Guidelines to help you prepare
In 2016, the EU passed the new General Data Protection Regulation (GDPR), legislation designed to protect citizens’ rights online and the cornerstone of the ‘Digital Single Market’. The GDPR should also have positive effects for business: by harmonizing and updating the patchwork of former data protection legislation, some of the complexity of compliance should be reduced.
However, the GDPR does not come without its pitfalls for any organisation that interacts with consumers and collects their data online – such as your eCommerce business – and the penalties for failures are both severe and enforceable.
As a result, you should act now to ensure compliance by the time the legislation comes into force on 25th May, 2018.
This article outlines some of the key preparations for eCommerce businesses:
1- Reviewing relationship with suppliers
Many eCommerce businesses rely on third parties, for example to process online payments or to fulfil orders (such as warehousing and shipping companies). These relationships involve passing on your customers’ personal data for processing. From May 2018, it will be your obligation, as the organisation collecting the data, to ensure that these companies also comply with GDPR provisions.
Start by reviewing your relationships with subcontractors and asking about their GDPR preparations. Before May 2018 you will need new written contracts with each supplier, containing specific mandatory clauses about their data processing practices.
Bear in mind that any business customers wishing to work with you in future – especially those that pass any data on to you – will require the same documentation and guarantees from your business.
2- Ensuring unambiguous consent for data collection and use
When collecting payments, you are already making an explicit request for sensitive data from your customer, such as their payment information. However, now they must also be told where their data will go and who is responsible for processing and storing it. You should re-draft your consent clauses with this in mind, using plain and understandable language.
Another new requirement is that these consent forms – electronic or otherwise – must now be kept as records. Your existing CRMs or database system may not currently facilitate this and customisations take time – so start to think about how to handle this now and discuss the requirement with your technology providers.
3- Implications for your marketing practices
Another ramification of the GDPR’s ‘unambiguous’ consent requirement concerns direct marketing. Bought consumer data such as email lists already occupies a grey area that is about to get considerably murkier, and would be best avoided. Marketing data you collected yourself should be reviewed to check that you used clear and careful opt-in wording. For example, a customer should generally agree to be contacted by you on one topic, via one particular marketing channel. If not, you should consider starting the process of gathering new opt-ins – using the opportunity to re-engage, present new offers and gather additional useful data.
The GDPR may have particular implications for those using systems that facilitate ‘profiling’ – gathering data on an individual from a multitude of sources, or via big data analysis. Some CRMs and other marketing systems now allow you to link from an individual’s email to their social media profiles, or to use data gleaned from such sources to build up a picture of your customer’s preferences. Without consent to use this data, whether for direct communication or merely as a basis for your marketing tactics, this may now be an area of dispute.
Since the consequences of this are significant for the burgeoning industry offering these sophisticated marketing analytics, there will no doubt be considerable ongoing debate as to the precise ‘dos and don’ts’ in this area. You would be wise to keep an eye on developments if these are practices you intend to use.
4- Designing for Privacy
For larger businesses, the GDPR will require a specific named individual to be appointed as Data Protection Officer. Although exempt from this, small businesses would do well to assign someone to oversee auditing and updating data protection procedures and documentation before May 2018. From that point, the GDPR requires businesses to maintain a record of their data processing activities, as well as all technical and organisational measures taken to ensure security.
The GDPR therefore encourages businesses to design for privacy – i.e. build privacy requirements into every new system and business process. A good way to begin is by drawing out a flow diagram which visually maps out the various data inputs, stores, transfers and processes. That way, you can ensure that your updated policies and procedures cover all aspects and can be distributed to those personnel, or suppliers, that access any part of your data chain.
5- Data breaches and the right to be forgotten
Most businesses are already familiar with the potential for a ‘data subject access request’. Designing for privacy means that systems should be built from the outset so that extracting all data pertaining to a single individual, should they request it, can be done smoothly within the required timescale.
The GDPR takes this a step further by granting individuals the right to be forgotten. This means that any individual can request not only disclosure of any data held on them but also its complete deletion. Many existing systems facilitate suppression, which prevents further contact with an individual, but not complete deletion. Again, this should be investigated with technology suppliers.
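The three system-design points above (a consent record kept per purpose and channel, a map of every store in the data chain so that a subject access request can be answered from all of them, and the difference between suppressing an individual and actually erasing their data) can be made concrete in code. The following is an added illustration written for this article, not code from Blackwater Tech or from any particular CRM; the store names, customer id and sample rows are constructed, and the class and method names are hypothetical.

```python
"""Privacy-by-design data layer: a consent ledger, subject access export
across every registered store, and true erasure versus suppression.
Added example with constructed sample data; store names and customer ids
are hypothetical."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Any


@dataclass
class SubjectStore:
    """One system in the data chain (CRM, order history, ...) keyed by customer id."""
    name: str
    rows: dict[str, dict[str, Any]] = field(default_factory=dict)
    suppressed: set[str] = field(default_factory=set)  # "do not contact" flags


class PrivacyRegistry:
    """Central map of every store holding personal data, so that export and
    erasure iterate over the whole data chain instead of a single system."""

    def __init__(self) -> None:
        self.stores: dict[str, SubjectStore] = {}
        self.consent_log: list[dict[str, Any]] = []  # evidence of each consent decision

    def register(self, store: SubjectStore) -> None:
        self.stores[store.name] = store

    def record_consent(self, subject_id: str, purpose: str, channel: str,
                       wording: str, granted: bool,
                       at: datetime | None = None) -> dict[str, Any]:
        """Keep the exact opt-in wording shown, per purpose and per channel."""
        entry = {
            "subject_id": subject_id, "purpose": purpose, "channel": channel,
            "wording": wording, "granted": granted,
            "at": (at or datetime.now(timezone.utc)).isoformat(),
        }
        self.consent_log.append(entry)
        return entry

    def has_consent(self, subject_id: str, purpose: str, channel: str) -> bool:
        """Latest decision for this purpose/channel wins; no record means no consent."""
        for entry in reversed(self.consent_log):
            if (entry["subject_id"], entry["purpose"], entry["channel"]) == (subject_id, purpose, channel):
                return entry["granted"]
        return False

    def subject_access_export(self, subject_id: str) -> dict[str, Any]:
        """Everything held on one individual, gathered from all registered stores."""
        return {
            "stores": {name: dict(s.rows[subject_id])
                       for name, s in self.stores.items() if subject_id in s.rows},
            "consents": [e for e in self.consent_log if e["subject_id"] == subject_id],
        }

    def suppress(self, subject_id: str) -> None:
        """Stop further contact only; the personal data itself is retained."""
        for store in self.stores.values():
            store.suppressed.add(subject_id)

    def erase(self, subject_id: str) -> dict[str, int]:
        """Remove the individual's data from every store and from the consent log.
        Returns how many records each store dropped, for the processing record."""
        removed: dict[str, int] = {}
        for name, store in self.stores.items():
            removed[name] = 1 if store.rows.pop(subject_id, None) is not None else 0
            store.suppressed.discard(subject_id)
        before = len(self.consent_log)
        self.consent_log = [e for e in self.consent_log if e["subject_id"] != subject_id]
        removed["consent_log"] = before - len(self.consent_log)
        return removed


def run_demo() -> dict[str, Any]:
    """Walk one constructed customer through consent, export, suppression and erasure."""
    reg = PrivacyRegistry()
    reg.register(SubjectStore("crm", {"c-1001": {"email": "alice@example.com", "name": "Alice"}}))
    reg.register(SubjectStore("orders", {"c-1001": {"last_order": "ORD-42", "ship_to": "1 Example St"}}))
    reg.record_consent("c-1001", "newsletter", "email", "Yes, email me the monthly newsletter", True)

    results: dict[str, Any] = {}
    results["email_ok"] = reg.has_consent("c-1001", "newsletter", "email")
    results["sms_ok"] = reg.has_consent("c-1001", "newsletter", "sms")  # never asked, so False
    results["export_stores"] = sorted(reg.subject_access_export("c-1001")["stores"])

    reg.suppress("c-1001")
    results["after_suppress"] = sorted(reg.subject_access_export("c-1001")["stores"])  # data still held

    results["erased"] = reg.erase("c-1001")
    results["after_erase"] = reg.subject_access_export("c-1001")  # nothing left to disclose
    return results


if __name__ == "__main__":
    import json
    print(json.dumps(run_demo(), indent=2))
```

The point the demo makes is the one the article raises: after `suppress`, a subject access export still returns the customer's rows from both stores, so suppression alone does not satisfy a deletion request; only `erase`, which walks every registered store, leaves nothing to disclose. Registering each new system with the registry is the code-level equivalent of adding it to the data-flow diagram.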
Your policies should include a method to deal with any data breach, i.e. where personal data becomes insecure or is inadvertently disclosed. This could be the result of human error by staff, a technical issue, or even a hack. The GDPR requires that the Privacy Commission be notified within 72 hours of any breach and of the remedial steps taken. Any customer or data subject whose data has been compromised may also need to be notified individually, should the breach pose a risk to them.
How will Brexit impact this?
The UK will still be an EU and single market member when the legislation takes force, so UK companies will be bound by it. In addition, even if the UK withdraws, to trade successfully in a data-driven global marketplace, UK companies would be wise to ensure compliance with what will be a new international benchmark.
More detailed suggestions for how to best implement GDPR compliance will no doubt emerge over the coming months, along with a blooming trade for legal compliance advisors. Those businesses dealing with very large amounts of personal data or undertaking big data analytics, would be well-advised to consider a professional audit.
That said, no eCommerce business, however small, can afford to brush these changes under the carpet. Whilst fines of 4% of global turnover are potentially ruinous, perhaps more significantly, the GDPR’s provisions will become the new expected standard for data protection, one that both consumers and other companies will expect you to meet before they are willing to do business with you.
Don’t hesitate to talk to us at Blackwater Tech about designing for privacy – and how we can help to ensure your eCommerce platform, CRM and other systems are robust.