Sabina Mierzowski Mar 28, 2018 3:56:35 PM 12 min read

minubo and the GDPR

May 25, 2018 - this date has been marked in red on the calendar by many trading companies, because on this day the new EU General Data Protection Regulation (GDPR) comes into force. Generally speaking, it is a Europe-wide harmonization of data protection requirements: the handling of personal data will be standardized across Europe. Since data protection requirements in Germany were already very strict, at first sight the topic does not seem especially explosive. Looking at the newly introduced fines and criminal proceedings, however, the picture changes considerably: the maximum possible fine is up to 4% of annual turnover, or 20 million euros.

As a Commerce Intelligence Company and service provider to brands and retailers, minubo is also affected by the new EU General Data Protection Regulation. How, and to what extent, is what we will clarify in this blog article.


Essential Points of the GDPR for minubo Customers

The new EU General Data Protection Regulation is primarily about the handling and processing of personal data – this includes name, address, telephone number, etc.; data that provides concrete information about the respective person. The essential topics from our point of view for our customers, which are regulated by the GDPR, are the following:

  • End customers must agree to the data storage:
    • It is no longer just about registration for newsletters, which was already handled very restrictively in Germany. Tracking, retargeting and other on-site analysis tools must also be explicitly agreed to by customers, whether they are registered customers or guest customers. When collecting the data, customers must now actively agree to the privacy policy, and this consent must be available as proof. Not to be forgotten are contact forms, callback functions and the like: here too, customers must be informed that their personal data is being stored.
  • The right to be forgotten must be guaranteed:
    • According to the new GDPR, customers have the right to revoke their consent to the storage of their data at any time and to become "forgotten". That means they can demand the deletion of their data. This proactive deletion or anonymization of personal data, as well as the deletion on request of the customer, must therefore also be technically possible. Many shop system providers have just announced or extended their solutions with appropriate features.
  • The way data is collected and processed must be regulated and documented:
    • To do this, commerce companies must create a directory of procedures in which to record the technical and organizational measures that protect the personal data of every related process - both internally and when working with external service providers. Specifically, they are required to make data protection agreements with service providers who process data on their behalf ("Order Data Agreement"). Also, building and disclosing a plan in the event of a data breach becomes a requirement and part of a privacy management system.
  • Also new: There is now an obligation to announce to the respective supervisory authority before the 25th of May 2018 who has been appointed as data protection officer of the company.

(Note: This should not be seen as sufficient legal instruction for dealing with the new GDPR, but as a compact overview of what we consider essential issues!)


Is minubo GDPR Compliant?

minubo is affected by the new EU General Data Protection Regulation in two ways: as an independent company with its own marketing and sales processes, and as a service provider to brand and retail companies that work extensively with personal data. At this point, we would like to focus exclusively on our role as a service provider and explain what measures are being taken in this context at minubo.

Important for this classification: minubo itself does not collect personal data from the end customers of our customers!

We are an order data processor (within the data handling process of a commerce organization) and receive data from systems that our customers use to collect personal information – such as Google Analytics, the shop system used, their ERP or CRM system. We collect all this data in a data warehouse and keep it available for analysis or other operational measures of our customers.

As an order data processor, we have to conclude GDPR-compliant order data agreements with our clients, the minubo customers. We bear the same responsibility towards our own service providers: even with the subcontractors whom minubo engages to provide the best service to its customers, minubo must conclude GDPR-compliant agreements.

All in all, for minubo as a service provider to brand and retail companies, the new EU General Data Protection Regulation means that we have an obligation to ensure, and to draw attention to, data-protection-compliant, and especially GDPR-compliant, agreements. And we take on this responsibility!


GDPR Measures at minubo

At minubo, we are also working hard to implement the requirements of the new EU General Data Protection Regulation so that all relevant key points are clarified and implemented by the 25th of May 2018. In concrete terms, this means that from April onwards we will send our new GDPR-compliant agreements for order data processing to all our customers. We are also in close communication with our service providers and are working on renewing those agreements so that they are GDPR-compliant.

In addition, we are currently working hard to further develop the data protection organization at minubo and to implement new requirements, such as the privacy impact assessment. Our list of procedures will also be updated and our privacy policy will be revised to meet the new requirements of the EU's General Data Protection Regulation in time for May 25th.

Another aspect is the further development of our interfaces to legacy systems, such as Salesforce Commerce Cloud, Pixi and many more. With this, minubo wants to make it possible for our customers to fully utilize the GDPR features of those systems, also in connection with minubo, and thus to honor their customers' right to be forgotten in a completely automated way.


We are Prepared!

The new EU General Data Protection Regulation and the associated requirements and obligations should not be taken lightly. In addition to the heavy fines, the authorities now have a duty not only to consistently follow up reported violations, but also to proactively audit companies for compliance with GDPR requirements. Particularly large trading companies should therefore be prepared for such proactive reviews by the supervisory authority. But even small retailers cannot rest too easily in the shadow of the big retail giants, because the authorities must investigate any sign of a violation of the new EU General Data Protection Regulation.

minubo is prepared! With the new EU General Data Protection Regulation, we remain true to our mission as a Commerce Intelligence Company to help brands and retailers make rapid, sound and, above all, data-driven decisions based on a holistic database, both strategically and operationally.


If you as a minubo customer have further questions about the procedure and the measures taken, your Key Account Manager will be available for you at any time.

Sabina Mierzowski

Sabina is Marketing Manager at minubo – she loves to share best practices on data-driven decision-making in commerce companies.