The General Data Protection Regulation – commonly known as GDPR – comes into effect as of 25 May 2018. The European Union is enacting a set of strict laws to protect privacy across the EU.
Matt Hancock, the UK government’s secretary of state for digital, culture, media and sport, has said that the measures “are designed to support businesses in their use of data, and give consumers the confidence that their data is protected and those who misuse it will be held to account”.
The Digital Guardian has added: “All organisations, including small to medium-sized companies and large enterprises, must be aware of all GDPR requirements and be prepared to comply by May 2018.”
GDPR eCommerce websites will be significantly impacted, so here’s what the top eCommerce platforms (Magento, Shopify, BigCommerce, WooCommerce and PrestaShop) are doing to get themselves ready for the new changes, and how it will affect not only the services they provide, but their customers too.
Magento has been working hard to ensure that it is prepared for the GDPR changes by proactively probing and revising its policies, contracts and processes in regards to privacy and data protection. The platform has also been evaluating its products to assist customers in finding out what exact data is being retained by the platform and where it is being kept.
Magento is advising its customers to review any extensions that are linked with their accounts, due to Magento extensions being augmented by third parties. In order to be fully GDPR-compliant, Magento has also encouraged its customers to check all of their services and contracts linked to third-party organisations.
Like Magento, Shopify has also reviewed how GDPR affects its platform. It has disclosed that its services will not be altered, but the way that these services will be provided will be different.
GDPR Shopify will be affected in three ways:
WooCommerce has been heavily discussing the oncoming effects of GDPR over the last few months. To help its customers get ready for GDPR, the platform has provided information about the new rules, alongside WooCommerce GDPR plans.
WooCommerce will be obligated to tell users what the platform is, why it is collecting data, who will receive the data and for how long. It has also been informed that it has to get clear consent before receiving any data, and let WooCommerce users access or delete data too. Customers will also have to be informed if data breaches occur.
WooCommerce has also recommended that its shop owners find out what they need to do to be GDPR-compliant, as there isn’t a one-size-fits-all approach.
BigCommerce says that it is “working hard to meet and exceed the privacy standards required by the GDPR”. In the meantime, the company’s director of information security, Christopher Beckett, has provided a comprehensive list of tips for building a GDPR-compliant business.
These recommendations include appointing a single employee within the organisation as a data protection leader, creating an inventory of data processing activities, and updating privacy notices to “be transparent and specific”. The article also informs customers that, under the GDPR, they have an obligation to disclose any breaches to the supervisory authority as soon as possible, at the latest within 72 hours.
PrestaShop hasn’t revealed too much about its plans regarding the GDPR, but has advised its customers to review and prepare their websites and plugins in compliance with the regulations.
The platform has also made the GDPR Suite Module available from its store to assist compliance. Released as an early version, the module offers a limited number of features including a customer data removal request and a customer personal data request, with email notifications to the store admin when a new request is created. The module also facilitates the manual administration of requests in back-office, although PrestaShop has warned that administrators will have to collect and purge data manually.
Meanwhile, PrestaChamps have published a page explaining the GDPR and the importance of complying with the new rules.
With just over a month to go until GDPR’s implementation date, Tillison Consulting spoke to three leading influencers about what you need to do to prepare for the new regulation.
Alex Pavlović, marketing executive at Qualsys, says: “In terms of preparing for GDPR, the big ‘to do’ is understanding exactly what the regulation means for businesses. Even those businesses already complying with the Data Protection Act will have to make changes to their data management policies to avoid the heavy fines – €20m or 4% of annual turnover, whichever is greater – which GDPR can enforce.
“For instance, after 25 May, subject access requests must be granted free of charge within 30 days, data breaches must be reported to the ICO within 72 hours, the ‘right to erasure’ must be granted, and data collection must have an opt-in option. Businesses need to consider how they are prepared to meet each of these specific requirements.”
Izaak Crook, digital marketing executive at AppInstitute, says: “Start off by running a full data audit. It sounds daunting but this is an essential part of the process. Look into how you collected personal data, why you originally collected it, why you are still processing it and whether you still need it.‘Is the data secure? It should be encrypted and only accessible by people who understand the requirements of the GDPR. And have you ever shared the data with a third party? You need to ensure they are compliant with GDPR, and that the person whose data it is knows it’s been shared, why it’s been shared and who with.”
“Companies preparing for GDPR need to vet their data management carefully,” says Alex. “This means completing a privacy impact assessment: an in-depth examination of how data is transferred, processed, stored and organised within the business, to identify and mitigate potential risks to personal data.
“Qualsys recommends paying close attention to your ‘information assets’ and recording them in an information asset register (IAR) and data processing register (DPR). This allows businesses to pinpoint exactly where their data is stored, so they can focus their GDPR compliance accordingly. Outlining your commitment to compliance with a public GDPR statement is a good idea for reassuring your customers too.”
Update: If you use Google Analytics to understand how users behave on your website, check out our step-by-step guide to manage your DPA details in Google Analytics.
Tim Watson at Zettasphere believes: “Going forwards, GDPR perhaps impacts email marketing less than other marketing channels, because email has been permission-based for more than 15 years already. GDPR does bring a higher standard so that previous practices to trick people into permission are no longer acceptable. That’s not such a bad thing.
“For many brands, their current in-house list growth methods – such as using sign up forms and data capture during a transaction process – are not heavily impacted, but they need to check that these processes meet the standards of GDPR.”
Tim says that when asking for consent, you should check your current forms meet the following criteria:
He adds: “During a transaction or checkout process, brands may decide to get affirmative consent and the above criteria apply. The alternative is to use soft opt-in and rely on legitimate interest for GDPR. There is new guidance from the ICO on this.”
In the case of soft opt-in, you’ll still need to meet many of the same criteria as for affirmative consent:
Tim argues that the biggest impact for email marketing is legacy databases: “Storage and processing of existing data needs to meet the GDPR standards – that means it must have been captured as if GDPR had always existed. For example, brands without records of how and where each email address was capture will find it very hard to meet the GDPR criteria and need to re-permission their database before 25 May.
“Remember that you must still comply with Privacy and Electronic Communications Regulations (PECR) when sending emails for re-permission.”
Alex says: “Any eCommerce business looking to comply with GDPR should follow a checklist like this:
Your email address will not be published. Required fields are marked *
Save my name, email, and website in this browser for the next time I comment.
Get early access to latest news and monthly digital marketing tips for eCommerce