What Does the General Data Protection Regulation (GDPR) Mean for E-Commerce Businesses?
The GDPR will come into effect in May 2018, but what effect will it have on e-commerce?
First of all, what is the GDPR?
The GDPR places parity of esteem (equality) on all forms of data: photographs, bank details, names, addresses, posts on social media, IP addresses, or any identifying numbers such as National Insurance or Social Security Numbers, etc. That means all customer data, irrespective of the source, has to be opt-in only, securely stored, and used only with the permission of the information’s owner. Pre-filled consent checkboxes and consent concealed within lengthy T&Cs will be consigned to history.
GDPR differentiates three key issues when it comes to handling data:
The Subject of the data: this could be a client, an employee, or simply the end user; basically anyone furnishing identifying personal data.
The Controller of the data: that is, the companies offering services or goods that are dealing with personal data and are responsible for the safe storage and any use of that data.
The Processor of the data: for e-commerce, this will be all third-party providers such as ERP systems, MailChimp, Shopify, or UPS, for example, including any other internal units employed to do similar work, such as an accounts department.
E-commerce companies don’t have to be large to come under the auspices of the GDPR; all companies do. While there may be some leeway with regard to SMEs, this is mainly to do with fines and the like. The handling of data sets is seen as sacrosanct regardless of resources.
How will this affect your e-commerce businesses?
Clear consent for marketing activities. End users must actively opt-in to marketing activities. There will no longer be pre-filled checkboxes or consent ‘below the fold’. A further impact may come from third-party checkboxes, where you must now list the third parties that will have access to customer data.
The right to be forgotten. The GDPR also stipulates that it must be ‘made easy’ for patrons not only to edit or remove their data or consent related to marketing activities, but also to delete entirely their account and any personal information from a system. While many businesses offer account deletion, it can be an extended process (Amazon’s policy of having to call an agent before account deletion, as opposed to an online process, for example). This process must be advertised, easy to navigate, and well documented.
Instant breach response
In May, when the GDPR comes into effect, both controllers and processors of client information will have to abide by the new regulations. In the case of larger companies, a Data Protection Officer (DPO) must be appointed, whose primary responsibility is to report breaches of data or misconduct to the Information Commissioner’s Office (ICO). SMEs shouldn’t ignore this and think a DPO doesn’t apply to them; there must be someone responsible for this, with processes in place to deal with breaches. Everyone must have a rigorous procedure in place for when a breach of data is detected, and must report to both the ICO and, very importantly, all data subjects within 72 hours.
Outsourcing some elements that control customer information, such as payments, marketing, or IT, will no longer absolve an organisation of its responsibility for data security. That’s because each section of the supply chain includes the handling and storage of customer information, and this too must be secure. This includes third-party cloud services.
Organisations need to ensure that information is shared with regard to any internal procedures so that everyone in a chain is compliant with the new GDPR legislation.
Increased fines for non-compliance, breaches, and misuse
To ensure compliance with these new regulations, the GDPR sets out fines of up to €20 million, or 4% of your annual revenue, which is why SMEs cannot afford to make mistakes. Information must be securely stored. Companies are responsible for how and where any data is stored, and for e-commerce businesses utilising third-party software partners this may be a multitude of locations. Encryption is no longer optional, and stringent procedures must be in place for data access.
This evolution may be easier for e-commerce businesses operating in the cloud, and larger organisations will have the resources to become fully compliant; enterprises such as Shopify and Dotmailer may well have begun work toward a solution over a year ago when the regulation was first announced. Companies that use in-house servers or custom-built software may need to appoint someone to review and test their security systems for weaknesses, and to put in place procedures that protect any and all information stored, from input to deletion.