This post is for educational purposes only. It offers general information and a general understanding of the law, not specific legal advice. Our blog should not be used as a substitute for competent legal advice from a licensed professional attorney in your country or state.
WHAT IS THE GDPR?
The GDPR applies to any organisation established in the European Union, and to organisations outside the EU that offer goods or services to, or monitor the behaviour of, people in the EU. All of them must comply with strict new rules on the collection, storage and use of personal data.
The GDPR treats all forms of personal data as in scope: photos, social media posts, IP addresses, bank details and any identifying numbers such as NI numbers or SSNs (with extra protection for "special category" data such as health, biometric or political data). Personal data, regardless of where it was collected, must have a lawful basis for processing (for marketing this is normally opt-in consent), must be stored securely, and may be used only for the purpose the data subject was told about.
However, the GDPR rules are not prescriptive. They require "appropriate" technical and organisational security measures, proportionate to the risk, leaving a grey area as to whether social media data should be protected in the same way as bank credentials. One thing is clear: where consent is the basis, users must give a clear, affirmative opt-in for their data to be stored and used in any way. Pre-filled consent checkboxes and consent hidden in long T&Cs will be a thing of the past.
GDPR distinguishes three profiles when it comes to handling data:
The Data Subject: The customer, user, employee - anyone whose personal data is collected.
The Data Controller: The business offering services or goods that decides how and why personal data is used, and is responsible for the safe storage and use of that data. Internal teams such as an accounts department act on behalf of the controller and are part of it, not separate processors.
The Data Processor: A separate organisation that processes personal data on the controller's behalf and under its instructions, such as third-party suppliers like Shopify, an ERP provider, MailChimp or UPS. Controllers must have a written contract (a Data Processing Agreement) with each processor.
How will this affect e-commerce businesses?
The GDPR applies to all databases, marketing, sales, HR and accounting; any way personal data is stored or processed falls under the new regulation. Here are a few key points from the GDPR text:
Clear consent for marketing activities
As mentioned above, data subjects (customers/employees/users) must actively opt in to marketing activities: no more pre-filled checkboxes or consent below the fold. Whilst this has been best practice for many marketers, what may impact some is the "use of data by third parties" checkbox, which must now name the specific third parties that may receive the data, and consent must be recorded so it can be demonstrated later and withdrawn as easily as it was given. All of the above will impact the marketing industry, especially when it comes to personalisation, profiling and any marketing activities that involve big data processing.
The right to be forgotten
It must be easy for customers not only to edit their data and withdraw consent to marketing activities but also to have their account and personal data erased entirely from a system, including from processors the data was shared with. Whilst many companies offer account deletion, it can be an extended process (e.g. Amazon's policy of placing a phone call to an Amazon representative before account deletion rather than an online process), and this process must be easy to navigate, documented and advertised for those looking to remove their personal data. The right is not absolute: data that must be retained for legal reasons, such as tax records, can still be kept.
Immediate breach response
As of 25 May 2018, both controllers and processors of personal data will need to abide by the GDPR. Organisations whose core activities involve large-scale monitoring of individuals or large-scale processing of special category data (and all public authorities) must appoint a Data Protection Officer, who advises on and monitors compliance and acts as the contact point for the supervisory authority (the ICO in the UK). Online businesses must have a stringent procedure to follow when a data breach is detected: the supervisory authority must be notified within 72 hours of becoming aware of a breach that poses a risk to individuals, and the affected data subjects must be informed without undue delay where the breach is likely to result in a high risk to them. Processors must report breaches to their controller without undue delay.
Increased fines for non-compliance, breaches, and misuse
With fines of up to €20 million or 4% of annual worldwide turnover, whichever is higher, SMEs simply can't afford to make mistakes. Data must be stored securely. Businesses are responsible for how and where their data is stored, which may be multiple locations for e-commerce companies using third-party software partners. Encryption and pseudonymisation are named in the regulation as appropriate security measures, and strict rules must be in place for who can access the data and why.
The transition may be easier for e-commerce companies operating in the cloud. Large entities have the resources to commit to becoming fully compliant, so companies such as Shopify and Dotmailer will have begun work on a solution when the regulation was adopted over a year ago. Businesses that rely on in-house servers or custom-built software will need to hire a team to audit and test their security for weaknesses and put in place processes to protect the data from input to deletion.
Shopify has taken steps to ensure they are compliant by 25 May 2018, including:
Appointing a Data Protection Officer.
Adding a Data Processing Addendum to terms of service.
Delivering GDPR training to key teams to ensure future Shopify developments are compliant.
Implementing a Data Protection Impact Assessment process.
For further information, please read Shopify's post "Shopify and the GDPR".
However, each merchant is, in GDPR terms, the Data Controller and is therefore responsible for the collection and safe storage of their customers' data. This also includes gaining consent from customers and visitors to use their data in a GDPR-compliant way; using a compliant platform does not transfer that responsibility.
We have more posts below on the topic of GDPR.