companies, such as Amazon, LinkedIn, Clearview, and Netflix, have faced significant fines due to data protection failures.

E-commerce businesses process large amounts of personal data, including contact details, payment information, and browsing history, all of which require protection. By implementing strong data protection practices and security measures such as encryption and access controls, businesses can reduce the risk of breaches and cyberattacks.

GDPR compliance for e-commerce businesses demonstrates a commitment to protecting customer privacy and encourages continued customer relationships, giving businesses a competitive advantage over those that are not GDPR-compliant.

Here are seven actionable steps that may help e-commerce businesses navigate GDPR compliance effectively.

Conduct a data audit 

When deciding to work towards GDPR compliance in e-commerce, it is important to start by conducting a comprehensive inventory of data collection processes. 

The steps to carry out the audit could include:

  • Identify all personal data categories collected, such as contact details, payment details, and activity logs, and the granular purposes this collection serves. Determining the retention period is important, as the GDPR does not allow indefinite retention.
  • Review how and where personal data is collected and stored, whether on cloud servers, local databases, or third-party platforms. Regularly review third parties and minimize retention periods, with clear specifications on when data will be securely deleted. Additionally, document the security measures implemented to protect the data.

Access and consent management

Access to customer data should be limited to authorized employees, IT administrators, and secure third-party providers on a need-to-know basis.

Consent for cookies can be effectively implemented through a cookie banner, allowing users to manage or withdraw consent anytime. Use clear opt-in mechanisms for newsletters, cookies, and marketing, avoiding pre-checked boxes. Maintain consent logs for audit compliance, ensuring each data use has separate, revocable consent without affecting core services.

Review and update privacy notice

A company’s privacy notice should be clear, easily understood, and transparent to ensure GDPR compliance and build customers’ trust. The privacy notice should clearly state:

  • what data you collect and why (e.g., personal details, payment information, browsing behaviour),
  • how the data is used,
  • the purposes of data collection and processing, and
  • how customers can exercise their rights, such as requesting data deletion or correction.

It is important to regularly review and update the privacy notice so that it reflects any changes in data collection, processing, or legal regulations and compliance is maintained.

Enhance security to protect customer information

With the rise of cyber attacks worldwide, protecting personal data is an essential aspect of GDPR compliance for e-commerce businesses. Customers trust businesses with sensitive information such as payment details, addresses, and browsing history. Implementing strong data security measures reduces breaches, while a structured response plan ensures quick recovery and minimizes damage.

To minimize security risks, e-commerce businesses may implement:

  • End-to-end encryption: Encrypting sensitive customer data both in transit and at rest helps prevent unauthorized access. Even if the data is intercepted, it cannot be read without the correct encryption key. Encryption should be standard for all online transactions.
  • Multi-factor authentication (MFA): Access control may require additional verification steps, such as one-time passwords (OTP) or biometric authentication. This reduces unauthorized logins.
  • Regular security audits: Routine system checks to identify vulnerabilities. These assessments help prevent data leaks and support GDPR compliance.
  • Access control & monitoring: Role-based access control (RBAC) restricts users to the permissions defined by their role, ensuring that only authorised personnel have access to sensitive personal data.

Investing in robust data security produces a security plan that protects customers and supports GDPR compliance across all operations.

Offer employees training

Employees are the first line of defence in data protection, so regular, comprehensive GDPR training is important for e-commerce businesses. Breaches occur through human error, such as mishandling sensitive data or falling for phishing scams. The employer is responsible for ensuring that employees are well trained on data protection and compliance requirements.

Businesses should provide ongoing training and workshops to keep employees’ knowledge of data protection, evolving threats, and regulatory changes up to date and to raise awareness within the organization.

Establish data subject rights procedure

Under the GDPR, data subjects have rights, including access, erasure, rectification, and objection, that give them control over their personal data.

