Disclaimer: We encourage you to seek legal advice and review the GDPR yourself, as it’s ultimately your responsibility to ensure you are compliant with the GDPR. This post should not be taken as legal advice.
What is General Data Protection Regulation (GDPR)?
The European Union General Data Protection Regulation (the GDPR) contains new data protection requirements that affect how businesses collect, process and store personal data. It applies from 25 May 2018.
Australian businesses of any size may need to comply if they have an establishment in the EU, if they offer goods or services to people in the EU, or if they monitor the behaviour of individuals located in the EU. Note that the GDPR protects individuals in the EU regardless of their citizenship.
Implications of the GDPR
Australian businesses need to determine whether the GDPR applies to them and, if so, take steps to ensure their personal data handling practices comply with it.
This may include changing how you collect data: where you rely on consent as the basis for processing, the GDPR requires that consent be requested clearly and given by an unambiguous, affirmative action, rather than assumed from silence or a pre-ticked box.
Data portability and the “Right to be Forgotten”
The GDPR requires a business that stores personal data about an individual in the EU to allow that person to:
- Demand a copy of the personal data you hold on them (the right of access and the right to data portability).
- Demand the deletion, or irreversible anonymisation, of that data (the "right to be forgotten").
Neto can both export this data for merchants and anonymise it, on request. The request must be made to Neto by the merchant, not by the shopper directly; once received, we will provide the merchant with the requested data or carry out the anonymisation.
Keep in mind that when shoppers make these requests, they are not only asking about the data that Neto hosts. You will need to review every place where you store personal data, such as any analytics tools you use, email marketing services, or third-party integrations, and handle the request there as well.
Again, it is your responsibility to ensure you are compliant. Neto cannot provide advice on retrieving or anonymising data held by external parties.
What is Neto doing about the GDPR?
We take our responsibilities under the GDPR seriously. That is why we have undertaken a program of work to assess what is needed for the platform to be compliant.
Here is a quick summary of the work we have done so far:
- Articulated Neto’s position and commitment to meeting the needs of GDPR.
- Conducted an extensive audit and classification of the personal data held within our platform.
- Conducted an audit of the third-party services we use that may affect Neto's ability to satisfy the GDPR.
- Our Product and Engineering teams have identified the changes and improvements that need to be made. We are currently building tools that will automate data portability and anonymisation requests. We have also published tweak documents to help you collect consent in a more compliant way.
- We have updated our “way of working” to incorporate privacy by design whereby all initiatives are assessed for impact on privacy.
- We are conducting privacy by design education within all parts of our business.
This post was updated on 24 May 2018 to reflect the availability of the relevant tweak documentation.