GDPR and Its Effects on eCommerce Businesses


December 14, 2017

The December Blog Series | Looking Ahead: What's to Come for 2018

Issue 15: GDPR and Its Effects on eCommerce Businesses

With the General Data Protection Regulation (GDPR) taking effect in the spring of 2018, there are a lot of changes coming down the pipeline. As these financial regulatory changes take place, the question arises -- how will this affect eCommerce? Businesses should be aware of these changes to properly prepare their systems. Here is why:

  • Any business dealing in online transactions where payments are taken or handled will be affected.
  • All existing policies and procedures on how you handle customer data may have to be revamped.
These are some of the new directives:

Consent for marketing
Any online correspondence must have the consent of the customer prior to sending. That means there should be clear opt-in and opt-out boxes, a separate consent notification that does not fall under terms and conditions, the consent must be named so all third parties are mentioned, and every marketing activity must have its own consent.

Right to be forgotten
Any customer has the right to be forgotten. That means your communications must be transparent and include an opt-out for removal or deletion of their account.

Data Protection
All data protection procedures will be stricter. If your organization does not have a data protection officer, chances are one will have to be hired. Privacy policies also need to be revamped and presented in clear, plain language so a customer will understand.

What does this mean?

This means your organization must be aware of the new regulations, and ensure compliance. A few things to pay attention to:

Access to data
Customers must be able to quickly access their personal data. If it has been used by another organization or third party, you may have to supply an explanation, and justification.

Personalized privacy
As an online vendor, you will collect sensitive information about your customers. You must be transparent, informing the customer where their data is going, how it is used, and who is responsible for its storage and processing.

Keeping accurate and detailed records of every consent is imperative. The customer must be able to determine what they consented to, and the method of consent. The method in which you store information should be safe and consistently monitored to prevent vulnerability.

In the event of a data breach, impacted customers must be informed within 72 hours. This notification should also explain any pending delays.

Non-compliance will result in not only hefty fines, but could lead to a shutdown of the entire organization. Fines up to 4% of your annual turnover may be assessed as a penalty for breaking the rules. In drastic occurrences, customers whose rights have been violated will be now be able to file lawsuits and request compensation for a company's negligence.

If all of this sounds like a lot of work, it is. Moving into 2018, your management team should have already started making changes to the infrastructure to accommodate these new regulatory processes. Conducting an analysis of your existing processes and procedures is the first step in ensuring you meet the guidelines and are fully prepared for the new GDPR rules.