E-commerce businesses must have clear procedures for handling and responding to these requests efficiently. GDPR compliance requires a response within one month; delays or non-compliance can lead to fines.

To ensure compliance, businesses may:

  • Appoint a data protection officer (DPO), in line with European Commission guidance, or an internal team working under the guidance of a DPO, to monitor compliance and data protection issues. “It is much easier and cost effective” to appoint an external DPO.
  • Create a clear and accessible process for handling data subject requests, such as an email address or request form on the website.
  • Implement automated tools to manage and track data subject requests within the required time frame.
  • Keep records of all requests to demonstrate compliance if audited.

Review third-party agreements

E-commerce businesses sometimes utilize third-party vendors, such as payment processors, cloud storage providers, and marketing platforms, to handle customer data. Therefore, it’s crucial to ensure these vendors comply with data protection regulations to safeguard customer information and avoid potential risks.

Under the GDPR, a data protection agreement with a third-party vendor is required if the vendor processes personal data on your behalf.

Here are steps that could be considered to manage risks associated with third-party vendors:

  • Identify all third-party vendors that process customer data and assess their data security measures.
  • Ensure that all vendors handling personal data have a supplier agreement in place outlining responsibilities, security measures, and data processing activities.
  • If a vendor transfers data outside the EU/EEA, ensure they follow GDPR requirements.
  • Regularly review vendor policies, conduct security audits, and ensure that the vendors comply with GDPR requirements.

Conclusion

By implementing these seven actionable steps, e-commerce businesses can mitigate risk, protect customer data, avoid penalties, and build trust.

Hiring an external DPO, either in the absence of an internal data protection team or to advise and provide competent GDPR support to the internal DPO, will ensure proper compliance in line with the GDPR and provide a competitive advantage in the market.

Data protection digest 5-19 Jul 2024: LLMs and personal data, social media monitoring, differential privacy
Published Mon, 22 Jul 2024, https://techgdpr.com/blog/data-protection-digest-22072024-llms-and-personal-data-social-media-monitoring-differential-privacy/

In this issue we highlight SOCMINT as a new standardised procedure, data processing in LLMs and supported AI systems, an updated standard data protection model, third-party tracking technologies in health and care, and much more.

Stay up to date! Sign up to receive our fortnightly digest via email.

LLMs and personal data

In a discussion paper, the Hamburg Data Protection Commissioner discusses whether large language models store personal data. The paper distinguishes between an LLM as an AI model (e.g., GPT-4) and as a component of an AI system (e.g., ChatGPT). The mere storage of an LLM does not constitute processing. Thus, data subject rights cannot relate to the model itself. Claims for information, deletion or correction can instead relate to the input and output of an AI system of the responsible provider or operator.

To the extent that personal data is processed in an LLM-supported AI system, the processing operations must comply with the requirements of the GDPR. This applies in particular to the output of such a system. Similarly, any training that may violate data protection regulations does not affect the legality of using such a model in an AI system. See the full discussion paper here.

The most recent clarifications by the French CNIL on the deployment of Generative AI systems and the official EU AI Compliance Checker might be useful for your organisation. The latter also recommends that you obtain expert legal advice before using AI solutions.

Privacy notice

The UK Information Commissioner encourages people to check how an app plans to use their personal information before they sign up. It is far too easy to just click “agree” when installing a new app. But signing up often involves handing over large amounts of sensitive personal information, especially with apps that support our health. An organisation that values your privacy will make its privacy notice easy to understand and set out how it will use your personal information, with whom it will be shared, what security measures are in place, and whether your data will be deleted when you stop using the app.

CCTV

The operation of CCTV in gym facilities should, on the one hand, aim to ensure the protection of the facilities in question while, on the other hand, respecting the right of customers and employees to protect their privacy, reiterates the Cyprus data protection authority. CCTV can be permitted at a gym entrance/exit, parking space, reception (cashier area only), and the general perimeter of the gym property.

