On May 25th 2018, a new law gets introduced – the General Data Protection Regulation (GDPR). This affects the handling of data pertaining to everything from medical records, online activity and financial records, for all European customers. It applies to all businesses that provide products or services in Europe. For companies that are not GDPR compliant, there can be some serious repercussions including hefty fines up to €20 million (or 4% of annual revenue).
A little more about GDPR
GDPR was passed in the EU parliament in 2016 and was built upon the 1995 Data Protection Directive. Its primary purpose is to give individuals the right to access, correct, delete and restrict processing of their data. It aims to protect personal data of individuals by enforcing higher levels of transparency in how companies collect, store and use personal data of individuals.
GDPR categorizes people into the below three players:
1) The Data Subject: This is your customer, user or employee – essentially anyone that provides personal data
2) The Data Controller: This is you – the business that is offering goods and services in the European region and the one responsible for explaining how the personal data of the Data Subject will be stored and used
3) The Data Processor: These are your tools – including your ERP solution, eCommerce platform, marketing software, shipping solutions and more – that have access to some or all of the Data Subject’s information.
The main aim of GDPR is to protect the rights of individuals by instilling a practice to be more transparent about how their data is collected, stored and used.
To be GDPR compliant, there are two questions you should always ask yourself:
1) Is this information necessary and do we need to collect it?
2) Have we informed our customers and prospects of how we are collecting, storing and using this information?
Common practices that are not GDPR compliant
Pre-checked boxes or implied consent
Its a common marketing practice to use a form that pre-selects the ‘Subscribe to Newsletter’ box for the user. Users would usually have to opt out of the box in order to not be added to the mailing list. Looks something like this:
Don’t do this.
Make sure that the box is left unchecked and that the user has to manually opt-in to your mailing list in order to receive your online communication. Also, ensure that the description clearly states what the user is signing up for. A good example would be something like this:
This includes landing pages! If you have a landing page for collecting leads, your leads need to manually opt-in for newsletter subscriptions in order for you to be able to continually email them. They may not be added to your mailing lists after signing up.
The takeaway here is to avoid assuming that your customers would like to hear from you and to make sure you have explicit (manual opt-in) consent from the ones that you are communicating with.
Gathering too much information
As a rule of thumb for contact forms as well as GDPR compliance, gathering too much information is bad practice. You must have heard multiple marketers tell you that the more information you collect, the better. However, research shows that having multiple-field, information-rich contact forms can deter someone from filling out the form at all! On top of that, if you have not explicitly mentioned why you are collecting every piece of information in that form, you are not GDPR compliant.
Instead, make sure your contact forms are concise, request only the information that you absolutely need, and ensure that you have outlined the purpose of this information explicitly somewhere on your eCommerce store.
If you want to gather additional information, consider making some fields optional. Allow your customers to make the decision on whether they would like to give out that information or not. This will also help improve your conversion rates!
Hard-to-read or non-existent cookie and privacy policies
– Who is collecting the data?
– What data is being collected?
– What is the legal basis for processing the data?
– Will the data be shared with any third parties?
– How will the information be used?
– How long will the data be stored for?
– What rights does the data subject have?
– How can the data subject raise a complaint?
Retaining information after a customer has left you
As per the GDPR, if a customer requests for their personal data to be corrected, restricted or deleted, you must comply within reasonable time. Also, your eCommerce site needs to have detailed information on how a customer can request for these changes including who they can reach out to and how the request will be processed.
This can be a little bit of a grey area with eCommerce, since in some countries, stores need to maintain order information for certain periods of time for various purposes including for taxes. Per the GDPR, personal data should not be retained for longer than necessary and should be deleted when it has served its purpose. We would recommend that you, along with a lawyer, decide as a company what this looks like for your company and define your ‘reasonable time’ before the GDPR goes into effect on the 25th of May.
The GDPR also introduces new rights such as the Right To Be Forgotten (RTBF). If a customer requests to have their data deleted after completing business with you, you should be able to comply with this request within your defined reasonable time.
Third Parties and how they affect your GDPR compliance
Most eCommerce companies use external software and/or work with third-party companies for various purposes such as marketing, legal work and customer service.
While it is the responsibility of the software companies to ensure that their software is GDPR compliant, it is your responsibility to make sure every aspect of your business, internal or external, is compliant by GDPR standards.
When sharing Date Subject information with external firms and agencies, it is recommended to set terms and conditions that explicitly outline what information will be gathered and the purpose it will be used for. It is also recommended to have explicit terms on the safe storage of this information including who will have access to it, where will it be stored and what is the process of deletion after the work is completed.
GDPR is a serious change in how eCommerce stores conduct business and in the integral marketing practices that have been around for the last decade. We highly recommend to prepare for these changes, if you have not already.
1) Ensure that your data collection and marketing processes are well laid out and GDPR compliant
2) Consult a data protection officer and a lawyer to make sure that your privacy and cookie policies are compliant
3) Make sure that you have informed and trained your team on GDPR in order to avoid inconsistencies and errors
2) Guide to data protection by Information Commissioner’s Office
4) GDPR Rules for Business and Organisations by European Commission
Have a question about GDPR and eCommerce (or Sage eCommerce)? Send us an email at firstname.lastname@example.org and we would be happy to address your concerns!