The General Data Protection Regulation (GDPR) is coming in across the EU next year and it’s going to have an impact on almost every business. GDPR matters for ecommerce firms because they collect plenty of data every time someone places an order, signs up to a newsletter or conducts customer research. So if you’re an online retailer you need to be really prepared.
GDPR was designed to strengthen the rights of the individual when it comes to how their data is collected, used, and stored. It’s going to replace the existing directive around data protection and, following a two-year transition period, comes into force on 25 May 2018. It will apply to all businesses trading within the EU, so even if you’re based outside of the bloc but target countries within the union, you will need to comply.
But how do these regulations affect e-commerce businesses? Here are three key ways your business will be affected when complying with the new rules.
Recognising and acting on breaches
Firstly, GDPR places a greater emphasis on the security of the data you’re holding. After high-profile cases of data leaks, it should come as no surprise that consumers are worried about how their personal details are stored. From May 2018 you will need to have processes in place to recognise data breaches should your website be attacked. Furthermore, you’ll need to inform individuals who have been affected. For many ecommerce businesses, this means setting new protocols and either making a new hire or working with an established IT security firm or highly security-conscious data processing partners.
Implementing the right to be forgotten
Under GDPR individuals will have the right to be forgotten. That means should it be requested, you’ll have to remove all traces of the person from your database. The way to request the right to be forgotten will need to be accessible to the average user and simple to complete. If it’s not an option you already include on your website and various forms of communication, it’s something that you’ll need to update over the coming months to ensure you comply. Again, talk to your partners about what this means practically for your business and how you will specifically action such requests. It’s all about ensuring that personal data is removed and not necessarily about completely deleting all traces of all data about a customer.
Gaining consent for marketing activities
For e-commerce businesses, their database of leads and past customers is invaluable. But how you build your databases could be about to change. You’ll now need to gain explicit consent from each individual who is yet to buy from you, to be part of your marketing activities.
Remember that electronic forms of marketing fall under a separate agreement – PECR – which is due for an update in 2019. This means that you can legitimately continue to digitally market to customers who’ve purchased from you, as long as you’ve given them a chance to opt out at the point of purchase and continue to give them a chance to opt out in every digital marketing communication (email, SMS etc.). But when it comes to Direct Mail marketing, you need to be clear that you’re processing their data under legitimate interest if you wish to re-market to them without consent. And you absolutely can’t, in our view, use legitimate interest to market to non-customers via Direct Mail, so consent is needed there. Many of our clients have opt-in forms specifically related to Direct Mail catalogues and brochures. This ensures you only send such marketing to people who really want it, and given the cost of Direct Mail these days, why would you want to send it to a bunch of people who show no interest?