It is not allowed in the areas where people exercise, kitchens, restrooms/changing rooms, and offices. Audio recording is not allowed under any circumstances. Video material must be accessible only from a device located within the premises of the gym and to which only the director and/or an authorised person has access. Ongoing access to said material from a personal device is not permitted.

More official guidance

EU-US DPF: The EDPB has published an EU-US Data Privacy Framework FAQ for European individuals and businesses: how to benefit from it, how to lodge a complaint and how this complaint should be handled by the EU and US authorities. It also covers what to do before transferring personal data to a DPF-certified company in the US (data controllers or processors), and self-certification of US subsidiaries of EU/EEA businesses.

DPIA: The Latvian data protection authority DVI invites industry professionals and interested parties to share their thoughts and provide real-world examples of the Data Protection Impact Assessment. A DPIA is a procedure by which, through risk inventory, analysis, and evaluation of prospective outcomes (identifying severity and likelihood), an organisation can identify potential dangers to natural persons that may arise from planned data processing. It also includes the identification of measures to prevent those risks. The draft guidance can be read here (in Latvian).

AI projects sandbox: The Danish data protection authority has selected two AI projects for examination in its sandbox project. One aims to develop an AI insurance assistant for structuring and summarising accident claims (to determine the degree of injury more quickly than today). The other is a public-private innovation to develop a solution that will ease the documentation burden for employees in health and care.

Social media monitoring

According to Privacy International, social media monitoring, or SOCMINT, is becoming more common and standardised but is still mostly uncontrolled and inconsistent. One of the most vivid examples is fraud investigations by the UK Department for Work and Pensions. Alongside covert surveillance tactics, the department’s staff guide has an entire section on “Open Source Instructions” on the use of publicly available information.

However, such invisible monitoring goes against or beyond individuals’ reasonable expectations and their possibility to anticipate intrusive examination. 

GDPR in practice

The Fundamental Rights Agency recently published the report “GDPR in practice – the experience of data protection authorities”. All the improvement areas directly or indirectly target the availability of human, financial and technical resources. In particular, underfunded and understaffed authorities are obliged to prioritise complaints handling over the other regulatory tasks that the GDPR has entrusted to them, such as promoting awareness and providing advice, undertaking their own investigations and external cooperation.

SDM 3.0

The German Data Protection Conference published the updated Standard Data Protection Model – a method for data protection advice and testing based on uniform objectives, Data Guidance reports. In particular, the model transfers the legal requirements into technical and organisational measures required by the GDPR, which are detailed in the catalogue of reference measures. The SDM is aimed at both the supervisory authorities and those responsible for processing personal data. 

EHDS

In the next couple of years, patients, healthcare providers, and authorised researchers within the EU will start using the European Health Data Space, and a DLA Piper legal blog sets out the standards for the electronic health record systems it relies on. Interoperability and the logging component are two essential components of the software that makes up such a records system. Further requirements for conformity can be read in the original analysis.

More legal updates

Dark patterns: The Canadian Privacy Commissioner, together with other counterparts, conducted a review of over 1000 websites and apps and found that nearly all had at least one deceptive design element that potentially violated privacy requirements. This includes complex and confusing language, interface interference, nagging, obstruction, and forced action (tricking users into disclosing more personal information than is necessary to access a service). When two or more deceptive design patterns are used together, they can become more effective.

HBNR: Starting in July, the amendments to the US Health Breach Notification Rule went into effect. The rule now explicitly covers health apps and similar technologies not covered by the Health Insurance Portability and Accountability Act. HBNR requires vendors of personal health records and related entities to notify individuals, the Federal Trade Commission, and, in some cases, the media of a breach of unsecured personally identifiable health data. It also requires third-party service providers to notify such vendors and related entities.

