The EU’s General Data Protection Regulation (GDPR) comes into effect 25 May 2018.
But what does this mean for e-commerce businesses, being known the fact the online shopping is using the most tools that might interfere with the rules.
What is GDPR?
GDPR is a new Regulation with European Union, that will force all companies that are based in or who do business inside the EU, to comply with strict new rules regarding the collection, storage and use of customer data.
All forms of customer data: photos, social media posts, IP addresses, bank details and any identifying numbers such as NI or SSNs are equally important. All all this data, regardless of origin should be opt-in only, stored securely and used only with the customer’s permission.
However, the GDPR rules are not set in stone. They have asked for a “reasonable” level of security to be provided, leaving a grey area as to if social media data should be treated the same as bank credentials. One thing is clear, users must give clear opt-in consent for their data to be stored and used in any way.
Pre filled consent checkboxes (for example in email subscription forms) and consent hidden in long T&C’s will be a thing of the past.
GDPR distinguishes three profiles when it comes to handling data:
- The Data Subject: The customer, user, employee, site visitor – anyone providing identifying personal data.
- The Data Controller: The businesses offering services or goods who control this data. They are responsible for the safe storage and use of the data, and need to state how and why the data is used.
- The Data Processor: Usually they are service providers, like ERP systems, Vibetrace, Ecommerce platforms, UPS and any internal teams employed to do similar work, such as an internal accounts team.
How will this affect e-commerce businesses?
The GDPR applies to all databases, marketing, sales, HR, accounting; Any way data is stored or processed, will fall under the new regulation.
Read more about these findings GDPR statement
Clear consent for marketing activities
As mentioned above, data subjects (customers/employees/users) must actively opt into marketing activities. Pre-filled checkboxes or consent below the fold or hidden inside TOS won’t work any more. Whilst this has been best practice from many marketers, what may impact some is the “Use of data for 3rd parties” checkbox, of which now must list the third parties that may have access to their data specifically.
All of the above will impact the marketing industry, especially when it comes to personalisation, profiling and any marketing activities that involve big data processing.
The right to be forgotten
It must be easy for customers to not only edit their data and remove consent to marketing activities but also to delete their information entirely from a system. Whilst many companies offer account deletion, it can be an extended process nowadays.
The process to remove data must be easily found, well documented and advertised for those looking to remove their personal data.
Immediate breach response
As of May next year, both controllers and processors of customer data will need to abide by the GDPR. For larger companies, a Data Protection Officer must be appointed, whose first responsibility is to report data breaches and misconduct to the ICO. Online businesses must have a stringent procedure to follow when a data breach is detected and report to both the ICO and data subjects within 72 hours.
Increased fines for non-compliance, breaches, and misuse
The transition may be easier for e-commerce companies operating in the cloud. Large entities will have the resources to commit to becoming fully compliant, and begun work on a solution when the regulation was announced over a year ago. Businesses that rely on in-house servers or custom-built software will need to hire a team to audit and test their security for weaknesses and put in place processes to protect the data from input to deletion.
How Vibetrace deals with GDPR will be presented into a dedicated page.