In 2018 a major change is coming to the world of eCommerce. By the end of May 2018 the entire European Union will be under a new data protection and privacy regulation, the GDPR, and it will affect every eCommerce business.
What is GDPR?
The EU General Data Protection Regulation (GDPR) is the most important concern for businesses at the beginning of 2018. In a nutshell, GDPR is designed to reinforce data privacy and protection. This means that any business which holds data on European Union citizens is subject to GDPR and risks heavy fines for not adopting the regulation on time: fines for failing to fully implement specific parts of the regulation can reach 4% of your company’s annual turnover.
The purpose of this regulation is to protect sensitive information and ensure that it is stored safely. Research shows that only 43% of European companies store their customer data in dedicated databases or CRMs. That leaves us with 47% of companies in which data is kept on paper, in spreadsheets or in email software, none of which is secure.
What kind of data are we talking about?
Most businesses store some kind of data about their customers or users, and GDPR applies to all personal data. This includes sensitive information such as phone numbers, addresses, user photos, bank account details and much else that online systems usually require during registration or payment.
Email addresses, cookies, IP addresses, device identifiers and other online identifiers are also considered personal data, and other items such as order history may be included as well.
To implement the GDPR on time, here are the 6 steps to follow.
Step 1: Get to know the regulation
If you are reading this, you’re probably the person responsible for implementing the GDPR for your company. In that case you probably need to read the regulation itself in order to set an action plan tailored to your business needs.
Step 2: Access your data
It might sound simple, since you certainly have access to your data, but you need to know where your company stores all the personal information about your clients. If you don’t have a CRM or database that you’ve been running for years, you’ll need to answer questions like:
- What personal data does my company collect?
- Why do we collect it?
- From which sources does it come?
- Where is the data stored?
- Who has access to it?
- How long do we keep it?
- Where is the data used?
The GDPR requires companies to prove that they know where personal data is stored and, most importantly, why.
Step 3: Inspect the data
Once all the questions are answered, the next step is to inspect the data in order to reduce your workload. First of all, delete all redundant, obsolete and trivial (ROT) data. Then start identifying all the relevant personal information about your customers by category and catalog. Standardization, data quality rules and pattern recognition are vital elements of this process, as are the right tools for GDPR compliance.
Step 4: Erase data you no longer need
According to GDPR, information cannot be kept indefinitely. Companies will be required to erase the data when:
- the agreement or service comes to an end;
- a partner organization requests that the information be deleted.
Step 5: Protect personal data
Cyber security needs to become a top priority, because the chances of your company’s data being compromised are too high to ignore. There are many ways to protect your data: encryption, backups, pseudonymization or anonymization. You need to make sure that your customers’ data won’t be compromised, and that’s where cyber security service companies can help.
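As an added illustration (not code from the original post), the following Python sketch shows the difference between two of the measures named above on a constructed set of eCommerce customer records: pseudonymization with a keyed hash (the same customer maps to the same token, so order analytics still work, but the token cannot be linked back without the key) versus anonymization of the IP address by truncation (irreversible). The record fields, the sample customers and the demo key are assumptions made for the example.

```python
import hashlib
import hmac
import ipaddress

# Constructed sample of the kind of records an eCommerce system holds
# (invented customers, not real data).
CUSTOMERS = [
    {"email": "alice@example.com", "phone": "+44 20 7946 0000",
     "ip": "203.0.113.45", "order_total": 120.50},
    {"email": "bob@example.com", "phone": "+44 20 7946 0001",
     "ip": "2001:db8::1", "order_total": 39.99},
    {"email": "Alice@Example.com", "phone": "+44 20 7946 0000",
     "ip": "203.0.113.45", "order_total": 15.00},
]


def pseudonymize(value: str, key: bytes) -> str:
    """Keyed hash (HMAC-SHA256) of a normalised identifier.
    Same input -> same token, so repeat customers stay linkable;
    without the key the token cannot be reversed or brute-forced
    from a list of candidate emails, which a plain SHA-256 would allow."""
    digest = hmac.new(key, value.strip().lower().encode(), hashlib.sha256)
    return digest.hexdigest()[:16]


def anonymize_ip(ip: str) -> str:
    """Drop the host part of the address (/24 for IPv4, /48 for IPv6)
    so it no longer identifies a single device. This is irreversible."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(net.network_address)


def minimise(records, key: bytes):
    """Build an analytics copy: pseudonymous customer token, truncated
    network, order amount kept; phone number dropped because analytics
    do not need it (data minimisation)."""
    return [
        {"customer": pseudonymize(r["email"], key),
         "network": anonymize_ip(r["ip"]),
         "order_total": r["order_total"]}
        for r in records
    ]


if __name__ == "__main__":
    # In production the key lives in a secrets store, never beside the data.
    demo_key = b"constructed-demo-key-not-for-production"
    for row in minimise(CUSTOMERS, demo_key):
        print(row)
```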
Step 6: Start monitoring
It is crucial to start reporting on your company’s GDPR compliance. Since these policies and requirements can take years to implement, your company needs to demonstrate and specify the steps you are taking to meet GDPR. To do that you need to:
- Know what kind of personal data your company collects and where it is located;
- Show that you and your team properly manage the process;
- Prove how and when personal data is used, for what purpose, and who uses that information;
- Have fully working processes in place to manage things like data breach notifications, the right to be forgotten, and more.
It is important to mention that data breaches must be reported too: the EU authorities must be notified within 72 hours of any kind of breach in your company.
Specific steps to take for eCommerce businesses
Online businesses hold a huge amount of personal data. That’s why this regulation is truly important for eCommerce, and why a couple of extra steps should be taken:
- Ensure data is accurate. Whenever a customer updates personal information, you need to update it in your database and in all third-party sources as well.
- Enable opt-outs for cookies and other online identifiers.
- Record clear opt-ins (no pre-checked boxes, no fine print).
- Make sure you are capable of exporting and sharing all of a customer’s data within one month of a request.
- Make sure you are capable of deleting all of a customer’s data and records, from all your sources, within one month of a request.
It’s all for the better
The transparency and care brought about by GDPR might be the key to fully understanding your customers and improving the relationship. It is an opportunity to adopt proactive and healthy data practices and to eliminate your customers’ fears. Think of it as a spring cleaning inside your company that will only lead to better results in the future.