Let’s talk about GDPR and what you can do to prepare
The EU’s GDPR legislation, created by ICO, will be changing the face of ecommerce marketing and communications. Are you ready for it?
The aim is to align the legislation with today's methods of data collection, and it will apply to all businesses from May 25th, 2018.
The definition of personal data is often the subject of debate. However, to make it a little easier to unpick, GDPR defines it as: “any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address”.
What does GDPR mean for my ecommerce business?
Some basics to be aware of:
- The deadline for compliance is May 25th, 2018
- Fines come in two tiers: 1st Tier is 10 million euros or 2% of annual global turnover; 2nd Tier is 20 million euros or 4% of annual global turnover
- Fines are not allocated based on company size but on your ability to show that you were at least on the journey to compliance and had processes in place, so it is really important to document every step taken towards GDPR compliance, including staff training
- You as the retailer are the Data Controller and are therefore liable even if one of your suppliers loses or mishandles the data
- You must notify the ICO of a data breach within 72 hours and in a high-risk breach you must tell the data subject or customer in a timely fashion too
- Behavioural or profiling data becomes personal data under GDPR if it can point to a real person
- Companies need to review the risks to data privacy before collecting any data
In short, this means that businesses must ensure that personal data is processed lawfully, transparently and for a specific purpose. Once that purpose has been fulfilled, the data is no longer required and should be deleted.
You will not be able to market to your database after 25th May 2018 unless you have explicit consent to market to those individuals. If you cannot prove the data was collected in line with GDPR’s standards, you must regain that consent before the deadline or discard the data.
GDPR also gives consumers the right to ask companies holding any data about them to delete it and also ask for a copy of their digital data.
What changes do I need to make?
Whilst this might seem daunting and full of complexities, if you start organising the key changes you need to make now, the transition to GDPR compliance will be smoother. Here’s a list of what you can start doing immediately:
- Educate everyone at your business and ensure they understand the gravity of this legislation so that they can make adjustments within their department.
- There will be checks by the ICO to ensure that companies are meeting the standards laid down in the GDPR. It’s strongly recommended that an individual in your company is assigned as the GDPR ‘go to’ who can ensure all demands are met.
- Your ‘Head of GDPR’ should start working on the company’s legal policy with a lawyer, put it into action thoroughly, and be able to prove you’ve done so – there’s no option to pay lip service to this.
- Think about why you are collecting data and simplify it if possible so you mitigate your risk. Consider what data you hold today and which of it will be subject to the new regulation: where is it stored, who has access to it internally and externally, and how could it be exposed, accidentally or maliciously?
- When collecting data you need to unbundle consent: each purpose needs its own clearly marked opt-in. Think about how you will word this and show it on your website, and get in touch with your agency asap to make any changes. You need to list clearly how you will use that data and who it will be shared with, so you must list all your third-party suppliers as well (if you use them).
- You need to be prepared to supply a customer with all the data you hold on them, including where and when you got their consent to market to them.
- The individual data record needs to be portable, so a customer could make that data available to another retailer if they wish, in the same way as you can with your bank or energy account.
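To make the last three points concrete, here is an added example (not code from the original post, and not Magento’s or the ICO’s own) of a small consent ledger: consent is stored per purpose rather than bundled, every grant or withdrawal records where and when it was captured and which third parties were named at the time, a subject access request returns the whole record in a portable machine-readable form, and erasure removes it. The purpose names, form ids and customer records are constructed for illustration.

```python
"""Consent ledger: unbundled opt-in consent per purpose, with an audit trail of where and when
each consent was captured, a portable subject-access export, and erasure on request.
All purpose names, form ids and sample customers are constructed for illustration."""
from __future__ import annotations

import json
from dataclasses import asdict, dataclass
from datetime import datetime, timezone

# Each marketing purpose gets its own consent so nothing is bundled (hypothetical names).
PURPOSES = frozenset({"email_marketing", "sms_marketing", "profiling"})


@dataclass(frozen=True)
class ConsentEvent:
    customer_id: str
    purpose: str
    granted: bool
    captured_at: str              # when: UTC ISO-8601 timestamp
    source: str                   # where: the form id or page the customer used
    shared_with: tuple[str, ...]  # third parties named on the form at capture time


class ConsentLedger:
    def __init__(self) -> None:
        self._events: list[ConsentEvent] = []
        self._profiles: dict[str, dict] = {}

    def register_profile(self, customer_id: str, profile: dict) -> None:
        self._profiles[customer_id] = dict(profile)

    def record(self, customer_id: str, purpose: str, granted: bool, source: str,
               shared_with: tuple[str, ...] = (), pre_ticked: bool = False,
               captured_at: datetime | None = None) -> ConsentEvent:
        """Append a consent or withdrawal event. Only an affirmative opt-in counts:
        a pre-ticked box the customer merely left alone is rejected outright."""
        if purpose not in PURPOSES:
            raise ValueError(f"unknown purpose {purpose!r}")
        if granted and pre_ticked:
            raise ValueError("pre-ticked boxes are not valid opt-in consent")
        when = captured_at or datetime.now(timezone.utc)
        event = ConsentEvent(customer_id, purpose, granted,
                             when.isoformat(), source, tuple(shared_with))
        self._events.append(event)  # append-only: the history is your evidence
        return event

    def current_consent(self, customer_id: str, purpose: str) -> ConsentEvent | None:
        """Most recent event for this customer and purpose, or None if never asked."""
        for event in reversed(self._events):
            if event.customer_id == customer_id and event.purpose == purpose:
                return event
        return None

    def may_market(self, customer_id: str, purpose: str) -> bool:
        """No record at all means no consent; only an explicit, unwithdrawn grant passes."""
        event = self.current_consent(customer_id, purpose)
        return event is not None and event.granted

    def subject_access_export(self, customer_id: str) -> dict:
        """Everything held on the person, in a form they can take to another retailer."""
        return {
            "customer_id": customer_id,
            "profile": dict(self._profiles.get(customer_id, {})),
            "consents": [asdict(e) for e in self._events if e.customer_id == customer_id],
        }

    def export_json(self, customer_id: str) -> str:
        return json.dumps(self.subject_access_export(customer_id), indent=2)

    def erase(self, customer_id: str) -> int:
        """Right to erasure: drop the profile and consent history; returns rows removed."""
        before = len(self._events)
        self._events = [e for e in self._events if e.customer_id != customer_id]
        removed = before - len(self._events)
        if self._profiles.pop(customer_id, None) is not None:
            removed += 1
        return removed


def build_demo_ledger() -> ConsentLedger:
    """Constructed sample data: one customer who opts in and later withdraws SMS consent,
    and one legacy customer who was never asked."""
    ledger = ConsentLedger()
    t0 = datetime(2018, 3, 1, 10, 15, tzinfo=timezone.utc)
    ledger.register_profile("cust-001", {"name": "A. Example", "email": "a@example.com"})
    ledger.register_profile("cust-002", {"name": "B. Example", "email": "b@example.com"})
    # cust-001 ticks two separate boxes at checkout; the form named the email provider
    ledger.record("cust-001", "email_marketing", True, "checkout_form_v3",
                  shared_with=("email-service-provider",), captured_at=t0)
    ledger.record("cust-001", "sms_marketing", True, "checkout_form_v3", captured_at=t0)
    # ... and a month later withdraws SMS consent from the account page
    ledger.record("cust-001", "sms_marketing", False, "account_preferences",
                  captured_at=t0.replace(month=4))
    return ledger


if __name__ == "__main__":
    demo = build_demo_ledger()
    print("email ok for cust-001:", demo.may_market("cust-001", "email_marketing"))
    print("email ok for cust-002:", demo.may_market("cust-002", "email_marketing"))
    print(demo.export_json("cust-001"))
```

The ledger is deliberately append-only: a withdrawal is a new event rather than an edit, so the record of where and when the original consent was given survives and can be produced to the ICO or the customer. A customer with no record at all (the legacy database the post warns about) fails may_market, which is the conservative default the deadline requires.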
More detailed information can be found on the ICO’s website at ico.org.uk/for-organisations/data-protection-reform, and we strongly recommend that you read it.
What we will be doing as a Magento agency to ensure we’re also compliant with GDPR
The extraterritorial effect of GDPR means our international partners need to be able to demonstrate compliance if they have access to the data we hold. So, for Diligent, because our Development team is off-shore, we will be ensuring that they comply with GDPR.
Any improvements that make the ecommerce ecosystem better in terms of security and transparency with consumers are fully welcomed by us. We support the GDPR movement and we are working hand in glove with our company legal team to ensure all elements of our business are compliant with GDPR.
If you have any questions about how we’ll be helping clients to improve security and privacy for their customers, call us on +44(0)207 7395745.