The General Data Protection Regulation – commonly known as GDPR – comes into effect as of 25 May 2018. The European Union is enacting a set of strict laws to protect privacy across the EU.
Matt Hancock, the UK government’s secretary of state for digital, culture, media and sport, has said that the measures “are designed to support businesses in their use of data, and give consumers the confidence that their data is protected and those who misuse it will be held to account”.
The Digital Guardian has added: “All organisations, including small to medium-sized companies and large enterprises, must be aware of all GDPR requirements and be prepared to comply by May 2018.”
eCommerce websites will be significantly impacted by GDPR, so here’s what the top eCommerce platforms (Magento, Shopify, BigCommerce, WooCommerce and PrestaShop) are doing to get themselves ready for the new changes, and how those changes will affect not only the services they provide, but their customers too.
Magento and GDPR
Magento has been working hard to ensure that it is prepared for the GDPR changes by proactively probing and revising its policies, contracts and processes with regard to privacy and data protection. The platform has also been evaluating its products to help customers find out exactly what data is being retained by the platform and where it is being kept.
Magento is advising its customers to review any extensions that are linked with their accounts, because Magento extensions are augmented by third parties. In order to be fully GDPR-compliant, Magento has also encouraged its customers to check all of their services and contracts linked to third-party organisations.
Shopify and GDPR
Like Magento, Shopify has also reviewed how GDPR affects its platform. It has disclosed that its services will not be altered, but the way that these services will be provided will be different.
Shopify will be affected by GDPR in three ways:
- Its privacy team will be re-organised to adequately document and keep record of the privacy-related decisions made by the platform, so that it will be fully accountable for its privacy practices
- Shopify will have to make and receive confirmed contractual commitments with its merchants when using a third-party subprocessor to provide its services
- The platform will have to ensure that it is able to heed the rights of all European merchants and customers when it comes to their personal data
WooCommerce and GDPR
WooCommerce has been heavily discussing the oncoming effects of GDPR over the last few months. To help its customers get ready for GDPR, the platform has provided information about the new rules, alongside its GDPR plans.
WooCommerce will be obligated to tell users what the platform is, why it is collecting data, who will receive the data and for how long. It has also been informed that it has to get clear consent before receiving any data, and let WooCommerce users access or delete data too. Customers will also have to be informed if data breaches occur.
WooCommerce has also recommended that its shop owners find out what they need to do to be GDPR-compliant, as there isn’t a one-size-fits-all approach.
BigCommerce and GDPR
BigCommerce says that it is “working hard to meet and exceed the privacy standards required by the GDPR”. In the meantime, the company’s director of information security, Christopher Beckett, has provided a comprehensive list of tips for building a GDPR-compliant business.
These recommendations include appointing a single employee within the organisation as a data protection leader, creating an inventory of data processing activities, and updating privacy notices to “be transparent and specific”. The article also informs customers that, under the GDPR, they have an obligation to disclose any breaches to the supervisory authority as soon as possible, at the latest within 72 hours.
PrestaShop and GDPR
PrestaShop hasn’t revealed too much about its plans regarding the GDPR, but has advised its customers to review and prepare their websites and plugins in compliance with the regulations.
The platform has also made the GDPR Suite Module available from its store to assist compliance. Released as an early version, the module offers a limited number of features including a customer data removal request and a customer personal data request, with email notifications to the store admin when a new request is created. The module also facilitates the manual administration of requests in back-office, although PrestaShop has warned that administrators will have to collect and purge data manually.
Meanwhile, PrestaChamps have published a page explaining the GDPR and the importance of complying with the new rules.
GDPR: what do I need to do?
With just over a month to go until GDPR’s implementation date, Tillison Consulting spoke to three leading influencers about what you need to do to prepare for the new regulation.
Alex Pavlović, marketing executive at Qualsys, says: “In terms of preparing for GDPR, the big ‘to do’ is understanding exactly what the regulation means for businesses. Even those businesses already complying with the Data Protection Act will have to make changes to their data management policies to avoid the heavy fines – €20m or 4% of annual turnover, whichever is greater – which GDPR can enforce.
