What Every Online Seller Needs To Know About GDPR
There’s been a lot of talk about GDPR coming into effect in May 2018, but if like many you’re not sure what exactly GDPR is, how it will impact your online business and what the implications are for failing to comply with the new regulations, we would urge you to read on.
So, what is GDPR?
As of Friday 25th May 2018, the GDPR, otherwise known as the EU General Data Protection Regulation, will replace the existing Data Protection Act.
Now here’s the important part – regardless of whether your business is based in the EU or not, if you have any European customers, this new data protection law will impact your business.
While I’ll get to the ‘how’ in a moment, it’s crucial to understand the ‘why’. The main purpose of this new law is to provide individuals with greater control over the security of their personal data.
As an eCommerce retailer, you deal with personal data all the time – contact names, email addresses, physical addresses, card details, right through to information on web browsing – and as such, you will be required to change the way you collect, manage and process data of this kind under this new legislation. Failing to comply can result in some heavy penalties – as much as £17M or 4% of your company’s global turnover.
If you’re thinking this seems quite excessive, there are a few reasons that have led to the creation of the GDPR that are worth understanding:
- Personal data falling into the wrong hands
- Misuse of personal data
- Low-level regulation at present
The GDPR’s main purpose, however, is to ensure that all personal data is provided consensually.
Understanding the difference between a Data Subject, Controller and Processor.
Before anything else, you should be aware of the common terminology used when discussing the GDPR.
Data Subject: The person providing their personal data, in this case the potential or existing customer
Data Controller: The business providing goods or services that will state how and why the user’s personal data will be used, and will ultimately be responsible for the storage and use of the data
Data Processor: This would be any third-party suppliers such as Linnworks, your eCommerce platform, email marketing system, shipping provider and so on.
GDPR – The key things you need to know as an online seller.
While you can view the entire document here, you’ll be forgiven for not wanting to read all 88 pages of the GDPR, which is why we’ve covered some of the key themes and most relevant points for eCommerce brands.
Please do keep in mind that while we have aimed to provide you with as much information and advice as possible, based on how we interpret the GDPR at Linnworks, every business is different and we would urge you to consult a lawyer for legal advice to ensure you are fully compliant.
So, here’s what you need to know…
Enhanced rights for individuals.
Given that the GDPR sets out to give individuals (in this case your existing and potential customers) greater control over their personal data, it will help to understand the specific ‘rights’ they will have as of 25th May 2018, and more specifically what you need to prepare for.
- The right to be informed
Whatever your reason is for requesting a contact’s information, you will be required to tell them this reason, as well as details about how you will process and store this data.
A great example of how you can do this is through the use of a real-time privacy notice, a method advocated by the ICO.
As you can see from the example below, you should display relevant information in a pop-up style format, as and when a user engages with a particular data field.
One of the main challenges you will be faced with is deciding how to comply with the GDPR, all the while displaying necessary information in a way that doesn’t negatively impact user experience.
In addition to using real-time privacy notices, you should also consider the use of a layered approach. Layering specifically enables users to access key information, with the option to dive deeper if required.
The example used below from the ICO uses three layers; the first being a headline question, the second being collapsible information and the third being a hyperlink to the relevant section of a full privacy policy.
- The right of access
In addition to knowing the reasoning behind you needing their personal data, users who share their information with you will also have the right to access this data at any time.
Should someone request this data, you will have one month to provide them with a copy of this information, free of charge.
For more information about this, including details about exceptions to the rules, we would recommend that you have a read of this.
- The right to rectification
Your contacts will also be able to amend/update the information you hold on them at any point. A request of this kind would typically occur if their personal data is inaccurate or incomplete, but if it does you will also have one month to respond to this request. Again, for further details about this, make sure you consult the ICO’s guide.
- The right to erasure
It’s never ideal when someone asks you to remove them from your database, but with this new ‘right to erasure’– also referred to as the ‘right to be forgotten’ – this is something you will need to do if a customer requests the deletion and removal of their personal data.
- The right to restrict processing
Rather than requesting the deletion of personal data, your customers also have the right to block/suppress the processing of their personal data.
In this situation, you will be permitted to store their data, but not process it further.
For more information on this, have a read of this guide.
- The right to data portability
This essentially enables users to move, copy or transfer their personal data to another service or retailer in a safe way, without impacting usability. Unfortunately, this can include the buyer profiles you’ve built up for them.
But how do you prepare for this?
Realistically, you and your team will need to know how to locate and export all relevant data in a structured, machine-readable format.
While you can learn more about complying with this particular right here, one other thing to keep in mind is that this can in fact be an opportunity. Think about it. If a new customer comes to you with their “retail back stories” from other retailers, you immediately have insight into their preferences.
- The right to object
In an eCommerce scenario, the right to object could mean a user refusing to be profiled for direct marketing purposes, such as behavioural advertising. Another example would be a user objecting to their data being processed for research purposes.
- Rights related to automated decision making and profiling
The GDPR further applies to all automated individual decision making and profiling, both of which require consent from the user.
With many online stores now using complex data automation processes to personalise the user experience, thanks to cookies and IP addresses, this is something that you will need to acknowledge.
Merely tracking a website visitor on your website does not constitute profiling, but using this data to evaluate their behaviour and personal preferences does.
For more guidance on how to comply, have a read of these guidelines.
New regulations for obtaining consent
The need to acquire personal data is fundamental for any online business. After all, without your customers’ contact and payment details, you’ll struggle to make a sale.
As an online seller, it is crucial that you’re not only aware of the GDPR’s regulations surrounding how you obtain, process and handle your customers’ data (whether they are potential or existing customers), but also that you’re acting on them ahead of May.
While you can read more about consent here, a few key things you need to comply with include the fact that:
- Consent must be freely given, specific, informed and unambiguous
Any person sharing their personal data with you should have no doubt as to how their data will be handled and processed, and even why their data is necessary.
This means that when requesting consent, the wording should be clear, concise, easy to access and clearly distinguishable as a request for consent.
As I mentioned in the ‘right to be informed’ section, a great way to do this is through the use of a ‘real-time privacy notice’, whereby the user is provided with an explanation of why and how their information will be used.
- Individuals must actively opt-in
If you currently use pre-ticked opt-in boxes (similar to the example below), whether that be for agreeing to terms and conditions, subscribing to your mailing list, agreeing for information to be shared with a third-party, or anything else for that matter, this is something that you will need to change promptly.
The simple reason for this is because under the GDPR’s regulations, ‘silence’ does not constitute consent.
Instead, your customers will need to provide consent through a statement or clear affirmative action, i.e. by actively ticking an opt-in box themselves.
- Consent must be separate from other Terms and Conditions, and it should not be a precondition of signing up to your service
Going forward, users must be able to accept your terms and conditions separately from providing consent. Making it a prerequisite that a user consents to subscribing to your newsletter or any other service, simply by accepting your T&Cs, will no longer be acceptable.
In order to comply with the GDPR, you will be required to provide users with a separate opt-in box/option for agreeing to your terms and conditions, similar to the ICO’s example below.
- Allow users to consent separately for different services
You will no longer be able to use a single opt-in box for instances where data processing has multiple purposes. Instead, consent for different services will need to be ‘unbundled’.
If, for instance, you provide users with the option to consent to being contacted via multiple services – post, email, telephone, SMS etc. – you will need to ensure that they can consent to each separately.
The example below highlights the ICO’s recommended way to use opt-in boxes for these situations.
- You are required to name any third parties who will rely on the consent
Now this is incredibly important. As an online retailer, it is extremely likely that you share your customers’ personal data with numerous third parties – your CRM provider, email marketing software, inventory management system, eCommerce platform, payment processing provider, marketing agency, advertising service such as Google, and so on.
Under the GDPR, you will now be required to be explicitly clear as to who these third parties are that will have access to your customers’ data, with a further explanation of the reasoning behind this.
- You must make it abundantly clear that your customers have the right to withdraw their consent at any time, while detailing how they can do this
With the right to erasure being a fundamental part of the GDPR, it is crucial that you know how to handle any requests.
- You must make it as easy for customers to withdraw as it was for them to consent
Following on from the point above, the process a customer goes through to withdraw their consent and ultimately request to be erased from your system, should be as straightforward as it was for them to consent in the first place.
While the GDPR sets a high standard for consent, it’s worth keeping in mind that it puts your customers in control, which can in-turn build trust and help to enhance your brand’s reputation.
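The consent rules listed above (active opt-in only, one box per purpose, named third parties, withdrawal as easy as consenting, and a dated record you can point to as proof of consent) translate into a small consent ledger. The following is an added example, not Linnworks code; the purposes, vendor names and notice versions are constructed, and the export method also serves the data portability point made earlier.

```python
"""Consent ledger for the rules above: opt-in only, unbundled purposes, named
third parties, easy withdrawal, dated proof. Added example, not Linnworks code."""
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
import json
# One opt-in box per purpose, naming the third parties relying on it (constructed names).
PURPOSES = {
    "email_marketing": ["ExampleMail"],
    "sms_marketing": ["ExampleSMS"],
    "profiling": ["ExampleAds"],
}

@dataclass
class ConsentRecord:
    purpose: str
    given_at: str            # UTC timestamp: the proof that consent was given
    notice_version: str      # which privacy notice the subject saw
    third_parties: list
    withdrawn_at: str = ""   # empty until the subject withdraws

class ConsentLedger:
    def __init__(self):
        self._records = {}   # subject id -> {purpose: ConsentRecord}

    def apply_form(self, subject, form, notice_version):
        """Record consent only for boxes the subject ticked. Boxes must be
        rendered unticked; an unticked box neither grants nor withdraws."""
        granted = 0
        for purpose, ticked in form.items():
            if purpose not in PURPOSES:
                raise ValueError(f"unknown purpose {purpose!r}")
            if ticked:
                stamp = datetime.now(timezone.utc).isoformat()
                rec = ConsentRecord(purpose, stamp, notice_version, PURPOSES[purpose])
                self._records.setdefault(subject, {})[purpose] = rec
                granted += 1
        return granted

    def withdraw(self, subject, purpose):
        """One call, no hoops: withdrawing is as easy as consenting."""
        rec = self._records.get(subject, {}).get(purpose)
        if rec is None or rec.withdrawn_at:
            return False
        rec.withdrawn_at = datetime.now(timezone.utc).isoformat()
        return True

    def may_process(self, subject, purpose):
        rec = self._records.get(subject, {}).get(purpose)
        return rec is not None and not rec.withdrawn_at

    def export(self, subject):
        """Structured, machine-readable copy for access and portability requests."""
        recs = self._records.get(subject, {})
        return json.dumps({p: asdict(r) for p, r in recs.items()}, indent=2)
```

Every processing decision goes through `may_process`, so a withdrawn purpose stops being used immediately while the dated record remains as evidence of what was consented to and when.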
Privacy By Design.
Privacy by design requires data protection to be at the forefront of design, as opposed to merely being an afterthought.
This ties into the requirement for you to explicitly state what happens to your customers’ data, including where it is sent and who is responsible for storing and processing it, anywhere on your website where you request consent.
A key example would be your checkout process. Consider updating both your basket and payment pages to provide clear statements detailing which payment gateway provider will process the customer’s payment and how their personal details – payment details, email address and contact details such as their physical address – will be processed and stored.
To help you get a better understanding of privacy by design and how it impacts your business, we have outlined 7 Principles of Privacy by Design.
1. Proactive not reactive
This specifically refers to the fact that you should consider data privacy at the start of the data security planning process, as opposed to merely after a data breach.
Ultimately, privacy should be at the core of everything you do, ensuring you have preventative measures in place for avoiding a data breach altogether.
2. Privacy by default
Personal data should automatically be protected within the system by default and the customer should not be required to complete any action in order to protect their privacy.
On top of this, data minimisation should be a huge consideration and you should only seek to obtain data that you will actually process. This is also supported by the fact that you will need to detail why you’re requesting specific data. So, if you have no valid reason for obtaining a customer’s phone number, don’t ask for it.
3. Privacy embedded into design
Data security techniques such as encryption and authentication shouldn’t be put on the backburner and should instead be a key consideration for your business.
4. Full functionality
Privacy by design should at no point compromise your business goals. In other words, you can have privacy, revenue and growth without sacrificing one for another.
5. End-to-end security
Again, you should use appropriate encryption and authentication processes to protect your consumers’ personal data at all points.
6. Visibility and transparency
Clearly communicating your privacy practices not only complies with the GDPR’s regulations, but also helps to establish trust with your customers.
7. Respect for user privacy
You should make it abundantly clear that your customers own their data. This essentially means that you must provide these consumers with the control to not only correct their own data so that it is accurate, but also ensure that they are the only ones who can grant and revoke consent on the use of this data.
Data Breach Notifications.
In the event of a data breach happening, it is your duty as the data controller to report this to the relevant supervisory authority within 72 hours of becoming aware of the breach. If the report cannot be made within that window, it should also explain the reasons for the delay.
If the breach is deemed as a high risk to the individuals’ rights and freedoms, you will also be required to inform them in the same 72-hour window.
How does the GDPR affect you when selling through an online marketplace?
If you sell solely through an online marketplace, don’t handle your customers’ data and take payment through a service such as PayPal, chances are you won’t be affected by the GDPR. This is because it’ll be down to the marketplace and payment provider to keep the customer’s data secure.
That said, we would advise that you consult directly with your online marketplace(s).
Next steps for eCommerce brands.
Make sure that you’re completing the following steps as soon as possible.
- Review your existing processes for collecting, handling and processing personal data
- Conduct a complete audit of all current consent forms and privacy notices that you use for your eCommerce business and make sure that they comply with GDPR standards
- Ensure that your data is accessible and that your customer service team are equipped to handle requests for the deletion, rectification and/or transfer of a customer’s personal data – you may benefit from creating template response emails
- List all of the third-party suppliers that will have access to your customers’ personal data and assess their own security compliance processes
- Update all relevant pages on your website and app, to provide clear statements as to which third parties (e.g. your payment processing provider) will have access to the customer’s data, further specifying what that data is, the reasons they will have access and how they will process and store this data
- Deactivate any default opt-ins
- Ensure any requests for data are unbundled and comply with the GDPR’s regulations surrounding consent
- Review the personal data you currently store for existing customers, past customers and other contacts, and if you can’t provide proof of consent, consider carrying out a re-permission campaign (as a rule of thumb, if someone hasn’t purchased from you for 1-2 years, it is recommended that you delete their data)
- Make sure you have the right processes in place to detect, report and investigate any data breaches within the required 72-hour period
- Conduct a data protection assessment
While the new GDPR regulations will create challenges for your company, they do actually open up more opportunities for your business, by giving you the chance to optimise your processes and the ways in which you interact with your customers.
To find out how Linnworks is complying with the GDPR and better understand the changes we are making to our functionality to support our customers with this new legislation, have a read of this article.