European privacy rules are changing. The existing Data Protection Directive will soon be replaced by the Data Protection Regulation. Although based on similar principles, the Regulation will mean changes to some existing rules and the introduction of some new ones.
Details of the Regulation haven't been finalised yet, but a draft is already available. It's likely to come into effect in 2018. So webshop owners need to be preparing for the changes, such as stricter rules on obtaining consent for processing personal data. Burying data processing in your terms and conditions and inviting customers to tick a blanket acceptance box will no longer be enough: consent has to be freely given, specific, informed and unambiguous, and asked for separately from your other terms. The EU-US 'safe harbour' arrangement has also been ruled invalid by the Court of Justice of the EU, so you'll have to be much more careful about using service providers outside the EU (e.g. US cloud service providers) and check what legal basis now covers any transfer of personal data to them.
In certain countries, some national rules are changing before the new Regulation comes in. That's the case in the Netherlands, where there has been a statutory requirement to report data breaches since 1 January 2016. There's likely to be a similar requirement right across Europe by 2018.
In the eyes of the law, a data breach is any security incident that leads to the loss, destruction or alteration of personal data, or to its unauthorised processing. 'Personal data' is any information that can be linked to an identifiable individual, and 'processing' covers almost anything you do with such data: collecting it, storing it, accessing it, editing it or passing it on to someone else.
So, while most of us think of a data breach as a serious incident where a hacker steals information, the law takes a broader view. Legally speaking, losing a USB stick with your mailing list on it is a data breach. So too is sending out an email with lots of customers' addresses visible in the 'Cc' field. Even losing all your customer records in a fire is a data breach.
Webshop owners and people who provide services to them – such as hosting firms and data centre operators – have to take appropriate steps to prevent data breaches. Appropriate steps include putting sound procedural, technical and physical security in place. You should be looking to create a culture within your organisation where privacy is taken into account in every business activity and new processes are designed with privacy in mind.
If, in spite of everything, a breach occurs, it has to be reported to the data protection supervisor and, where the breach is likely to affect their privacy, the people concerned have to be informed as well. The legal duty to report lies with you, as the party responsible for the data, not with your service provider: a hosting firm that discovers a breach is obliged to tell you promptly, but it is up to you to assess it and make the report, and your processing agreement should spell out how, and how quickly, they notify you. Any report is bound to dent your customers' confidence in you, so you have a strong incentive to work with your service providers to make sure that everything possible is done to minimise the risk of a breach.
In the context of data protection law, you (the webshop owner) are the 'data controller', and any service provider who handles data on your behalf (such as your hosting firm) is a 'data processor'. You have a legal obligation to formalise that relationship by entering into a processing agreement, which makes it clear which of you is responsible for doing what to protect your customers' privacy, including how breaches are detected, reported and handled.
In principle, that situation isn't affected by the introduction of mandatory data breach reporting or any of the other provisions of the new Data Protection Regulation. However, if you already have an agreement, it needs to be updated in line with the changes. And if you don't yet have one, you need to arrange one as soon as possible. The Dutch Hosting Provider Association makes a model agreement available to members.
The changes to the data protection rules influence your choice of hosting provider mainly insofar as they accentuate the situation described in the article on keeping your webshop secure. The changes make it more important than ever that you have an active policy on privacy (and, by extension, on security). A passive approach to privacy and security simply isn't good enough.
For practical reasons, you have to delegate a lot of responsibility to your hosting firm and other service providers. However, a responsible webshop owner doesn't delegate responsibility for something as important as other people's personal data without first checking that the service provider is able to discharge that responsibility properly.
Will your hosting provider be ready for the Data Protection Regulation? Are they all set for mandatory data breach reporting? Are your data transfers still lawful, now that the safe harbour agreement has been ruled invalid? These are questions you should be asking sooner rather than later.