GDPR Is Just Around The Corner: What Does This Mean For ECommerce
“If you break it, you pay for it.” That used to be something you’d only hear in brick and mortar stores. Soon, a similar warning could apply to any eCommerce business that collects or handles consumers’ personal data. We’re about to enter a new era of data responsibility.
ECommerce businesses deal with a lot of data: they process everything from customer data to location and behavioural data. Personal information is shared with retailers or service providers every time a customer or user goes online.
So it was perhaps inevitable that new data privacy laws like the General Data Protection Regulation (GDPR) would be introduced to deal with the consequences of all this data sharing. GDPR is an EU regulation that comes into force on May 25, 2018. It will introduce more transparency, strengthen existing data protection requirements and introduce greater penalties for data security breaches.
Here’s what marketers in the eCommerce industry need to know.
What will you have to do?
GDPR has unique consequences for eCommerce companies precisely because you receive so much data via email marketing and sales orders. Some of the ways brands and retailers will need to maintain data after May 25 are as follows:
- Opt-In: you must obtain consent from consumers before collecting their data; no pre-ticked boxes or other pre-selected options will be allowed. You must also separate consent requests from any other terms and conditions.
- Granular: GDPR is clear that if customer data (e.g. an email address) is to be used for multiple marketing activities, you’ll need to seek approval for each of them separately. You must keep records to show when, how and to what the individual consented. The GDPR also places additional obligations on companies that profile and monitor the behaviour of EU individuals.
- Privacy Agreements: you need to be really clear from now on about what happens to customer data: where it goes and who is responsible for what happens to it, including the storage and processing of data, in particular when it comes to payment details. Signed privacy agreements will be needed for all third-party vendors who have access to your data.
- Application Security and Data Breach Notification: in-depth assessments will be required for high-risk areas, and all applications containing personal data will need to be secured. Everything you do with EU personal data will need to be registered, including where the data is stored. GDPR will require organisations to report certain data breaches to data protection authorities and, in some cases, to the affected data subjects.
How will this affect consumers?
Under the new regulation, consumers can find out how companies are using their personal data – which is why keeping those records is so key.
Consumers will have the right to access, correct, restrict or delete information that is held on them. GDPR will also change the way that consumers consent to having their data used for advertising or marketing purposes.
Under the new rules, consent must be clearly requested and freely given before you can collect or use a customer’s personal data. Consent must also be as easy to withdraw as it is to give.
Consumers will start to see a difference in how companies ask for consent and communicate what they are doing with their personal data. For eCommerce businesses, this means the challenge will be to convince customers or leads to continue sharing their data.
Start thinking now about what benefits you can offer them if they do so.
How to ensure GDPR readiness?
The introduction of GDPR should be viewed as an opportunity. Get it right and you could improve customer service, inspire greater consumer confidence, and steal a lead on your competitors, both literally and metaphorically.
Individuals can now ask an organisation for any data that relates to them, find out what it’s being used for, ask for a free electronic copy, or request that it all be deleted. To make sure that you’re able to respond to those requests, ask yourself these four questions now.
1. Can your systems cope? Do you have a system, software or tools that can cater for these demands? You may need to appoint a Data Protection Officer to handle requests and compliance issues.
2. Are your policies and opt-in processes up to date? You’ll need to update your privacy policies or change disclosures for the likes of email marketing. What changes will you need to implement to obtain the necessary consent from customers or leads? Look at incentives or rewards you can use to obtain consent, such as discounts or competitions.
3. What about third-party tools and assets? Are you using third-party apps or themes on your site, or do you use third-party cloud services? You’ll need to ensure that any sub-processors are GDPR compliant.
4. How will you retain or update current data? There’s still time to preserve important data that can aid and inform decision-making. It may be possible to anonymise your most valuable consumer data and retain it. Assess the personal data that you currently retain. Have you obtained explicit consent for it? Where and how is it being stored? Are you retaining useless personal data that could be deleted? Who can access it, and are there any potential security issues? These are the key questions that you’ll need to answer.
How to prepare for compliance breaches?
Data breaches can result in fines of up to 4 percent of your annual global turnover or €20 million, yet that’s not the only consequence. The last thing that any eCommerce site wants is the damage to its reputation and loss of custom that would result from a data breach.
GDPR requires that any data breach be reported to the data protection authority (DPA) within 72 hours and that any affected parties are notified, unless the data is encrypted or it doesn’t identify individuals. Encryption is therefore an obvious option to investigate.
Carry out a data security audit to search for any weak points or potential issues. Check for any vulnerabilities in your data flow, looking at how data moves within and beyond your organisation.
Familiarise yourself with the demands of GDPR by reading guides like this one. Training can help you understand how GDPR will affect everyday marketing processes or data retention policies.
Remember that knowledge is power. The best way to avoid compliance breaches is to know what you need to do to be compliant.
So you have read all of the above and are confident that you are GDPR ready? Well done! Now it’s time to get back to focusing on how you can optimise your eCommerce strategy. Check out our blog ‘3 Signs That Your Ecommerce Conversion Strategy Is Broken (And How To Fix it)’ to find out more about broken conversion strategies and some key things you can do to fix them.