What Does the General Data Protection Regulation (GDPR) Mean for E-Commerce Businesses?
The GDPR will come into effect in May 2018, but what effect will it have on e-commerce?
First of all, what is the GDPR?
The GDPR places parity of esteem (equality) on all forms of personal data: photographs, bank details, names, addresses, posts on social media, IP addresses, or any identifying numbers such as National Insurance or Social Security numbers. That means all customer data, irrespective of its source, has to be collected on an opt-in basis only, stored securely and used only with the permission of the information’s owner. Pre-filled consent checkboxes and consent concealed within lengthy T&Cs will be consigned to history.
GDPR differentiates three key issues when it comes to handling data:
The Subject of the data: a client, an employee, or simply the end-user; basically anyone furnishing identifying personal data.
The Controller of the data: the companies offering services or goods that are dealing with personal data and are responsible for the safe storage and any use of that data.
The Processor of the data: for e-commerce, this is all third-party providers such as ERP systems, MailChimp, Shopify, or UPS, as well as any internal units employed to do similar work, such as an accounts department.
E-commerce companies don’t have to be large to come under the auspices of the GDPR; all companies do. While there may be some leeway with regard to SMEs, this is mainly to do with fines. The handling of data sets is sacrosanct regardless of resources.
How will this affect your e-commerce businesses?
Clear consent for marketing activities. End-users must actively opt in to marketing activities. There are no more pre-filled checkboxes or consent ‘below the fold’. A further impact may come from third-party checkboxes: you must now list the third parties that will have access to customer data.
The right to be forgotten. The GDPR also stipulates that it must be ‘made easy’ for patrons not only to edit or remove their data or their consent related to marketing activities, but also to delete their account and any personal information from a system entirely. While many businesses offer account deletion, it can be an extended process; for example, Amazon’s policy of having to call an agent before account deletion, as opposed to an online process. The deletion process must be advertised, easy to navigate, and well documented.
Instant breach response
In May, when the GDPR comes into effect, both controllers and processors of client information will have to abide by the new regulations. In the case of larger companies, a Data Protection Officer (DPO) is appointed, one of whose primary responsibilities will be to report data breaches or misconduct to the Information Commissioner’s Office (ICO). SMEs shouldn’t ignore this and assume a DPO doesn’t apply to them: there must be someone responsible for this, with processes in place to deal with breaches. When a data breach is detected, it is reported to both the ICO and all data subjects within 72 hours.
Outsourcing some elements that control customer information, such as payments, marketing, or IT, will no longer absolve an organisation of its responsibility for data security. That’s because each section of the supply chain includes the handling and storage of customer information, and this too must be secure. This includes third-party cloud services.
All organisations should share information about their internal procedures, so that everyone in the chain is compliant with the new GDPR legislation.
Increased fines for non-compliance, breaches, and misuse
To ensure compliance with these new regulations, the GDPR sets out fines of up to €20 million, or 4% of your annual revenue. This is why SMEs cannot afford to make mistakes. Companies will be responsible for how and where any data is stored, which may be a multitude of locations for e-commerce businesses utilising third-party software partners. Encryption is no longer optional, and stringent procedures must be in place for data access.
This evolution may be easier for e-commerce businesses operating in the cloud, and larger organisations will have the resources to become fully compliant; enterprises such as Shopify and Dotmailer may well have begun work toward a solution over a year ago, when the regulation was first announced. Companies that use in-house servers or custom-built software may need to appoint someone to review and test their security systems for weaknesses, and to put in place procedures that protect all stored information from input to deletion.
If you have more questions about the GDPR, speak to a member of our team today, or follow us on social media to stay up to date with the latest GDPR information.