Only a few hours remain until the General Data Protection Regulation (GDPR) comes into force. This means you still have a short time to check your ecommerce business against the EU's requirements.
In this post, we try to give you, in a nutshell, the essential information about the incoming rules on controlling and processing your users' personal data, along with useful links where you can examine how GDPR works in detail. You will also find a short GDPR checklist at the bottom of this post that can help you avoid large fines after 25 May 2018.
GDPR: Roots And Fruits
In 2010, the European Commission set out a strategy to strengthen EU data protection rules and replace the EU's 1995 Data Protection Directive and the UK's 1998 Data Protection Act, both of which are now outdated.
The Commission surveyed EU citizens and found that 61% of users were anxious about the personal information that ecommerce websites hold about them, and more than half (55%) were worried about fraud when shopping online.
According to the same survey, 75% of respondents wanted to be able to request and delete their personal information online whenever they want, and over 90% wanted the same data protection rights across Europe.
Over the following six years the European Commission worked out the principles of user data protection and practical ways of applying them to the global Internet. In 2016 GDPR was adopted by the European Parliament. Let us look at its main principles.
- Lawfulness, fairness, and transparency
- Data minimisation (adequate, relevant, and limited to what is necessary)
GDPR requires you to minimise the personal data you hold to what is relevant, and encourages you to pseudonymise the user data you keep. Collect only the data you actually plan to use, for example in email marketing or cold outreach, and get rid of unnecessary or inactive contacts.
- Accuracy
The personal data you hold should be accurate and up to date. To ensure this, your customers must be able to change their personal information whenever they want. They can also request a copy of the personal data your company processes about them and exercise the right to be forgotten (erasure).
- Storage limitation
You should not keep personal data for longer than is needed for your processing purposes. GDPR itself does not prescribe fixed retention periods; each controller has to define and justify its own. So read this principle together with the right to be forgotten: when the purpose ends, or the customer asks, the data should go.
- Integrity and confidentiality
You should never share or sell your customers' personal data with other people or companies without a lawful basis, such as the data subject's consent. Under this principle you must also process personal data with appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage. Every company is responsible for its own databases and must take proper care of their security.
GDPR Personal Data List
In the regulation, 'personal data' is defined as 'any information relating to an identified or identifiable natural person'. The rules apply to any organisation, public or private, that processes the personal data of individuals in the EU, regardless of where the organisation itself is established.
Therefore, GDPR concerns you if:
- Your customers and prospects are in the European Union (what matters is where the data subject is, not their citizenship)
- Your email subscribers are in the EU
- Your database for cold email marketing contains personal data of EU residents.
It does not matter whether your ecommerce website was built on WordPress, Magento, WooCommerce or Joomla, or on your own CMS. GDPR is about your users and the security of their personal data, not about your platform.
What is ‘Personal data’ under GDPR:
- A name;
- An identification number;
- Location data;
- Cookie identifiers;
- Online identifiers;
- Biometric data;
- One or more factors specific to the "physical, physiological, genetic, mental, economic, cultural or social identity" of that natural person, from which they can be identified.
GDPR has generated a lot of buzz because of the large fines for non-compliance. The maximum fine is 20,000,000 EUR or 4% of total worldwide annual turnover for the preceding financial year, whichever is higher. This is why many large companies have decided to spend more than a million dollars each on GDPR compliance.
But remember that every situation is unique, so the size of a fine is assessed case by case.
Broadly, there are two main reasons your retail company could be fined: a large-scale breach of personal data, and unlawful processing of sensitive (special-category) personal data.
Data Protection Specialists
This is the first step you should take (if you have not done so already). Your ecommerce company should have a lawyer or solicitor who knows GDPR in detail and takes responsibility for your customers' data protection. Appointing a Data Protection Officer is mandatory if your core activities involve large-scale, regular and systematic monitoring of individuals (behavioural tracking for marketing, for example) or large-scale processing of sensitive (special-category) data.
Their responsibilities include responding to customers' complaints and monitoring your ecommerce website's GDPR compliance, especially when your company is testing new solutions, forms, or marketing emails, or developing a new website interface or app.
Your data protection officer (or specialist) is also the person who notifies the supervisory authority (the ICO in the UK) of a personal data breach within 72 hours of your becoming aware of it, unless the breach is unlikely to put your customers at risk. That covers a systemic failure, a hack, or any other incident that may have serious consequences for your customers' security. Where the risk to customers is high, they must be told as well, without undue delay.
Is GDPR a good thing for Ecommerce?
The General Data Protection Regulation can, and will, have a positive effect on the online retail sector, because it can enhance customer confidence and loyalty and increase trust in the payment process. This is why we recommend telling your customers that you will take care of their personal data and keep it confidential.
GDPR Ecommerce checklist
The primary GDPR text contains a huge number of requirements and details, but we have tried to include the most important ones in this checklist. Go through it to find out whether you have missed anything that should be implemented in your website, emails, contact forms, and every consent form.
Data Protection Specialist
- As a data controller (and as a processor, where you handle data on behalf of others), you have appointed a data protection specialist, or a Data Protection Officer if you process sensitive data at scale.
Consent Compliance Checklist
- Your consent requests are written simply and clearly, so that your customers can easily understand what personal information will be processed and for what purpose, and have a clear understanding of what they have agreed to.
- Your consent forms are explicit. They contain no pre-ticked boxes or any other form of consent by default.
- The button that gives consent is not visually privileged over the option to refuse (for example, not highlighted in a different colour).
- Your consent form is prominent and kept separate from the Terms and Conditions section.
- You have named your organisation and any third parties that will rely on the consent.
- You have made clear that your customers can refuse this consent.
- You have explained how your customers can withdraw their consent.
- If you expect or know that some of your online customers could be children, your consent form includes age verification and asks for parental consent for those under the applicable age (16 by default, which member states may lower to 13).
You can also find several options for creating a GDPR-friendly consent form template here.
For more detailed information about the requirements for consent, please see the United Kingdom ICO's GDPR Consent Guidance.
- You have explained on your website how your customers can request the information you hold about them, correct it, or have it removed.
- You have added instructions for how your customers can report a violation of any GDPR principle that affects them.
- You have made clear that you do not penalise your customers for withdrawing their consent.
- You keep a record of when, where, and how you received the consent of each of your customers.
- You keep a record of exactly what information your customers have provided to you.
- You have scheduled regular checks that the relationship, the processing, and the purpose have not changed.
- You have scheduled how often you will refresh your user data.
Make sure you do not send your customers' personal data, including email addresses, names, user IDs, location data, transaction IDs, and IP addresses, to Google Analytics anywhere in your code, whether in page URLs, custom dimensions, or event parameters. Read this Google article to find out more.
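The most common way personal data reaches Google Analytics is not a deliberate custom dimension but the page URL itself: order-confirmation or account pages that carry `?email=...` or `?user_id=...` in the query string are reported verbatim with every pageview. The block below is an added example, not code from the original post or from Google. It scrubs such parameters before the URL is reported, and doubles as a pre-launch check you can run over a sample of your own URLs. The parameter list `PII_PARAMS`, the hostname `shop.example` and the sample URLs are assumptions made up for the demonstration; the `page_location` field is the standard gtag.js way of overriding the reported URL.

```javascript
// Added example (not from the original post or from Google): keep personal
// data out of the URLs reported to Google Analytics.
// Assumptions: PII_PARAMS is a hypothetical list of the query parameters your
// own site uses for personal data; sample URLs below are constructed.
const PII_PARAMS = ['email', 'name', 'user_id', 'customer_id', 'phone', 'address', 'lat', 'lng'];

// Value patterns that are personal data whatever the parameter is called.
const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
const IPV4_RE = /^(\d{1,3}\.){3}\d{1,3}$/;
const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

// A parameter leaks PII if its name is on the list or its value looks like
// an e-mail address, an IPv4 address, or a UUID-style user identifier.
function looksLikePii(name, value) {
  if (PII_PARAMS.includes(name.toLowerCase())) return true;
  return EMAIL_RE.test(value) || IPV4_RE.test(value) || UUID_RE.test(value);
}

// Return a copy of `url` with PII-bearing query values replaced by REDACTED
// and the fragment dropped. Parameter names are kept so that funnel reports
// built on them keep working.
function scrubUrlForAnalytics(url) {
  const u = new URL(url);
  // Snapshot the entries first: set() mutates searchParams during iteration.
  for (const [name, value] of [...u.searchParams.entries()]) {
    if (looksLikePii(name, value)) u.searchParams.set(name, 'REDACTED');
  }
  u.hash = '';
  return u.toString();
}

// Pre-launch check: given a sample of URLs (e.g. from your web server log),
// return the ones that would have sent personal data to Analytics.
function findLeakingUrls(urls) {
  return urls.filter((url) => {
    const u = new URL(url);
    return [...u.searchParams.entries()].some(([n, v]) => looksLikePii(n, v));
  });
}

// Constructed sample of URLs a shop might emit (not real traffic).
const sampleUrls = [
  'https://shop.example/order/confirm?order=1234&email=alice%40example.com',
  'https://shop.example/track?q=bob@example.org',
  'https://shop.example/catalog?page=2&sort=price#top',
  'https://shop.example/geo?ip=192.168.0.1',
];

// In the browser with gtag.js, report the scrubbed URL instead of location.href.
// 'GA_MEASUREMENT_ID' is Google's placeholder for your own property ID.
if (typeof gtag === 'function' && typeof location !== 'undefined') {
  gtag('config', 'GA_MEASUREMENT_ID', { page_location: scrubUrlForAnalytics(location.href) });
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('leaking:', findLeakingUrls(sampleUrls));
  console.log('scrubbed:', sampleUrls.map(scrubUrlForAnalytics));
}
```

Client-side scrubbing only covers what your own pages send; tags injected through a tag manager, server-side hits, and the `document.title` of a page like "Order for Alice A." are separate channels and need the same review. The `findLeakingUrls` pass is cheap enough to run against a day of access logs before go-live.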
Unfortunately, users have got used to clicking "yes" on most consent prompts. This is why we recommend adding a re-consent pop-up so that your customers understand what data they are leaving with you.
- Your data protection specialists have prepared a risk assessment (a Data Protection Impact Assessment, which GDPR requires where processing is likely to result in a high risk to individuals): a document that states what specific data the company collects, how it is processed, and for what purpose.
- You have analysed your risks, identified potential weak points, and planned what you will do if something goes wrong.
This document need not be published on your website, but it is a strong basis for justifying your actions when you receive a complaint.
Let us compile a GDPR summary
Today GDPR is still in its early stages and its interpretation will evolve over time. Nevertheless, what it asks for is now simply common courtesy toward your customers, in line with the global trend toward business transparency.
- Let your customers decide what personal information they leave with you.
- Tell them what data is processed and for what reason.
- Tell them how they can request their personal information, withdraw their consent, or unsubscribe.
- Use simple language when you speak to your audience; there is no need to ask your copywriters to pile up legal terms that no one understands.
- Redesign your consent forms.
- Target your email marketing audience carefully.
- Draw up the responsibilities of your Data Protection Officer and publish a dedicated contact address for them.
- Keep a record of all user information you receive and process.
We know this takes time and resources, which we hope you already have in place by now. But the hard work and effort you put into becoming compliant will earn your customers' trust.