What is GDPR? What You Need to Know About the General Data Protection Regulation

18 May 2018

Disclaimer: We encourage you to seek legal advice and review the GDPR yourself, as it’s ultimately your responsibility to ensure you are compliant with the GDPR. This post should not be taken as legal advice.

What is General Data Protection Regulation (GDPR)?

The European Union General Data Protection Regulation (the GDPR) contains new data protection requirements that will impact how businesses process and handle data, coming into effect from 25 May 2018.

Australian businesses of any size may need to comply if they have an establishment in the EU, if they offer goods and services in the EU, or if they monitor the behaviour of citizens of the EU.

Implications of the GDPR

Australian businesses need to determine whether they need to comply with GDPR, and if so, take steps to ensure their personal data handling practices comply with the GDPR.

Consent

This may include adjusting how you collect data—GDPR requires you to clearly request consent when collecting data.

This might mean adjusting forms like your newsletter subscription form or user registration form to ensure shoppers are explicitly accepting your terms and conditions and privacy policy.

While Neto plans on updating our standard website design themes to more explicitly request acceptance of a website's terms and privacy policy, and we have published tweak documentation to help merchants retrofit their existing themes, it is ultimately the responsibility of every merchant to ensure they are compliant. We cannot guarantee that just because you’re using an up-to-date theme, you are compliant.

Data portability and the “Right to be Forgotten”

The GDPR requires every business to allow any EU citizen about whom the business stores personal data to:

  • Demand a copy of the data you have on them.
  • Demand the deletion/anonymisation of this data.

Neto can both provide merchants with this data and anonymise it, on request. This request needs to be made to Neto by the merchant. In the event of a request, we will provide the merchant with the requested data.

Keep in mind that when shoppers make these requests, they are not just talking about the data that Neto hosts. You will need to review all places where you store personal data, such as any analytics tools you may use or any third-party integrations.

Again, it is your responsibility to ensure you are compliant. Neto cannot provide additional advice on acquiring or anonymising data from external parties.

Additional implications

There are many implications to the GDPR and we have not summarised them all. For example, there is a good chance you will need to update your Terms & Conditions and/or Privacy Policy. We encourage you to seek legal advice and review the GDPR yourself.

What is Neto doing about the GDPR?

We take our responsibilities under the new GDPR legislation seriously. That's why we have undertaken a program of work to assess what effort is needed to be compliant with GDPR.

Here is a quick summary of the work we have done:

  • Articulated Neto’s position and commitment to meeting the needs of GDPR.
  • Conducted an extensive audit and classification of data within our platform.
  • Conducted an audit of third-party services that may impact Neto’s ability to satisfy GDPR.
  • Our Product and Engineering teams have identified the necessary changes/improvements that need to be made. We are currently working on tools that will automate data portability and anonymisation. We have also published tweak documents to help you collect consent in a more compliant way.
  • We are updating our own privacy policy to address items relating to GDPR.
  • We have updated our “way of working” to incorporate privacy by design whereby all initiatives are assessed for impact on privacy.
  • We are conducting privacy by design education within all parts of our business.

This post was updated on 24 May 2018 to reflect the availability of the relevant tweak documentation.