What does it mean for ecommerce?
Data Processing and Consent
Databoxer, the one-click GDPR compliance platform, says:
Any touchpoint at which data is collected needs to be:
Unbundled. Data needs to be asked for separately for each purpose. A name and address can be ‘bundled’ for the single purpose of delivering something, but you can’t sneak a date of birth into that bundle, as it’s not relevant to the purpose.
Opt-in. For each purpose, informed consent must be actively given. No more pre-ticked boxes which customers need to spot and untick to protect their data.
Granular. If a piece of data is intended for multiple purposes, consent needs to be given for each purpose.
Named. Customers need to be aware of everyone who will be using, relying on, or otherwise benefiting from the data.
Documented. You need to keep records of what data has been consented to, as well as how and when that consent was given.
If this seems excessive for each item of data you hold, consider how much of that data you really need to enable your business to function. Strip back the information you collect, streamlining your data handling and providing a more focused, less bloated service.
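As an added illustration (not Databoxer's code or tooling), the following Python sketch enforces the five rules above on a consent form submission: each purpose is consented to separately, the default is no consent, only fields relevant to that purpose may be collected under it, the named recipients are attached to the record, and the method and time of consent are stored. The purpose catalogue and the party names are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed purpose catalogue (hypothetical): which fields each purpose may
# legitimately ask for (Unbundled) and who will receive the data (Named).
PURPOSES = {
    "delivery": {"fields": {"name", "address"},
                 "recipients": ("Example Shop Ltd", "Example Courier Co")},
    "newsletter": {"fields": {"email"},
                   "recipients": ("Example Shop Ltd", "Example Mail Provider")},
}


@dataclass(frozen=True)
class ConsentRecord:
    """One record per purpose: what was consented to, by whom, how and when."""
    purpose: str
    fields: frozenset
    recipients: tuple
    method: str      # e.g. "checkout form", "account signup"
    given_at: str    # ISO 8601 UTC timestamp


def record_consent(submission, method, now=None):
    """Validate a form submission and return the consent records to store.

    `submission` maps purpose -> {"granted": bool, "fields": set of field names}.
    A purpose that is missing or has granted=False produces no record (Opt-in:
    absence of a tick is never consent). Irrelevant fields raise ValueError.
    """
    now = now or datetime.now(timezone.utc)
    records = []
    for purpose, entry in submission.items():           # Granular: per purpose
        spec = PURPOSES.get(purpose)
        if spec is None:
            raise ValueError(f"unknown purpose: {purpose}")
        if entry.get("granted", False) is not True:       # Opt-in: explicit only
            continue
        extra = set(entry.get("fields", ())) - spec["fields"]
        if extra:                                         # Unbundled
            raise ValueError(f"{purpose}: irrelevant fields bundled: {sorted(extra)}")
        records.append(ConsentRecord(                     # Documented + Named
            purpose, frozenset(entry["fields"]), spec["recipients"],
            method, now.isoformat()))
    return records
```

Persist the returned records alongside the customer account; they are the evidence that consent was given, for what, and when.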
To meet Google’s Webmaster Guidelines, ecommerce websites should have full HTTPS coverage across the whole site, not just the checkout and My Account pages. This now also falls within the scope of GDPR, because websites that use HTTPS send data over an encrypted connection, so you could say that if your whole website is served over HTTPS with a valid SSL certificate, you are on your way to GDPR compliance. You should also ensure that the database itself is encrypted, as the Magento CMS does.
Therefore, full HTTPS (instead of partial) is now important not only for SEO purposes, but also for GDPR.
Think about your third parties
Retailers must be aware of the third parties they use to power their website: everything from their CRM, emarketing database and retargeting tools to marketing content, for example any Vimeo or YouTube videos embedded on the website.
SiteImprove, who have built their own GDPR module, explains that:
“Having an embedded video on your website means that the website is not in control of the data gathered by the embedded resource. This policy highlights embedded YouTube videos on the site being checked.”
Policy Updates – start now!
What information is being collected?
Who is collecting it?
How is it collected?
Why is it being collected?
How will it be used?
Who will it be shared with?
What will be the effect of this on the individuals concerned?
Is the intended use likely to cause individuals to object or complain?
(Note, for the full detail on what information should be provided to the data subjects at the point of data collection, readers should check out article 13 of the GDPR, specifically paragraphs 1 and 2, summarised by the ICO here.)
Privacy by Design
For instance, a pop-up where the user is asked to exchange data for 10% off, or data collection points such as account creation. These areas now have to state clearly what the customer’s data will be used for, so start thinking about how this can be implemented on your website as early as possible. The sooner these small changes are implemented, the more you can reduce the cost of compliance and avoid the ‘last minute’ rush.
Here’s a fab example from the ICO showing how you can use a tooltip to show a ‘just in time’ privacy notice:
In short, we all are. The current maximum penalty from the ICO is £500,000. Under GDPR the maximum fine rises to €20m or 4% of worldwide turnover. It is imperative that agencies help to guide their clients on this topic, not only from a marketing and ecommerce standpoint but also in terms of how it will affect them on an ongoing basis.