May 2018 represents an important milestone in the protection of personal data, with the European Union’s implementation of the General Data Protection Regulation (GDPR). This directive will replace existing data protection rules and aims to ensure transparency and accountability for those utilising personal data, including cross-border B2C ecommerce logistics. Ultimately it aims to set a new, legally enforceable standard for consumer rights by obliging organisations to actively protect personal information. Already this initiative is seen as a potential market differentiator for Europe, helping to increase user confidence that personal information will not end up in the public sphere and to highlight the nature of an organisation’s business processes and practices related to data.
Any company that stores or processes personal information about EU citizens, whether resident in Europe or not, must be compliant with GDPR.
What constitutes ‘personal data’ is wide reaching, ranging from citizen ID numbers and home address to IP information or cookie data. GDPR makes it considerably easier for individuals to bring private claims against data controllers when their privacy has been infringed, and allows data subjects who have suffered non-material damage to sue for compensation. GDPR is particularly applicable to cross-border ecommerce B2C logistics providers operating in Europe. The process of B2C ecommerce involves the transmission of multiple attributes related to both buyer and seller, along with information relevant to items purchased, primarily to enable cross-border clearance, tax collection and final mile delivery.
For cross-border ecommerce logistics there are several steps that companies can undertake to review their GDPR preparedness.
The documentation of what personal data is retained and who has access to it should be the central part of their internal information audits. Privacy notices for customers and suppliers should also be thoroughly examined and data privacy procedures reviewed, ensuring individual rights, including consent and deletion, are firmly established.
While some cost will inevitably be involved in adapting to the new regulation, such expenditure will certainly be significantly smaller than the potential impact of non-compliance. To emphasise the seriousness with which this issue is taken, fines of up to €20m or 4% of global income (whichever is higher) can be applied to companies found to be non-compliant. Additionally, the protection of personal data is often seen as being representative of a company’s general data strategy, with leaks having the potential to severely damage industrial reputations.
Though the above may sound rather negative, there are distinct advantages in the application of GDPR.
A good data strategy is reflective of good business practices, increasing customer loyalty and confidence. Scandals involving customer data have become commonplace in the media, with consumers increasingly aware of the importance of this issue. GDPR will increase consumer confidence in European companies, thus positively impacting local markets. Due to the nature of B2C cross-border ecommerce, stricter personal data protection policies will see consumers bring their business to retailers and platforms they know are legally bound by the latest legislation to protect their data. One recent survey noted that of those US companies aware of GDPR, about 85% believe that it will put them at a competitive disadvantage compared to their EU counterparts, while Australia is currently examining the possibility of implementing its own GDPR over the coming years.
Though there has been much discussion on the possible effects of GDPR, there remain many myths and rumours as to the difficulties of implementing it.
Education is one of the key factors in removing such problems. The majority of GDPR requirements relate to processes and system changes, placing them within reach of even small companies. For many operators, staff need to have access to information as part of their daily duties; however, data training policies should be updated to reflect the new regulation, informing staff of their role in GDPR compliance and how to protect themselves in the course of their jobs. A lack of GDPR-qualified staff has been listed as one of the largest barriers to compliance both in the US and EU; however, the appointment of a data protection officer with appropriate knowledge, support and authority will help alleviate the majority of problems on the ground.
The world is still in the process of adapting to its new digital environments, with GDPR being representative of legislation trying to catch up with technology. Though much is said about the rapid growth of B2C cross-border ecommerce, it is important to remember that this growth should take place within a safe and controlled setting for consumers and suppliers. Adaptation to the new regulation may cause issues in the short to medium term; however, the policy is ultimately aimed, and enforced, to protect end users’ rights and to increase confidence in participating companies. GDPR is bound to be met with great interest internationally and its duplication in different markets around the world can be expected over the coming decades.