Rhode Island became the nineteenth US state overall and the seventh state in 2024 to enact a comprehensive privacy law, the Future of Privacy Forum sums up. The law will take effect in 2026. It includes familiar terminology and core obligations, such as controller/processor responsibilities, rights of access, correction, deletion and portability, express consent for processing sensitive data, and disclosure requirements, but lacks data minimisation requirements or an obligation for controllers to recognize universal opt-out mechanisms.


Enforcement decisions

Smart cameras in Turin: The Italian regulator Garante sent a request for information to the Municipality of Turin on a new video surveillance system that, reportedly, would also use AI. It would allow municipal police to understand in real-time whether it is necessary to intervene in an emergency or for safety reasons. The Municipality was given 15 days to clarify the advanced features of the camera, and also send a copy of the technical documentation, and the purposes and legal basis of the processing of personal data.

Personal details on the intranet: The Finnish regulator ruled that a company (a bus operator) did not have the right to publish 300 employees’ personal phone numbers on the intranet. The company argued that it is important for drivers to communicate with each other while working. On their work phones they can only call predefined numbers, and sending text messages is blocked. The regulator argued that work numbers should be the primary means of communication between drivers. In addition, employees’ data may only be processed by persons whose job duties require it, such as supervisors or HR.

Local government data: The UK Information Commissioner issued the London Borough of Hackney council with a reprimand following a cyberattack in 2020 that led to hackers gaining access to and encrypting 440,000 files. The data included residents’ racial or ethnic origin, religious beliefs, sexual orientation, health, economic data, criminal offences, and other data including basic personal identifiers such as addresses. Hackers also deleted 10% of the council’s backups. The systems were disrupted for many months and, in some instances, services were not back to normal until 2022.

Drugstore visitors’ tracking

The Dutch data protection authority (AP) has imposed a fine of 600,000 euros on the parent company behind the drugstore Kruidvat. The company (AS Watson BV) tracked millions of visitors to Kruidvat.nl without their knowledge or permission and was able to create personal profiles recording which pages they visited, which products they added to their shopping cart and bought, and which recommendations they clicked on. In the cookie banner on Kruidvat.nl, the boxes to agree to the placement of tracking software were checked by default. Visitors who wanted to refuse them had to go through several steps.

More data on the use of third-party tracking technologies in the health and care sector can be read here.

Background checks: The province of British Columbia and the Privacy Commissioner of Canada have joined forces to investigate Certn Inc., a business that provides landlords with tenant screening services. They will look at whether Certn complies with the requirements of both the federal Personal Information Protection and Electronic Documents Act and the Personal Information Protection Act of British Columbia (where the company is based). In particular, they will examine whether the data it gathers, uses, and discloses for tenant screening is sufficiently accurate, complete, and up to date.

Data security

Differential privacy: The latest US NIST cybersecurity insights discuss protecting trained models in Privacy-Preserving Federated Learning. The techniques must be combined with an approach for output privacy, which limits how much can be learned about individuals in the training data after the model has been trained. 

Differential privacy is the most robust known type of output privacy. To protect against privacy threats, techniques for differentially private machine learning incorporate random ‘noise’ into the model during training. The training data cannot be later recovered from the model because the random noise prevents the machine from remembering details from the training set.

Global IT outage: A Reuters analysis briefly explains the latest cyber outage when CrowdStrike’s software update caused Microsoft Windows to crash. Companies such as CrowdStrike employ cloud-based solutions for virus scanning, early warning systems for possible cyberattacks, and barriers against hackers accessing company networks without authorisation. This time, a conflict appeared between CrowdStrike code and the Windows operating system’s code, which is why certain PCs crashed even after they were rebooted. 

Big Data

Chromebooks: The Danish data protection authority has assessed that 52 municipalities are now complying with its order from January to stop passing on the personal data of school children to Google for unauthorised purposes. The contract has been adapted to ensure that personal data will only be processed following the instructions of the municipalities. The Danish regulator has also asked for the EDPB’s opinion on a final assessment of the data processing chain in the municipalities’ use of Google’s products (including maintenance of infrastructure on the supplier’s side).

