Unless you’ve been hiding under a rock for the last few months, you’ll have heard about GDPR.
The Information Commissioner describes the General Data Protection Regulation (GDPR) as “the biggest change to data protection law for a generation”. GDPR is the result of years of work. The EU wants to give people greater control over how their data is used.
So just how big is the problem which GDPR is trying to address? Here are some key facts to give you an idea:
- 80% of data breaches are a result of human error
- 60% of these data breaches are linked to a 3rd party
- 75% of companies in the UK have suffered a breach of some description
- 60% of organisations do not have a security budget
(Source – ARC Network and Security)
The changes the GDPR introduces this year will impact businesses of all sizes and when it comes to doing business online, it introduces a new set of requirements about how digital marketing data is collected and used.
If you’re anything like us, the announcement of GDPR came as a shock and possibly sent you into panic mode. We’ve taken steps towards helping other businesses when it comes to GDPR (including holding two seminars on the GDPR topic in London and Southampton). We’ve also made some big changes already, to make sure we are compliant with GDPR. Once you get your head around the basics, it’s not as scary as most of us are led to believe it is.
What could GDPR mean for your ecommerce or digital marketing strategies? What can you do to prepare yourself for when the Regulation takes effect in May 2018? Read on for answers to the questions you have that others may not have been able to answer…
Appoint a data protection officer for your business
Everyone in your business has a responsibility for data protection compliance; however, it is useful for most organisations to have a data protection lead – someone who is responsible for ensuring compliance now and going forward and who acts as a single point of contact within the business. This is true even if the GDPR does not require you to appoint a Data Protection Officer (DPO).
Make sure you have data protection policies in place
Having a central data protection policy is essential in empowering employees to understand their responsibilities under the GDPR. As such, you should make sure you have in place a policy which sets out your company’s approach to:
- Data protection in general
- The processing of data within your business
- Carrying out due diligence on third party suppliers
- Anonymising data
- Data retention
- Data security and access controls
- The use of data protection impact assessments
- The use of IT services such as email, cloud services, and other systems, and how to be compliant when using these services
- The expected compliance behaviours of employees
- Dealing with individuals’ rights (e.g. subject access requests, data portability, etc.)
- Protocols for transferring data to third parties
- Protocols for international transfers of data including when you use cloud-based services
- Procedures for dealing with third party access to data (e.g. law enforcement, etc.)
- Your approach to dealing with data breaches
You may also find you will need specific policies for certain areas of your business (for example you may set a separate policy for the marketing team’s compliance).
Carry out an audit of data, systems and policies
Whether you’re looking at data protection for the first time across your business or if you’re working out how your business and its data flow will be affected by the GDPR, you should carry out an audit of your data, systems and policies. This will enable you to ensure compliance as well as setting a benchmark for compliance if this is the first time you’ve looked at your data protection compliance.
Document your approach to data protection and processing
Remember the GDPR accountability principle means it’s up to you to demonstrate your compliance. Even if you’re not mandated to document your data processing activities, it can be useful to document your business’ procedures and processes. It is best to document exactly what you have done to be compliant with GDPR and what you haven’t done (all businesses, whether B2B or B2C, will have different codes of practice to follow, and it is not necessary for all businesses to document the same processes). You may want to tie these in with your data protection policies.
Document retention policy (for ecommerce sites)
Within your compliance documentation you need to state your data retention periods and explain how you arrived at them. Examples:
1) An employer stores employee (data subject) information for the current period of employment plus X years because the law requires it.
2) A company stores information on prospective clients (data subjects) for a “business critical” period of time before deleting it. Some examples below:
Prospective data subjects:
Advantec (Prospect = company looking for a new website)
Generally, a prospect will convert within X months/years; for wiggle room, perhaps add a year so there is an opportunity to go back and revisit the quote later. After this time the original information is deleted. If the prospect were to enquire again, it’s likely the requirements would be different, so the deleted data would not have been relevant anyway.
Prospect = Guest user
Many eCommerce platforms, Magento included, will allow you to define when a cart will expire – this is generally managed by session duration and therefore also determines how long a user can stay logged in to your website. It’s worth noting that although the session has expired, the cart may still exist within the database, especially if the prospect had made their way to the checkout, leaving their name and address held within your system.
Prospect = Customer account holder
Similar to the Advantec example, it is advisable to remove prospect data after a certain period of inactivity. Often we encounter users who are one-off or very infrequent purchasers; before deleting customer accounts we strongly recommend running a report of last login dates to gauge your deletion threshold, perhaps cross-referenced against the volume of orders – but again, add plenty of wiggle room.
For example, Dan (our DPO) only buys brake pads for his bike from Evans Cycles – he has an account with them and buys new pads once a year, and everything else he tends to buy from Wiggle (although, other retailers are available). He purchases via his account when he’s logged in (because he’s a massive nerd and likes to have his order history at hand) – he’d be REALLY annoyed if every year as part of their data retention policy his account is deleted. So the customer account retention is very specific to the company themselves because the merchant has to think about brand protection and not making their customers angry.
In addition to the above, the quote database table in Magento isn’t automatically maintained and can become very large depending on traffic. So it’s worth getting a developer to write some code which will clear rows older than X days. We recommend checking your “Time To Purchase” within Google Analytics to get an understanding of what will be an acceptable timescale – perhaps cross-reference against reports from your database (if possible).
For example, over the course of a week one website had 233 transactions, 20 of which had a “Days to Transaction” of 28 or more. That justifies keeping carts for at least 28 days before clearing them, and you can extend the period at your own discretion. As long as you’re able to justify your decisions as “business critical” you should be fine.
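As an added, runnable illustration of the cart clean-up described above (this is example code written for this article, not code from Magento or from Advantec’s store): the schema imitates the Magento 2 `quote` and `quote_address` tables (column names are an assumption; the rows, the `retention_days` helper, the `purge_guest_quotes` function and the “Days to Transaction” buckets other than the 28+ one are all constructed for the example). It runs against SQLite so it can be tried offline; on a live store the same statements would be issued against MySQL from a cron job, after a dry run and a backup.

```python
"""Retention purge for abandoned guest carts in a Magento-style `quote` table.

Added example, not Magento code. The schema below imitates Magento 2's
`quote` / `quote_address` tables (assumed column names) and the data is
constructed for the example.
"""
import sqlite3
from datetime import datetime, timedelta

NOW = datetime(2018, 3, 1, 9, 0, 0)  # fixed "today" so the results are reproducible

# The name, street and postcode the text is worried about live in quote_address,
# not in quote, which is why the foreign key cascades on delete.
SCHEMA = """
CREATE TABLE quote (
    entity_id         INTEGER PRIMARY KEY,
    customer_id       INTEGER,
    customer_is_guest INTEGER NOT NULL DEFAULT 0,
    is_active         INTEGER NOT NULL DEFAULT 1,
    converted_at      TEXT,
    updated_at        TEXT NOT NULL,
    customer_email    TEXT
);
CREATE TABLE quote_address (
    address_id INTEGER PRIMARY KEY,
    quote_id   INTEGER NOT NULL REFERENCES quote(entity_id) ON DELETE CASCADE,
    firstname  TEXT,
    lastname   TEXT,
    street     TEXT,
    postcode   TEXT
);
"""

def _ts(days_ago):
    """Timestamp `days_ago` days before NOW, in the format Magento stores."""
    return (NOW - timedelta(days=days_ago)).strftime("%Y-%m-%d %H:%M:%S")

# Constructed sample rows:
# (entity_id, customer_id, is_guest, is_active, converted_at, updated_at, email)
SAMPLE_QUOTES = [
    (1, None, 1, 1, None,    _ts(3),   "a@example.com"),  # fresh guest cart
    (2, None, 1, 1, None,    _ts(45),  "b@example.com"),  # guest cart abandoned at checkout
    (3, None, 1, 0, _ts(40), _ts(40),  "c@example.com"),  # guest cart already turned into an order
    (4, 17,   0, 1, None,    _ts(120), "d@example.com"),  # logged-in customer's cart
    (5, None, 1, 1, None,    _ts(30),  "e@example.com"),  # guest cart, a month old
]
SAMPLE_ADDRESSES = [
    (10, 2, "Bea", "Smith", "1 High St", "SO14 0AA"),
    (11, 3, "Cal", "Jones", "2 Low Rd",  "SO15 1BB"),
    (12, 4, "Dan", "Brown", "3 Mid Ln",  "SO16 2CC"),
]

def build_sample_db():
    """In-memory SQLite database populated with the constructed rows above."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")  # SQLite needs this for ON DELETE CASCADE to fire
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO quote VALUES (?,?,?,?,?,?,?)", SAMPLE_QUOTES)
    conn.executemany("INSERT INTO quote_address VALUES (?,?,?,?,?,?)", SAMPLE_ADDRESSES)
    conn.commit()
    return conn

def retention_days(days_to_transaction, wiggle_days=14):
    """Turn a 'Days to Transaction' report into a retention period you can justify:
    at least as long as the slowest bucket that still produced orders, plus a buffer.
    `days_to_transaction` is a list of (bucket_lower_bound_in_days, transactions)."""
    slowest = max(lower for lower, count in days_to_transaction if count > 0)
    return slowest + wiggle_days

def purge_guest_quotes(conn, days, now=NOW, dry_run=True):
    """Delete guest quotes not touched for `days` days. Logged-in customers' carts are
    left alone: their retention follows the account policy, not the cart policy.
    Returns the number of quote rows matched; with dry_run=True nothing is deleted."""
    cutoff = (now - timedelta(days=days)).strftime("%Y-%m-%d %H:%M:%S")
    where = "customer_is_guest = 1 AND updated_at < ?"
    matched = conn.execute(f"SELECT COUNT(*) FROM quote WHERE {where}", (cutoff,)).fetchone()[0]
    if not dry_run:
        conn.execute(f"DELETE FROM quote WHERE {where}", (cutoff,))  # addresses cascade
        conn.commit()
    return matched

def row_count(conn, table):
    assert table in ("quote", "quote_address")  # never interpolate an unchecked identifier
    return conn.execute(f"SELECT COUNT(*) FROM {table}").fetchone()[0]

if __name__ == "__main__":
    # The article's week: 233 orders, 20 of them 28+ days after the first visit
    # (the smaller buckets are constructed to make the total 233).
    report = [(0, 150), (1, 40), (7, 23), (28, 20)]
    keep_for = retention_days(report)  # 28 + 14 = 42 days
    db = build_sample_db()
    print("would delete", purge_guest_quotes(db, keep_for), "guest quote(s)")
    purge_guest_quotes(db, keep_for, dry_run=False)
    print(row_count(db, "quote"), "quotes and", row_count(db, "quote_address"), "addresses remain")
```

Two things worth carrying over to the real job: always run the dry-run count first and compare it with what you expect from the analytics report, and on MySQL delete in batches (a `LIMIT` on the `DELETE`, looped) so a very large table does not hold locks for the whole run. Before scheduling this, also check what your Magento version’s own quote clean-up cron removes, if it is enabled, so the two jobs do not disagree about the retention period.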
Specific protection for children
Children need particular protection when you are collecting and processing their personal data because they may be less aware of the risks involved. If you process children’s personal data then you should think about the need to protect them from the outset and design your systems and processes with this in mind.
Provide internal informational resources for your employees
Where possible you want to be able to provide a single reference point within your business, where employees can find all the relevant information they need to be compliant (policies, documented processes, single point of contact details, etc.). An intranet site is usually the best place to make this content available and usually, the DPO will be responsible for maintaining it.
Train your staff so they understand their responsibilities
If your staff are fully versed in the importance of data protection, they’ll understand their own responsibilities, how your data protection policies apply to them within their roles and who to go to when they need help. Roll out generic training to the whole business, preferably in a classroom environment (rather than an online course) and run specialised courses for specific teams (e.g. data protection and marketing, data protection and customer services).
Maintain ongoing compliance
Data protection compliance isn’t a one-off exercise. As well as dealing with ongoing compliance needs (e.g. subject access requests, making sure systems are secure), you’ll need to make sure your employees are kept up to date with data protection and make sure that compliance is maintained. You’ll do this by ensuring your policies are up to date and delivering data protection refresher training.
Keep your business up to date
Keeping on top of developments with the law, actions taken by regulators across Europe, as well as national changes (e.g. Brexit) and keeping on top of best practice and mandated codes of practice (e.g. from the ICO), is all part of a Data Protection Champion’s role. Even when the UK has left the EU, there will be plenty to keep notice of.