By now most retailers are familiar with the Data Protection requirements from 25th May 2018 and have made steps to ensure that their online stores follow their guidelines. Yet, there are some retailers that have had issues in this department and can be called on it with complaints by their users.
Consent by the user
The addition of re-selling or promoting to existing purchasers is a common practice to maximize your marketing efforts through the use of recorded email addresses that users used in purchasing an item in your store. Other than sending the receipt of that original purchase, sending additional vouchers/coupons for promotional purposes could be outside of the GDPR regulations – unless proper consent was clearly stated and the user did agree and signed up to be promoted to.
The user has to be promoted in a clear and obvious manner to get their consent with their “action” to agree to be signed up. Long terms and conditions with the option hidden in the long text will not do, nor a pre-ticked box for the user to proceed and finish the purchase process. The data use has to be obtained such that it is clearly understood on the business’ intent of use as well as needs to be captured for auditing purposes.
Data collection includes user data that are recorded on cameras for example (CCTV). GDPR regulates and re-defines the profiling of users in the context of the capture of the data, how it is used or predicts the user’s behavior in an automated form. Another form that profiling takes place is with loyalty cards/points, where purchase patterns are recognized where the data then can promote further categories of such products to those users. This also includes the use of what users have browsed in your online store to further promote to them. All these marketing tools are under scrutiny with GDPR and require online stores to take the right steps to avoid going over the line defined.
With marketing tools being provided in your online store Apps, careful consideration needs to be taken on the method used on how an individual is subjected to a “legal effect”. Unless the profiling done is required for the online retailer to deliver the “contract” such as a product being purchased requiring an upload, and an upload screen appears you will have to disclose your actions and what can be expected for the user to experience. What’s frowned on is the use of loyalty cards and promoting certain items to a subgroup of that user base sets up a “legal effect” to which requires clear consent requirements.
Data Breach and Security notification
All users expect security at all points of contact online – this includes the hosting of your store, the source on your site, and the card processor. GDPR is explicit on what’s expected with compliance with PCI and various certifications of audits in your store’s security. GDPR has introduced the 72hr notification rule on any breach of security to be reported to the regulator and in some cases to the data subjects. Given this does your business have a procedure on detecting, assessing and reporting a breach?
Most online retailers focus on getting the store operational with industry-standard security as the code being used is used by other retailers and “should be safe”. It takes only one vulnerability by one App that can make an ordinary day of online business to become a very unpleasant one. The prevention of a breach requires careful consideration, audit with your development or hosting partners to ensure that your store meets the security requirements.
The procedures defined in the event of a breach are very important to define before one occurs as mistakes can be avoided in how the online retailer handled the situation. If a client complains about their data being accessed, being misused by an external party where the data originated by your store, having the procedures well in place will ensure the appropriate response in dealing with the issue. Too many online retailers suffer data breaches on a daily basis which affects the industry confidence as a whole. eCommerce platforms such a Shopify which centralises its hosting via a cloud are more secure than hosted ones since all changes/updates are applied to all stores in the cloud and do not require your online store to be updated with security patches as they come out.
Shopify GDPR: https://help.shopify.com/en/manual/your-account/GDPR
Order processing and data transfers
In today’s online business, a purchase might have several vendors delivering the goods. An order received by a 3rd party warehouse (where there is a pick/pack process), and then a shipping company to pick up the item and deliver it to your door. The data processing between companies are required to be clearly identified/protected from any misuse along the supply chain. This would include drop shipping, returns (RMA) and any other form of handling a contractual obligation to the client.
Additionally, disclosing and informing the client on how their goods will be processed with the type of delivery will ensure that the expectations are set before a transaction is completed. All data sharing with 3rd party vendors must abide by the ICO’s Code of Data Sharing to which is where the clients would file a complaint with if it is not followed.
Cross Border privacy
While GDPR applies to European countries belonging to the European Union, countries outside of this union have retailers doing business with clients inside of the Union and Visa Versa. Rules of International data transfers apply to global retailers and are similar in nature to GDPR. However, the complaint process and enforcement will vary significantly depending on the country to which the online store is registered. GDPR uses the concept of “lead regulatory authority” which identifies the handlers of a complaint, which is defined by the country in which the online store/processor is registered to. However, 3rd party companies associated with the online store may be outside of that country and therefore might involved a different organisation. With consumers that are usually not as informed on the complaint process, might engage the wrong agencies if they perceive to have a problem. This is why it is very important to be clear with your clients at every step to ensure to avoid any issue on how their data will be handled. Especially if you open your doors to various countries, cultures, payment/currencies and shipping methods.
While all merchants, clients, processors, and many other online entities reasonably understand the concept of GDPR, it is the communication to the purchaser that’s crucial in setting the right expectations. It is your professionalism in ensuring that their data is protected and that your processes are in place if an incident is reported. It just takes one missed step with the wrong 3rd party, or App in your store, or lack of maintenance of your platform that could open the door to a breach. Only due diligence is the prevention of an incident, and to avoid scrutiny, sanctions or penalty/fines. Protecting your online operation requires protecting your clients – the only way to ensure trust is maintained at the community of online retailers.