N.B. This article serves as a guide and does not constitute legal advice. For official advice, speak to a specialist legal expert.
25 May 2018 is when the General Data Protection Regulation, or GDPR as it’s known, comes into force. It affects almost every business handling the personal data of people in the EU, from huge corporations to small companies selling rubber ducks on Etsy. It matters, too, because fines of up to €20m or 4% of worldwide annual turnover, whichever is higher, can be issued to firms that don’t comply.
For eCommerce stores there’s a lot to know. From website security to purchase data, there is a great deal to consider and get straight before the law comes into effect. This guide aims to be a thorough resource for the range of issues involved in running an online store.
1. Data Consent
2. Data Collection
3. Giving Customers Control
4. Storing Customer Data
5. Website Security
6. Data Breaches and Notifications
7. Accessing, Exporting and Deleting Data
8. Using Plugins and Extensions
9. Email Marketing and Remarketing
Data Consent
This is really what it’s all about. Do customers know you’re storing their data? How long are you storing it for? And is it really necessary for the business to operate?
Anywhere you collect data, be totally clear about these points. On any page with form fields, particularly for personal information, provide a notice that establishes how the information will be used, who is collecting it, and who is responsible for storing and processing it (in GDPR terms, the data controller and any processors it uses). Many websites already show this as a trust factor, but from May it will be a legal requirement.
In the example above, Sainsbury’s has been careful to split the agreements out rather than bundling everything into one consent checkbox. That matters: GDPR requires consent to be specific and granular, so a single box covering account terms, marketing emails and third-party sharing would not stand up.
Data Collection
Collecting data is clearly important for a number of reasons. Knowing customers’ buying habits helps us present products they may be interested in. Knowing things like age and gender helps us tailor remarketing strategy. Saved payment details make checkout smoother (though card numbers themselves should be tokenised by your payment provider rather than held in your own database, which is also what PCI DSS expects). But how long should we store this data for? GDPR does not set a fixed period; its storage limitation principle says personal data must not be kept longer than necessary for the purpose it was collected for. So every store, no matter how big, should decide and write down how long it will keep each kind of data, and delete it when that period is up.
It is also worth reconsidering what information is actually being used for. A lot of websites ask for a company name, or require several forms of contact information. Is this necessary? Do you need a phone number from someone buying a laptop case online? The delivery company may need it, but if your company doesn’t, there is no point asking for it. GDPR calls this principle data minimisation.
To a lesser extent, but something that may present an issue in the future, is how long cookies persist. This may fall under the remit of your development team, but cookies have an expiry time, and Google Analytics uses them to recognise returning browsers and delimit sessions; its _ga cookie lasts two years by default. Cookies that stay valid for years seem excessive. If someone hasn’t made a purchase, it probably isn’t necessary to keep information about the visit for longer than a few months.
Giving Customers Control
One way stores can protect themselves is by giving customers control of the information held on them. The Account Settings area can provide a transparent way for customers to see what information you have and what it is used for. Much as Facebook has changed the way users control their privacy settings in recent years, eCommerce stores could give customers access to their data and privacy settings, so they can delete information they do not want stored.
Giving customers this control also reduces the time-consuming subject access requests that consumers are entitled to make once the new law comes in. If they can manage the data your store keeps, they will be less likely to initiate a formal request.
Storing Customer Data Safely
Reputation has always been a priority for website owners, as a data breach can have a really negative impact on public perception. But GDPR now requires companies to have taken appropriate technical and organisational measures to protect consumer data. If the authorities deem those measures inadequate, it could result in a fine.
Website Security
Switching to a secure HTTPS connection is essential practice for ecommerce stores. If you haven’t switched already, it’s worth every penny. Not only is it safer for data in transit, it is now a Google ranking factor, so it could increase your organic visibility. Browsers now mark pages with form fields as “Not secure” if there isn’t a secure connection, which can really influence a customer’s decision to buy. Switching is not just installing a certificate: redirect every HTTP request to HTTPS, send a Strict-Transport-Security header so browsers stop trying plain HTTP, and mark session cookies Secure so they are never sent in the clear.
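To make that HTTPS checklist concrete, here is an added example (written for this article, not code from any store or platform it mentions) that inspects one HTTP response and reports the gaps: a plain-HTTP request that is not permanently redirected to HTTPS, a missing or short HSTS max-age, and cookies without the Secure, HttpOnly and SameSite attributes. The three responses are constructed for a hypothetical shop.example site, not captured traffic, and the one-year HSTS threshold is an assumed policy.

```python
import re
from urllib.parse import urlsplit

# Minimum HSTS max-age worth accepting: one year (assumed threshold for this example).
MIN_HSTS_MAX_AGE = 31536000


def check_transport_security(url, status, headers):
    """Return a list of findings for one HTTP response.

    `headers` is a list of (name, value) pairs rather than a dict,
    because Set-Cookie may legitimately appear several times.
    """
    findings = []
    scheme = urlsplit(url).scheme.lower()
    by_name = {}
    for name, value in headers:
        by_name.setdefault(name.lower(), []).append(value)

    if scheme == "http":
        # A plain-HTTP request should be sent to the HTTPS origin with a
        # permanent redirect; anything else leaves a downgrade path open.
        location = by_name.get("location", [""])[0]
        if status not in (301, 308) or not location.lower().startswith("https://"):
            findings.append("http request not redirected to https with a permanent redirect")
        return findings  # the remaining checks only apply to the HTTPS response

    sts = by_name.get("strict-transport-security", [""])[0]
    match = re.search(r"max-age=(\d+)", sts, re.IGNORECASE)
    if not match:
        findings.append("missing Strict-Transport-Security header")
    elif int(match.group(1)) < MIN_HSTS_MAX_AGE:
        findings.append("Strict-Transport-Security max-age below one year")

    for cookie in by_name.get("set-cookie", []):
        attrs = [part.strip().lower() for part in cookie.split(";")]
        name = attrs[0].split("=", 1)[0]
        if "secure" not in attrs:
            findings.append(f"cookie {name} lacks Secure flag")
        if "httponly" not in attrs:
            findings.append(f"cookie {name} lacks HttpOnly flag")
        if not any(attr.startswith("samesite=") for attr in attrs):
            findings.append(f"cookie {name} lacks SameSite attribute")
    return findings


# Constructed responses for a hypothetical store, not captured traffic.
PLAIN_HTTP = ("http://shop.example/checkout", 200, [
    ("Content-Type", "text/html"),
])
WEAK_HTTPS = ("https://shop.example/checkout", 200, [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "session=abc123; Path=/"),
])
HARDENED_HTTPS = ("https://shop.example/checkout", 200, [
    ("Content-Type", "text/html"),
    ("Strict-Transport-Security", "max-age=63072000; includeSubDomains"),
    ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
])

if __name__ == "__main__":
    for label, response in [("plain", PLAIN_HTTP), ("weak", WEAK_HTTPS), ("hardened", HARDENED_HTTPS)]:
        print(label, check_transport_security(*response) or ["ok"])
```

Feed it the status and headers from whatever HTTP client you use against your own store, once over http:// and once over https://. An empty list means those checks passed, which is worth re-running after a certificate renewal or a hosting migration, since both are common points at which redirects and cookie flags quietly regress.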
Deciding where customer data will be stored and who has access to it is an important decision that should be reviewed as part of GDPR preparation. For a larger store, a managed database with encryption at rest, regular backups and network access limited to the application servers is probably the best option. It may cost more, but it limits the threat from lost or stolen storage, malware and data corruption. Bear in mind that encryption at rest does nothing against an attacker who obtains the application’s own database credentials, so access control matters at least as much.
Of course, encryption is only part of data protection. Credential hygiene is essential: weak, shared or reused passwords are one of the easiest ways into a database, so someone needs to be in charge of it. That means unique strong passwords for every admin, database and hosting account, multi-factor authentication where the platform offers it, access limited to the people who actually need it and removed promptly when they leave, and credentials rotated whenever a compromise is suspected. Larger firms often employ someone to manage data security; depending on the size of your store it may be worth considering.
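As an added illustration of “encryption is only part of it” (example code written for this article, not from the original page or any platform it mentions): even if the database is encrypted at rest, an attacker who reads the customers table gets whatever is in the password column. Customer passwords should therefore be stored as salted, deliberately slow hashes rather than encrypted, so a stolen table cannot be turned back into passwords that work elsewhere. This uses PBKDF2-HMAC-SHA256 from Python’s standard library; the iteration count, the hash string format and the login() flow are assumptions for the example.

```python
import base64
import hashlib
import hmac
import os

# Work factor for PBKDF2-HMAC-SHA256; 600,000 follows current OWASP guidance
# (assumed policy for this example). Raise it over time and let
# needs_rehash() upgrade old hashes the next time the customer logs in.
ITERATIONS = 600_000
SALT_BYTES = 16
KEY_BYTES = 32


def hash_password(password, iterations=ITERATIONS):
    """Return a self-describing hash string: algorithm$iterations$salt$key."""
    salt = os.urandom(SALT_BYTES)  # fresh random salt per password
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=KEY_BYTES)
    return "pbkdf2_sha256${}${}${}".format(
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(key).decode("ascii"),
    )


def _parse(stored):
    algo, iterations, salt_b64, key_b64 = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    return int(iterations), base64.b64decode(salt_b64), base64.b64decode(key_b64)


def verify_password(password, stored):
    """Recompute the key from the stored salt and compare in constant time."""
    try:
        iterations, salt, expected = _parse(stored)
    except ValueError:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=len(expected))
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored, iterations=ITERATIONS):
    """True if the stored hash uses a weaker work factor than the current policy."""
    try:
        stored_iterations, _, _ = _parse(stored)
    except ValueError:
        return True
    return stored_iterations < iterations


def login(stored, password):
    """Typical login flow: verify, then opportunistically upgrade the stored hash.

    Returns (ok, new_stored); new_stored is the value to write back, or None.
    """
    if not verify_password(password, stored):
        return False, None
    if needs_rehash(stored):
        return True, hash_password(password)
    return True, None


if __name__ == "__main__":
    stored = hash_password("correct horse battery staple")
    print(stored)
    print(login(stored, "correct horse battery staple"))
    print(login(stored, "wrong password"))
```

The point of storing the iteration count alongside the hash is that the policy can be tightened later without forcing a password reset: the next successful login recomputes the hash at the new cost and the old one is overwritten.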
Data Breaches and Notifications
GDPR requires organisations that suffer a personal data breach to notify their supervisory authority (the ICO in the UK) within 72 hours of becoming aware of it, unless the breach is unlikely to pose a risk to individuals, and to tell the affected customers without undue delay when it is likely to result in a high risk to them. This requires systems in place not only to detect breaches, but to identify who has been affected and inform them as soon as possible.
For larger databases this may be a tight deadline, but it is important customers are informed as soon as possible so they can take measures, such as changing passwords reused elsewhere, to limit the impact of a breach.
Accessing, Exporting and Deleting Data
Where a customer asks a company for all the data it holds on them, the request should be completed as soon as possible, and within one month at the latest. This requires data to be readily available to access, export and, if necessary, delete.
Many stores will have automatic processes for storing data and using it when various parts of a website need it. Whoever is in charge of data protection should be able to find every place a customer’s data lives (orders, accounts, analytics, email lists, backups, third-party tools) so they can export it in a structured, machine-readable format or take the steps to remove it.
Not being able to remove, or even provide, the data may put your company in breach of GDPR.
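The retention periods from the Data Collection section and the export and erasure requests described here both come down to the same thing: knowing every table a customer appears in. Here is one added example (constructed for this article, not the original page’s code) that does both against an in-memory SQLite store: a retention job that purges abandoned carts and visit logs past their assumed retention periods, a subject access export that gathers every row about one customer into JSON-ready dicts, and an erasure that deletes the person but keeps order totals pseudonymised, on the assumption that accounting records must be retained. The schema, the sample rows, the fixed clock and the retention days are all made up for the example.

```python
import json
import sqlite3
from datetime import datetime, timedelta, timezone

# Assumed retention policy: table -> (timestamp column, days to keep).
# Orders are deliberately absent: financial records have their own legal
# retention period and are pseudonymised on erasure rather than deleted.
RETENTION = {
    "abandoned_carts": ("updated_at", 90),
    "site_visits": ("visited_at", 180),
}
NOW = datetime(2018, 5, 25, tzinfo=timezone.utc)  # fixed clock so the example is reproducible

SCHEMA = """
CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, name TEXT, phone TEXT, created_at TEXT);
CREATE TABLE orders (id INTEGER PRIMARY KEY, customer_id INTEGER, total_pence INTEGER, placed_at TEXT);
CREATE TABLE abandoned_carts (id INTEGER PRIMARY KEY, customer_id INTEGER, items TEXT, updated_at TEXT);
CREATE TABLE site_visits (id INTEGER PRIMARY KEY, customer_id INTEGER, page TEXT, visited_at TEXT);
"""


def open_store(now=NOW):
    """In-memory store seeded with constructed rows for one fictional customer."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    old = (now - timedelta(days=400)).isoformat()
    recent = (now - timedelta(days=10)).isoformat()
    db.execute("INSERT INTO customers VALUES (1, 'ann@example.org', 'Ann Example', '+44 7700 900000', ?)", (old,))
    db.execute("INSERT INTO orders VALUES (10, 1, 2499, ?)", (recent,))
    db.execute("INSERT INTO abandoned_carts VALUES (20, 1, '[\"laptop-case\"]', ?)", (old,))
    db.execute("INSERT INTO abandoned_carts VALUES (21, 1, '[\"mouse\"]', ?)", (recent,))
    db.execute("INSERT INTO site_visits VALUES (30, 1, '/laptops', ?)", (old,))
    db.commit()
    return db


def purge_expired(db, now=NOW):
    """Storage limitation: delete rows older than their table's retention period."""
    deleted = {}
    for table, (column, days) in RETENTION.items():
        cutoff = (now - timedelta(days=days)).isoformat()
        # table and column names come from the policy dict above, never from user input
        cur = db.execute(f"DELETE FROM {table} WHERE {column} < ?", (cutoff,))
        deleted[table] = cur.rowcount
    db.commit()
    return deleted


def export_customer(db, customer_id):
    """Subject access / portability: everything held about one customer, per table."""
    out = {}
    for table in ("customers", "orders", "abandoned_carts", "site_visits"):
        key = "id" if table == "customers" else "customer_id"
        cur = db.execute(f"SELECT * FROM {table} WHERE {key} = ?", (customer_id,))
        columns = [d[0] for d in cur.description]
        out[table] = [dict(zip(columns, row)) for row in cur.fetchall()]
    return out


def erase_customer(db, customer_id):
    """Erasure: delete identifying and behavioural data; unlink (pseudonymise)
    orders so the accounting record survives without pointing at a person."""
    db.execute("DELETE FROM abandoned_carts WHERE customer_id = ?", (customer_id,))
    db.execute("DELETE FROM site_visits WHERE customer_id = ?", (customer_id,))
    db.execute("UPDATE orders SET customer_id = NULL WHERE customer_id = ?", (customer_id,))
    db.execute("DELETE FROM customers WHERE id = ?", (customer_id,))
    db.commit()
    return export_customer(db, customer_id)  # should now be empty for every table


if __name__ == "__main__":
    db = open_store()
    print("purged:", purge_expired(db))
    print(json.dumps(export_customer(db, 1), indent=2))
    print("after erasure:", erase_customer(db, 1))
```

Two design points carry over to a real store. The retention policy is a single table-driven list, so adding a new data store (an email log, a reviews table) means adding one line rather than a new cron job; and erase_customer() returns the post-erasure export so the person handling the request can check, and keep as evidence, that nothing identifying remains.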
Using Plugins and Extensions
All open source platforms offer extensions and plugins that extend their functionality. These are usually created by developers outside the company that built the platform, to solve a particular problem.
While they can be useful, it is essential you review them before GDPR comes into play. Even if your own website conforms to the regulations, extensions and plugins may not. The questions to ask are: what data do they have access to, where do they send it, and if they do have access, are they also compliant with GDPR?
Many of the more established extensions will be well ahead and will have made sure they are compliant when the law comes in, but not all. So it is worth doing a thorough audit of every tool your site uses.
Once you have decided which tools to keep, it’s vital that they are regularly updated. Many of the most popular extensions release updates to provide security patches and keep them safe from known exploits. Running an old version can leave the site vulnerable, which is likely to be flagged as a problem if your site is audited after a data breach.
Email Marketing and Remarketing
How we as businesses use information to target previous customers has been scrutinised in the past, but with GDPR there are strict processes to follow. Again, consent is central. GDPR does not name double opt-in, but it does require you to be able to demonstrate that consent was given, and a double opt-in (two confirmations by the customer that they want to receive information) is the standard way to evidence it. This usually takes the form of an unticked checkbox, followed by a confirmation email containing a link the customer must click.
It’s important to bear in mind that historical records without evidence of a clear opt-in may be unsuitable for campaigns after 25 May. However, that doesn’t mean they are lost for good. Competitions and incentives are a good way of encouraging people to confirm their interest before the law comes in. For example, offering 10% off the next order, or a competition to win a holiday, to people who update their preferences could salvage a large part of your remarketing list.
Eon has recently made sure to ask again when customers log in. This may be in reaction to GDPR, or it may be to gather more evidence of opting in from an existing customer database.
As mentioned earlier regarding consent, a pre-ticked box does not constitute consent: GDPR requires a clear affirmative action by the customer. Those awkwardly worded double negatives underneath tick boxes (“I do not confirm that I do not wish to be emailed by third parties in the future”, or something along those lines) are unlikely to count as consent either, because consent has to be unambiguous.
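Here is an added worked example of the double opt-in and the evidence it should leave behind (example code written for this article, not from Eon, Sainsbury’s or any platform mentioned). The checkbox submission creates a consent record and an HMAC-signed confirmation token; only a valid, unexpired token for that address marks the record confirmed, and nothing is sent to an unconfirmed address. The signing secret, the 48-hour link lifetime and the field names are assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

# Assumed: a real deployment loads this from a secrets store. Generating it per
# process means outstanding confirmation links stop working on restart.
SECRET = secrets.token_bytes(32)
TOKEN_TTL = 48 * 3600  # confirmation links expire after two days (assumed policy)


def make_confirm_token(email, issued_at):
    """HMAC-signed token binding the address to the time the box was ticked."""
    sig = hmac.new(SECRET, f"{email}|{issued_at}".encode("utf-8"), hashlib.sha256).hexdigest()
    return f"{issued_at}.{sig}"


def verify_confirm_token(email, token, now):
    """True only if the signature matches this address and the link has not expired."""
    try:
        issued_str, sig = token.split(".", 1)
        issued_at = int(issued_str)
    except ValueError:
        return False
    if issued_at > now or now - issued_at > TOKEN_TTL:
        return False
    expected = hmac.new(SECRET, f"{email}|{issued_at}".encode("utf-8"), hashlib.sha256).hexdigest()
    return hmac.compare_digest(sig, expected)


@dataclass
class ConsentRecord:
    """What you keep as evidence: when, the exact wording shown, and the confirmation."""
    email: str
    ticked_at: int
    form_wording: str
    confirmed_at: Optional[int] = None
    confirm_ip: Optional[str] = None


class MailingList:
    def __init__(self):
        self.records = {}

    def request_signup(self, email, box_ticked, form_wording, now):
        """Step 1, the checkbox. Returns the token to put in the confirmation
        email, or None. The server only sees the submitted value, so the form
        must render the box unticked; this check refuses a missing or false
        value rather than treating absence as agreement."""
        if not box_ticked:
            return None
        self.records[email] = ConsentRecord(email, now, form_wording)
        return make_confirm_token(email, now)

    def confirm(self, email, token, client_ip, now):
        """Step 2, the link in the email. Only a valid, unexpired token for this
        address completes the opt-in; the time and source IP are recorded."""
        record = self.records.get(email)
        if record is None or not verify_confirm_token(email, token, now):
            return False
        record.confirmed_at = now
        record.confirm_ip = client_ip
        return True

    def may_email(self, email):
        """The send path checks this, never the raw checkbox value."""
        record = self.records.get(email)
        return record is not None and record.confirmed_at is not None


if __name__ == "__main__":
    ml = MailingList()
    token = ml.request_signup("ann@example.org", True, "Yes, email me offers from the store", 1_527_000_000)
    print("token for the email link:", token)
    print("confirmed:", ml.confirm("ann@example.org", token, "203.0.113.5", 1_527_003_600))
    print("may email:", ml.may_email("ann@example.org"), ml.records["ann@example.org"])
```

Keeping the wording of the form alongside the timestamps is what lets you answer the question a regulator actually asks: not just whether the customer ticked a box, but what they were agreeing to when they did.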
There are many things to consider when preparing for GDPR. Remember that the vast majority of the rules are designed to protect consumers, and if your company is transparent and honest about the data you collect and what you use it for, you are less likely to fall foul of the law. As with anything, it’s better to be proactive about the new law than reactive after it comes into play. So speak to someone and get some advice beforehand. Our team will be happy to discuss the common issues business owners are likely to face, so pick up the phone or send us an email.
Get in touch with the team to discuss GDPR regulations today