With the implementation of data privacy legislation such as the General Data Protection Regulation (GDPR), being familiar with related terminology is more crucial than ever.
The term “data subject” refers to a person about whom a business collects information. This information can be anything from a name and/or home address to payment details.
Understanding data subjects is essential for e-commerce companies, since they need a plan in place for handling a Subject Access Request (SAR) under the GDPR if one arrives. They also need to put together a data subject access request process to stay compliant with privacy laws.
Before you build a policy, it helps to have a firm grasp on the language of data privacy.
For example, there are strict rules about charging a fee for a data subject access request (DSAR), but you first need to know what that term means. This understanding could make a big difference to your business if you ever need to deal with such a request.
Let's look at some of the terminology and what it all means:
Data processing: The GDPR, which governs European Union (EU) enterprises, centres on data processing, meaning any action that relies on the data collected. This includes organizing data and/or storing it in a customer database.
Data subject: As we've explained above, a data subject is a person whose data you're collecting.
Data controller: The individual or entity managing personal data processing.
Data retention period: The amount of time you keep data, whether you're processing it or not.
All of these phrases tie in with GDPR rules, so you need to know what counts as data, who you're collecting it from, why you need this information, and how you'll comply with the law.
Privacy policies aren't optional. You must have one if you collect personal information from users, even if it’s only a single detail.
Terms and conditions (T&Cs) are different: although they can include a section on data privacy, their purpose is to inform customers about cancellation policies, the conditions of sale, and copyright protection.
It's also necessary to work out which rules apply in different situations. For example:
GDPR applies throughout the EU and deals with data processing.
The California Consumer Privacy Act (CCPA) is only relevant if you collect customer data in California.
Protection of Personal Information (POPI) is the equivalent regulation in South Africa.
Lei Geral de Proteção de Dados (LGPD) works similarly in Brazil.
That can be tricky because, for example, a retailer with clients in both California and France will need to make sure it has covered everything in both the GDPR and the CCPA.
Business owners with a lot on their plates can find it hard to make time to dive into the complexities of privacy laws, even though compliance is vital to safeguard a company.