The General Data Protection Regulation takes effect in the European Union on May 25, and because it applies to every company that deals with EU nationals, it's set to reach the whole world of eCommerce. Complying with the included regulations is something businesses have to deal with right away. The penalties for violating the rules are substantial, and the new requirements represent a major upgrade from existing standards.
The following are a few suggestions to help your eCommerce company emerge into the new era of GDPR compliance and continue serving its customers, in the EU and elsewhere.
1. Audit your current data stores
What data do you hold on your customers? If you haven't checked on this information in a while, or even if you have, a detailed audit is a good way to get started on GDPR compliance. The U.K. Information Commissioner's Office recommended careful documentation – under the new rules, you'll have to keep records of how you process, store and share data. Starting off with a full-scale assessment of what you're currently holding could prevent your company from accidentally slipping into noncompliance.
2. Update your privacy notices and opt-ins
Use of personal data under GDPR regulations is based on clear, stored declarations of consent by customers. Companies are reaching out to their audiences to ensure they have permission to continue collecting and using data – you've probably gotten a few of these from sites you deal with as a consumer. The ICO noted the consent received by businesses should be "freely given, specific, informed and unambiguous." A box checked "yes" by default isn't enough, and companies can't infer data use consent from customer silence.
3. Get ready for a new data use paradigm
If your company buys commoditized third-party data to help target consumers, that's about to change. Martech Series contributor Ken Leren of Tech Essence pointed out that GDPR's passage means the end of data merchants. Buying third-party information is merely one way to collect information on consumer preferences, however, and it's wise not to spend too much time mourning the old style as you dive into the new paradigm. Once you have permission to collect and store your consumers' data in GDPR-compliant fashion, you can begin new analysis efforts.
4. Think about the future
TechTarget noted that Articles 25 and 32 of GDPR require companies to use up-to-date IT systems to store and protect data. Where a firm is judged to be using outdated or weak technology, that company has to justify the choice by showing either a lack of risk or the prohibitive cost of an upgrade. Not only must technology be modern and capable, your company or its IT partners will have to perform regular checks to ensure the state of the art hasn't passed your chosen tools by.
5. Deepen commitment to security
No matter how good your data security capabilities are at present, new additions may be necessary for survival in the GDPR era. One of the regulations that has been receiving attention is the short window for breach disclosure. The ICO specified that firms should be ready to detect any problems with information integrity, report those issues and launch investigations. All of this comes alongside the need for as much security as possible. The risk of suffering a breach is always present, and the consequences are about to become more severe.
Preparations can't wait
Whether you power your own IT infrastructure in-house or work with a third-party eCommerce platform provider, inspecting your digital resources and ensuring they are up to EU standards is an essential step to take. Though compliance with existing data collection and security regulations has likely left your company in a good position regarding its IT readiness, there's no excuse for failure to pay attention as GDPR takes effect.
In the eCommerce world, data is a form of currency. The new regulations are changing organizations' relationship with that resource, making it explicit just how important personally identifiable information is to individuals and businesses alike. Cutting corners is not an option, so your internal IT leaders must ensure the business's own systems are strong enough, and that all partner organizations pay close attention to their own data processing. Companies that fail to show proper diligence may regret their decisions soon.