The General Data Protection Regulation (GDPR) is soon to replace the EU Data Protection Directive, and aims to strengthen data protection for all individuals within the European Union. It’s due to come into force on 25th May 2018 – but we’d advise ecommerce companies to start preparing now if they aren’t already doing so. A recent survey carried out by the Direct Marketing Association found that only 54% of businesses expect to be compliant by the deadline. The rules are much stricter than the current law, so most companies have a lot of work to do to meet the new requirements for processing personal data. Many UK businesses are also struggling with the lack of clarity in the current guidelines. The Information Commissioner’s Office (ICO) was due to finalise the guidelines regarding consent last month; however, this has been held up by the General Election.
Although the GDPR has many of the same concepts and principles as the current Data Protection Act, there are some major changes. We’ve highlighted the key points for ecommerce companies to take into account.
Double Opt-In For Direct Marketing
The GDPR sets a high standard for obtaining consent. In order to sign up for marketing communications, prospects will need to submit their details and then confirm that it was their action in a follow-up email. Pre-ticked boxes and consent hidden in the Terms and Conditions will no longer suffice. Email providers such as MailChimp already help companies collect personal data correctly. Even so, some data may be gathered and stored from other sources such as business cards and networking.
Make sure you check your consent practices and your existing consents. The ICO requires organisations to “refresh consents if they don’t meet the GDPR standard.” Going forward, you’ll need to keep evidence of consent, including details of when consent was given by the individual and how it was obtained. Although the new rules for consent will have an impact on the amount of personal data you hold, it’s not all doom and gloom! In fact, it could help build customer trust and enhance your reputation.
Transparency of Data Usage
It’s more important than ever to be clear and specific about how your company intends to use the personal data it is given. The most common way to provide this information is in privacy notices (these can include privacy policies and messages throughout the site, such as tool-tips attached to online forms). Review your privacy notices and put a plan in place for any necessary changes. The ICO advises organisations to consider the following issues when planning a privacy notice:
- What information is being collected?
- Who is collecting it?
- How is it collected?
- Why is it being collected?
- How will it be used?
- Who will it be shared with?
- What will be the effect of this on the individuals concerned?
- Is the intended use likely to cause individuals to object or complain?
Although the current law already requires organisations to be clear about their use of personal data, the GDPR requires additional details. These include an explanation of your lawful basis for processing the data, your data retention periods and that individuals have a right to complain to the ICO if they think there is a problem with the way you are handling their data.
The Rights To Opt-Out
The GDPR gives EU citizens more control over the use of their personal data. This includes the ability to refuse profiling. If your profiling is done purely through cookies, it’s likely that site visitors are already able to opt out. However, you should verify that this is actually the case.
Also keep in mind that people who have previously given consent have the right to change their mind. Customers must be able to opt out easily if they no longer want to be contacted. Make sure that an appropriate long-term plan is put in place for the process of removing customer data.
Ecommerce businesses must make sure they have the correct procedures in place to detect, report and investigate a personal data breach. Some companies are already required to inform the ICO in the event of a personal data breach. However, the new guidelines state that all organisations must report to the ICO “where a breach is likely to result in a high risk to the rights and freedoms of individuals”. For example, it could lead to discrimination or loss of confidentiality. The GDPR states that you must report a data breach to regulatory bodies within 72 hours. Not only that, but in most cases it will also be the company’s duty to inform those concerned. Several recent personal data breaches have involved the retail industry, so it’s important that preventative measures are put in place. After all, the outcome wouldn’t only be a fine, but potentially bad press and the loss of customers.
Start Preparing Now
We will update our blog once the final guidelines have been made available by the ICO, so keep an eye out for that. In the meantime, you can still review your privacy notices and data processes and put a plan in place for making any necessary changes. Businesses should take the changes in the law seriously, as those who don’t comply risk being fined up to 4% of their annual turnover. Make sure all company staff members are aware of the GDPR and understand how personal data should be managed.