On the 28th May 2018, the General Data Protection Regulation (GDPR) will officially replace the existing EU Data Protection Directive, including new infringements of fines up €20 Million or 4% of worldwide annual turnover. But what is GDPR and how will affect e-commerce businesses?
What is GDPR?
First adopted in April 2016, GDPR is the European Union’s (EU) new data privacy law. In short, GDPR will aim to give the consumer more rights over their personal data. For instance, when GDPR comes into full effect, there will be a requirement to allow “explicit” and “unambiguous” consent for companies to use their data to be used for different purposes. This means companies will now have to be very clear as to what the consumer is giving consent to and what their details are going to be used for. This new Regulation also aims to give consumers more clarity about what information being held is used for specifically and for which time periods.
GDPR will affect data processors, who handle data on behalf of their customers and data controllers, who own the customer relationships. However, perhaps one of the most important aspect of GDPR is that it will affect any company that has dealings with European customers, whether they are a EU based company or not.
Will Brexit affect GDPR?
In short, no, Brexit will not affect GDPR. While it’s still unclear on what the law will be after Britain leaves the EU, you can expect it to largely stay the same as the GDPR principles that are currently in place now. Furthermore, if your store has customers outside of the UK and in the EU, you will still need to comply with the EU GDPR. It is also important to note that the UK is expected to leave the European Union on Friday 29th 2019, ten months after GDPR will come into action. So as long as the UK is in the EU, if you are a UK based e-commerce business, you will still need to compliant.
So, how will it affect e-commerce?
GDPR will affect every business small or large, and the penalties for non-compliance are huge. The biggest industry to be affected by GDPR will be the finance sector, but that’s not to say that your e-commerce business will not be affected by the changes. GDPR will affect every business that will have business with EU customers. Therefore, precautions and new procedures must be put in place to ensure full compliance.
One big way it will affect e-commerce is consent. In e-commerce, email marketing is a very effective tool and one that every e-commerce business will use to interact with their customers. Under the new GDPR, clear affirmative consent is needed from the user and pre-ticked boxes are no longer permitted. The ICO also confirms that when obtaining consent requests, they must be:
- Unbundled – separate from other terms and conditions
- ‘Opt-in’ not ‘Opt out’ – you will now to ask customers if they want to be contacted for marketing purposes, rather than asking them if they do not
- Granular – consent much be given to each marketing activity
- Named – the consent request must name every organisation and third party that will use the data
- Documented – a record of when, how and what the user has gave consent to must be kept
Access to data
Granting access to data is also a massive step in how GDPR will affect e-commerce businesses. Customers will now be given access to their personal data and businesses must have procedures in place to deliver this to their customers quickly. However, what is classed as personal data under GDPR is broad. Anything from a consumers IP address to their email address can be classed as personal data, alongside anything that can be directly or indirectly refer to the data user.
What can you do to prepare?
So now that we have established how your store can be affected: what can you do to prepare for it? The GDPR is due to come into effect on the 28th May 2018 and stores must be compliant by that date. Whether you are a large enterprise or a small business will decide the level of punishment you will receive. ICO treat smaller businesses differently from large enterprises.
On the ICO website, they have prepared twelve steps for you to take now. This can be:
- Awareness – make the relevant staff aware
- Information you hold – start to document what information you hold, where it came from and who you share it with
- Communicating privacy information – review your current privacy procedures and put in place changes in time for GDPR implementation
- Individuals rights – check your current procedures to see if they cover all the rights individuals are entitled to, including how you would provide data to customers easily and in an widely accessible format and how you would delete personal data
- Subject access request – check what procedures you have in place to allow your customers access to any information they request
- Legal basis for processing personal data – check what type of data processing you use, identify what legal use you have for it and document it
- Consent – review how you are seeking, obtaining and recording consent
- Children – if you are storing data about children (usually defined as anyone under 13 years old) then you now need parental consent so consider how this will affect your business
- Data Breaches – have the correct procedures in place to detect, report and investigate any data breaches
- Data protection by Design and Data protection impact assessments – find out how Privacy Impact assessments can be used for your business
- Data protection officers – designate a data protection officer or someone to take responsibility for data protection and how this officer will interact with other departments/staff
- International – if you determine where your most important decisions are made about data processing, then this will be where you supervisory authority you will come under
You can find out more information about these steps here:
It is important to point out that while these are good guidelines to follow, as an e-commerce business the best way to prepare for GDPR is to be totally transparent! GDPR is designed to make e-commerce better by making it clearer for your customers. By showing your customers what information is being stored and what its being used for, your customers may feel more confident when visiting your store. Try to see GDPR as an opportunity for you to increase your brand image and not a set of rules and regulations you must abide by!