GDPR Compliance for Ecommerce Store
What does the EU’s General Data Protection Regulation (GDPR) mean for e-commerce businesses, and does it also affect businesses outside of the EU?
What is the GDPR?
The GDPR is a set of regulations regarding the collection, storage and use of customer data that affects all companies doing business inside the EU. It applies not only to EU-based companies but also to any company worldwide that has customers, employees or users located within the EU.
The GDPR places equal importance on all forms of personal customer data: photos, social media posts, IP addresses, bank details and any identifying numbers such as NI numbers or SSNs. All personal customer data, regardless of origin, should be opt-in only, stored securely and used only with the customer’s explicit permission.
The GDPR does offer some leeway with regard to a “reasonable” level of security and the usage of social data. But in all cases the customer or user has to give explicit opt-in consent for data storage and usage; pre-filled check-boxes and consent “hidden” within terms and conditions or privacy texts are not allowed.
The GDPR defines three profiles for data handling:
- Data Subject: The customer, user, employee – anyone providing identifying personal data.
- The Data Controller: The business offering services or goods, which states how and why personal data is used and is responsible for the safe storage and use of that data.
- The Data Processor: All third-party suppliers that handle user data, as well as any internal teams employed to do similar work, such as an internal accounts team.
How will this affect e-commerce businesses?
The GDPR applies to all databases, marketing, sales, HR and accounting; any way data is stored or processed falls under the new regulation. Here are a few key findings from the GDPR statement:
Clear consent for marketing activities
As mentioned above, data subjects (customers, employees, users) must actively opt in to marketing activities: no more pre-filled check-boxes or consent below the fold. Whilst this has been best practice for many marketers, what may impact some is the “Use of data for 3rd parties” checkbox, which must now specifically list the third parties that may have access to the data. All of the above will impact the marketing industry, especially when it comes to personalization, profiling and any marketing activities that involve big data processing.
The right to be forgotten
It must be easy for customers not only to edit their data and withdraw consent to marketing activities but also to delete their account and information entirely from a system. The deletion process must be easy to navigate, documented and advertised for those looking to remove their personal data.
Immediate breach response
As of May next year, both controllers and processors of customer data will need to abide by the GDPR. For larger companies, a Data Protection Officer must be appointed, whose first responsibility is to report data breaches and misconduct to the ICO. Online businesses must have a stringent procedure to follow when a data breach is detected, and must report to both the ICO and the affected data subjects within 72 hours.
Increased fines for non-compliance, breaches, and misuse
With fines of up to €20 million, or 4% of annual revenue, SMEs simply can’t afford to make mistakes. Data must be stored securely. Businesses are responsible for how and where their data is stored, and for e-commerce companies utilizing third-party software partners this may mean multiple locations. Encryption is a must, and strict rules must be in place for data access.
As I finish putting these thoughts together, you may have come to the same conclusion: this is just the beginning of GDPR as an attack surface. As May 25th fast approaches, it is worth considering the similar risks that will manifest after enforcement begins. More orchestration between vendors and their customers will likely be required. Obligations, Urgency and Attachments will be at the center of many engagements moving forward, and will create a ripe environment for compromise absent suitable preparation and prevention strategies.