GDPR for Ecommerce
On May 25th 2018, Data Protection legislation changes in the EU and this affects every online seller that sells to Europe, even if they’re not based in the EU itself.
I’ve gone through a lot of posts, videos and webinars and have done my best to construct an article designed for the multichannel online seller.
But first off, I must disclose that this is not official legal advice and it is still worth speaking to a GDPR specialist to ensure your business is 100% legal. The main aim for this guide is to give you a better understanding of the terminology used and help you address areas in your business that could be affected.
High-Level Overview of GDPR
As an online seller, you are likely to hold personal data on your customers, and under GDPR you are classed as the “Controller”. You are also likely to share this data with third parties such as MailChimp, Shopify or Google, which GDPR classes as “Processors”.
When GDPR kicks in, every citizen in the EU will have the right to ask the controllers (you) to take action on personal data held on them in the following ways:
Right to be forgotten
An individual may request that you delete all personal data held on them without undue delay. This covers data held by you and by the third parties you use (the “processors”).
Right to object
The individual may prohibit you from using their data for certain reasons or actions. An example here is a customer who does not mind you holding their data for a warranty but does not want to be marketed to.
Right to rectification
Individuals may request that incorrect data be corrected and incomplete data be completed.
Right to access
Individuals have the right to know what data about them is being processed and how.
Right of portability
Individuals may request that their personal data held by one organisation be transferred to another.
It is important to highlight that if you receive one of the requests above, it is your responsibility as the controller to action it and to do your very best to ensure your processors comply too.
GDPR is important, and even though the more you read into it the more it seems focused on tackling larger businesses like Facebook and Google, it is still legally binding for companies of all sizes.
The penalties are serious, and depending on the level of infraction you could be fined up to 4% of your global turnover or 20 million euros, whichever is the greater.
It is also important to keep your records in order, as companies could be fined 2% of turnover for not taking appropriate measures.
What Classes As Personal Data
GDPR classes as personal any data that could be used to identify an individual. This personal data can include:
- Social Media Accounts
- Medical Info
- IP Addresses
- Bank Details
- Racial/Religion Information
The general rule of thumb is if it is personal to that individual then it is likely to be classed as personal data under GDPR.
It is also important to know that parental consent must be given to process any data for under-16s.
Under GDPR, any situation where an outside entity gains access to user data without the individual’s permission (a data breach) must be reported within 72 hours to the appropriate data protection agency.
The Useful Part – Areas To Address
The main role of GDPR is to ensure data is used only for its intended and consented purpose. For example, if a customer purchases a product from you on eBay, that personal data should be used solely to process that order and should not then be used to market your website.
Here are some key areas an online seller will need to address in their business.
If you are emailing people on your mailing list, make sure your sign up form explains what you are using their data for in layman’s terms. Keep it clear and simple.
Make sure there are no pre-ticked boxes or anything that could be classed as unclear, and enable a double opt-in feature on your email marketing.
If you feel that your current mailing list may not be GDPR compliant, run an email campaign on your current list explaining why and giving subscribers the opportunity to resubscribe or be forgotten. You may not want to do this, but if people are going to unsubscribe then they probably weren’t right for your mailing list in the first place.
Under GDPR you must have consent or another legal basis for processing data, such as where the processing is necessary for the performance of a contract (in this case we assume the processing of an order).
When processing customers’ orders, make sure you know all the different parties (processors) you will transfer their personal data to in relation to the order.
Make sure all the processors are GDPR compliant, keep a record of their GDPR policy and the means of contacting them regarding a GDPR request. Build a process, make sure the process is documented and keep yourself covered.
Make It Easy And Transparent
If you want to use someone’s data then you need to be honest about it and explain exactly what you want to do with the data (e.g. marketing products to them, using it for market research, etc.).
On your website, make it easy for an individual to contact you regarding data requests by including a link on your website and in your email footer. Your company should have an appointed data controller who is responsible for making sure the requests are actioned.
Include in your privacy policies all the third parties you work with and how your customers’ data will be processed by using them.
The Legal Amount
Data you collect must be the minimum amount needed for its purpose, and once it has served its purpose the data must be deleted.
Basically, if you’re not going to use the data, don’t ask for it, and once it has served its purpose, if you can’t justify keeping it, delete it.
The final takeaway
- Build a list of all your processors (third parties you send personal data to)
- Make sure your processors are GDPR compliant and that you keep a record of their GDPR links and contacts
- Ensure your customer list is GDPR compliant and that the personal data you hold is being used with the individual’s consent
- Have a process in place for any requests you may receive, and ensure this process is documented
- Only ask for data you need and make sure you explain what it is used for
- If you no longer have any use for the data then delete it
Here are some great links for further reading and if you have any information to add about GDPR please do comment below.