“For instance, after 25 May, subject access requests must be granted free of charge within 30 days, data breaches must be reported to the ICO within 72 hours, the ‘right to erasure’ must be granted, and data collection must have an opt-in option. Businesses need to consider how they are prepared to meet each of these specific requirements.”
How should businesses prepare for GDPR?
Izaak Crook, digital marketing executive at AppInstitute, says: “Start off by running a full data audit. It sounds daunting but this is an essential part of the process. Look into how you collected personal data, why you originally collected it, why you are still processing it and whether you still need it.
“Is the data secure? It should be encrypted and only accessible by people who understand the requirements of the GDPR. And have you ever shared the data with a third party? You need to ensure they are compliant with GDPR, and that the person whose data it is knows it’s been shared, why it’s been shared and who with.”
“Companies preparing for GDPR need to vet their data management carefully,” says Alex. “This means completing a privacy impact assessment: an in-depth examination of how data is transferred, processed, stored and organised within the business, to identify and mitigate potential risks to personal data.
“Qualsys recommends paying close attention to your ‘information assets’ and recording them in an information asset register (IAR) and data processing register (DPR). This allows businesses to pinpoint exactly where their data is stored, so they can focus their GDPR compliance accordingly. Outlining your commitment to compliance with a public GDPR statement is a good idea for reassuring your customers too.”
Update: If you use Google Analytics to understand how users behave on your website, check out our step-by-step guide to manage your DPA details in Google Analytics.
What does GDPR mean for email marketing?
Tim Watson at Zettasphere believes: “Going forwards, GDPR perhaps impacts email marketing less than other marketing channels, because email has been permission-based for more than 15 years already. GDPR does bring a higher standard so that previous practices to trick people into permission are no longer acceptable. That’s not such a bad thing.
“For many brands, their current in-house list growth methods – such as using sign up forms and data capture during a transaction process – are not heavily impacted, but they need to check that these processes meet the standards of GDPR.”
Tim says that when asking for consent, you should check your current forms meet the following criteria:
- Consent isn’t bundled with other T&Cs – it must stand alone
- Records are kept of how and when consent was captured
- The information provided at time of capture is recorded for audit purposes
- Consent must be freely given
- The person must be informed about their choice, and what is being consented to must be specific
- Consent requires a positive affirmative action, which means no use of pre-ticked boxes. Though that doesn’t mean a default to no consent should be used, as this opt-in data shows
He adds: “During a transaction or checkout process, brands may decide to get affirmative consent and the above criteria apply. The alternative is to use soft opt-in and rely on legitimate interest for GDPR. There is new guidance from the ICO on this.”
In the case of soft opt-in, you’ll still need to meet many of the same criteria as for affirmative consent:
- There is the ability to opt-out at the time of capture and on all communication
- It is not bundled and the customer is not disadvantaged by opting-out
- The customer is well informed and information is specific
- Records are kept of how the data was captured
- The information provided at time of capture is recorded for audit
Tim argues that the biggest impact for email marketing is legacy databases: “Storage and processing of existing data needs to meet the GDPR standards – that means it must have been captured as if GDPR had always existed. For example, brands without records of how and where each email address was captured will find it very hard to meet the GDPR criteria and need to re-permission their database before 25 May.
“Remember that you must still comply with Privacy and Electronic Communications Regulations (PECR) when sending emails for re-permission.”
What should be on a typical GDPR eCommerce checklist?
Alex says: “Any eCommerce business looking to comply with GDPR should follow a checklist like this:
- Are our data controllers and processors documenting how they manage and store data, in accordance with Article 30 of the GDPR?
- Have we performed an information audit to find out what personal data our company holds about our customers?
- Have we ensured all members of our email database have explicitly consented to receiving email messaging from us?
- Have we communicated and coordinated with everyone in our business for a complete picture of our processing activities?
- Have we reviewed our policies, procedures, contracts and agreements to address areas like retention, security and sharing of our customers’ data?”