Oracle has reached a $115 million privacy settlement in the US. The digital files of hundreds of millions of people, reportedly containing where they browsed online, where they did their banking, bought gas, dined out, shopped and used their credit cards, were allegedly sold by Oracle directly to marketers. The company also agreed not to gather user-generated information from URLs of previously visited websites in future, or text that users enter in online forms other than on Oracle’s websites.

The differences between Privacy Policy and Privacy Notice
Published Tue, 24 Oct 2023, https://techgdpr.com/blog/the-differences-between-privacy-policy-and-privacy-notice/

Although it is common practice to approach privacy notice and privacy policy as the same, they are very different and serve different purposes. This article aims to define both privacy policy and privacy notice and to address their differences.

To understand the differences between both vehicles, let us look at semantics.

Privacy Policies

A policy, as understood in the ISO management system family of standards, such as ISO 9000 for quality management and ISO 27000 for security management, outlines and specifies a set of standards within an organisation. It helps to clarify the company’s objectives and sets out the best practices that staff and other stakeholders should observe to reach those objectives.

Hence, a privacy policy is a document that outlines the organisation’s approach and best practices regarding privacy and data protection, setting the organisation’s privacy goals and strategies and defining the means of achieving them. This policy can reference other internal documentation about privacy and data protection practices. These might include handbooks, guidelines, standard operating procedures, manuals, job-aids, etc.

The format of the privacy policy will follow the organisation’s standards; however, it should include at least (1):

  • the purpose of the policy, setting out the organisation’s privacy goals and delineating how the policy is meant to help the organisation achieve them;
  • the scope of the policy, and to whom it applies;
  • the risks and responsibilities, setting out the roles and responsibilities regarding privacy and data protection within the organisation and clarifying how violations of the policy affect compliance and the business and how they may be sanctioned by management, including disciplinary action if staff fail to fulfil those responsibilities.

The privacy policy must be published and communicated within the organisation to ensure that all employees and stakeholders are aware of their responsibilities. Alternatively, this policy may be referred to as the data protection policy.

Privacy Notices

Therefore, the “privacy policies” that organisations publish on their website to provide transparency to data subjects regarding the processing of their personal data are not privacy policies per se, since a privacy policy is an internal document that organisations use to structure their internal governance of privacy and data protection. What organisations actually publish on their website is a privacy notice.

A notice is a disclaimer: purely a means of communication that transparently informs the reader. A privacy notice is therefore the notice that data controllers use to fulfil their duty to inform data subjects and meet their transparency obligations.

The common elements of a privacy notice are:

  • information about the organisation and its contact details, including the Data Protection Officer (DPO) contact details when applicable;
  • description of the personal data that is being processed by the organisation, how it will be used, for what purposes and for how long;
  • the legal bases for processing, when applicable;
  • information about the recipients with whom the organisation may share personal data;
  • information about the data subject rights and how to exercise them, including information about the existence of automated decision-making, when applicable; and
  • information about international data transfers and the safeguards in place, when applicable.

For instance, Articles 12 to 14 of the GDPR outline what information a data controller must provide to data subjects with regard to what data they process (data points), why they need those data (purposes), how they legitimise their use (lawful basis), what rights can be exercised in relation to that processing, and for how long they will retain the information, among other details.

The privacy notice may also be referred to as a privacy statement or even privacy policy, although the latter is not adequate.

In a nutshell, a privacy policy is an internal instrument that outlines the organisation’s approach and best practices regarding privacy and data protection. Its target audience is internal, the organisation’s staff and stakeholders, and it constitutes a data protection governance tool.

Meanwhile, a privacy notice is a notice that organisations use to provide transparency about the processing of personal data to data subjects and comply with the information obligations set in privacy laws and regulations. The target audience is external to the organisation: the data subject whose personal data is being processed by the organisation.

(1) IAPP, Privacy Program Management, p. 78.
