GDPR: Checkpoints for you

GDPR: Your Tool Kit for Compliance: Checkpoints for you

09 Feb 2023

Amal Johny

Business Analyst

In our first blog on GDPR we have discussed the importance of the regulation and the impact it has already created for businesses and customers. In this blog we will enlist the key checkpoints that eCommerce players must abide by while implementing GDPR.

Key checkpoints to ensure GDPR compliance are as follows;

1. Collect essential data only

Since protecting personal’s data is the watchword of GDPR, the best way for eCommerce businesses is not to collect unnecessary or useless data. For example, if the name of your shopper’s workplace does not matter in doing business, do not even ask. However, when you are asking for data that’s essential, ensure complete clarity by explaining how you will use the info in the terms and conditions and privacy policy sections. No less important is thoroughly documenting all data that you collect.

It is also important to skip unwanted fields. For example, if you don’t sell products that are illegal for children, do not ask for the users’ date of birth.

2. Clarity is king

Regulators love transparency so play by the book. Your privacy policy and terms & conditions should be easily visible on the site. Do not use small and unintelligible prints as it could make your situation worse in case of a data breach and result in greater penalty. Think of the following –

• Add “unsubscribe” button on the site beside “subscribe”
• Link terms and conditions page directly from the footer and also from privacy policy section
• If you have certified or verified processes show it off with flair
• Put Opt-out options, terms and conditions, privacy statements in the open

3. Make sure to get clear consent

GDPR mandates that consent should be “freely given, specific, informed and unambiguous.” (Ref 1) This means you cannot afford pre-ticked boxes or use assumptions. (Ref 2) Also, while asking for user consent, you must use simple language and stay away from using words that can be misread.

4.Have a dedicated data protection officer

Today, each eCommerce business must appoint a dedicated data protection (DPO) officer. Some of the responsibilities of the officer will be to implement the GDPR policies, supervise how your employees comply with the rules, train them on the right ways of processing personal data including email security, strong passwords, two-factor authentication, device encryption, and the use of virtual private networks (VPNs). The DPO will also answer questions when needed.

Moreover, every employee having the right to access stored and collected user information must follow strict GDPR rules. This also means, employees like janitors and office managers who do not have direct contact with customers should not have access to user databases. This will greatly address the data theft issue. Another effective way is to make your employees sign a non-disclosure agreement (NDA) not only to avoid data leaks but also to hold employees accountable in case of a data breach, be it intentional or carelessness.

5.GDPR is location agnostic

It’s pertinent to note that all ecommerce stores, selling goods and services to Europeans, must be GDPR-compliant. This means, irrespective of the geographical location of your company, you will need to be GDPR-compliant in order to cater to EU citizens. Moreover, for companies outside the EU, it is good to have a company representative in the EU and work with local authorities on the company’s behalf.

6.Change cookie policy

There has been a major change in cookies’ policy post GDPR law enforcement. Earlier content was sent to customers by default. They had to opt-out of receiving emails from businesses. Today, organizations need to put in place a double opt-in so that customers clearly understand what they are doing.

7. 3rd party services must also be GDPR-compliant

Art.6(1B) of the GDPR law (Ref 3)says, every single service provider of yours should also be compliant. Do check that all service providers – including payment processors and cloud services are also compliant.

8. Justify your data

There are five ways to justify the use of the data according to GDPR. They are –

• Processing data is essential for the contract
• Data must be processed to meet legal obligations
• Processing data might save a life
• The use of the data applies to one of the public interests
• There is a legitimate need in processing data

9. Keep record

Keep a record of the type of info you collect, its source, location of the data, people you share it with, and terms and duration of its use. To maintain accountability, keep detailed records of the data collection or produce other evidence of compliance that might be checked. Also, keep a record of all sub-processors involved in processing your users’ data and mention these sub-processors in your terms and conditions.

10. Report data breaches

Report data breaches involving personal data to the relevant authorities within 72 hours. Additionally, implement an effective procedure for handling data breaches.

In addition to the above mentioned points, here are some more points which will greatly help you to be GDPR complaint –

• Impact assessments – carry out a data protection impact assessment (Ref 4)-
• Analysis of personal data flow – analyze a list of all personal data you store and process.
• If you process personal data of children, you must verify their age and obtain consent for processing from a legal guardian.
• When you update your privacy policy, you must inform existing customers.
• Your company must regularly review data security policies for updates.
• Send only a recommended no. of two or three cart abandonment emails, as opposed to say 50 in 30 days. Usually, customers have a legitimate interest to hear from you about the abandoned cart for 2 or 3 times but not 50 times in 30 days.
• Send browse abandonment emails to customers who have consented to receive them.
• Have Data Processing Agreements (DPA) with the third parties involved in data processing.
• Separate the UK and EU customers versus the rest of the world and set the rules differently.
• Streamline your record deletion process.
• It is better to host your website inside the EU itself. Also, transfer data outside of the EU only to countries with a proper level of data protection.

The above GDPR checklist is just a guide. Each business will have specific GDPR requirements to comply with. This might sound daunting and it’s only human to get agitated at new rules and regulations. However, do rest assured that in addition to storing personal data more rigorously and ensuring a sturdy data control mechanism, there is nothing to be worried of. In fact, after four years of GDPR, a host of industry experts agree that the new law benefits businesses that comply with it.

Benefits of practicing GDPR compliance

1. Lessens scam issues

Scammers are a pain point for all legit eCommerce businesses. They always seem to find ways into the security systems and target customers with unbelievable offers that don’t exist and are highly unfeasible. This ruins the reputation of the ecommerce industry big time! GDPR has been successful to address this issue to a large extent by considerably building customer awareness which helps them to act consciously.

2. Saves marketing costs

It might sound surprising but GDPR can actually save you thousands of bucks in terms of marketing costs, if you play by the book. This is because, while complying with the law you will be only reaching out to customers who agree to share their data. Also, when your users are proactive, it indicates that they have some level of interest which you could use profitably. In case of email marketing this becomes particularly evident, as customers have to share their email ids in order to receive email offers.

3. Boosts customer trust and confidence

Flaunting your GDPR compliance is actually a great way to promote your ecommerce business. By declaring how robust your data protection policies are and how committed you are towards protecting your customers’ personal data, you are actually winning their confidence. A TechRepublic survey shows 47 percent of respondents are worried about their data being hacked. Hence, assuring a secure user experience will be widely endorsed. With Mozanta creating a GDPR compliant eCommerce store is seamlessly easy At Mozanta Technologies, we have successfully created multiple ecommerce websites for clients from across the globe. In the process we have diligently analyzed GDPR and developed practical solutions to deal with the challenges that the law poses on eCommerce players. If you have an eCommerce store and are looking to cater to the European market we are always happy to help you. At Mozanta, we duly follow the best practices. You can know more about our projects and works by exploring our website.

Conclusion

The GDPR is a critical piece of legislation in today’s online business context. This makes all eCommerce businesses who constantly deal with sensitive information and private data, subject to the regulations. eCommerce businesses will need to rightly implement GDPR to stay hassle free and win customer trust. That said, achieving GDPR compliance is not the easiest of tasks. However, when done in partnership with a skilled team of eCommerce solution providers, the job gets easier.

Ref:

• Ref: https://gdpr-info.eu/issues/consent/
• Ref: https://www.oberlo.in/blog/gdpr-compliance-ecommerce-shops
• Ref: https://www.verfacto.com/blog/ecommerce/gdpr/
• Ref: https://rubygarage.org/blog/gdpr-compliance-for-ecommerce-websites