GDPR Ecommerce Guidelines | PDF | Payment Card Industry Data Security Standard | Backup
GDPR Ecommerce Guidelines

This document provides guidelines for ecommerce businesses to comply with the GDPR (General Data Protection Regulation). Key points include: 1) Consent from users is required to collect and use their personal data. Only collect data needed for business purposes and be transparent about how it will be used. 2) Make privacy policies, terms and conditions, and options to opt-out or delete data very clear and visible. 3) Major tech platforms like Google and Mailchimp are working to be GDPR compliant, so ecommerce businesses can continue using common marketing tools while complying with GDPR. Compliance is an opportunity to gain customers in Europe by emphasizing privacy practices.

Uploaded by

Sound Storm
Copyright: © All Rights Reserved
GDPR ECOMMERCE GUIDELINES

Consent is king.

GDPR empowers Europeans to control exactly how their data is used. As a result, being GDPR
compliant means you can’t assume what your users want.

For example, GDPR says, “Silence, pre-ticked boxes or inactivity should not constitute consent.”
That means you should avoid stuff like this:

Only collect data that you need.

The heart of GDPR compliance is protecting people’s data. You can limit your exposure by not
collecting data that you don’t need.

If there is no business value in knowing, say, what company your shopper works for, then GDPR
gives you an incentive to not even ask.

If you’re not going to use the information, then don’t ask for it. And if you are going to use it, be
really clear about what you’ll use it for.

For example, sometimes you’ll see checkout pages that ask for a shopper’s phone number.
Shop owners need to ask themselves, “What am I going to use this person’s phone number
for?”

There are definitely legitimate reasons to ask for a phone number. It could be for SMS campaigns,
or as a safeguard against fraudulent orders. Shopify’s fraud detection mechanism flags orders if
the shipping address and IP address are in different locations, and then uses the phone number
to protect consumers and get confirmation. That is totally fine as far as GDPR compliance goes.
Just make sure that you explain this stuff in the terms and conditions and privacy policy.

Make everything really clear.

Regulators in charge of GDPR compliance love transparency. You could put an “unsubscribe”
link on your website next to “subscribe.” You could link directly to your terms and conditions
and your privacy policy from your footer.

Putting all of this stuff out in the open is one of the simplest ways to protect yourself from
concerns about GDPR compliance. And if you have certified or verified processes, tell the world!
This is how fashion giant Zalando does it:

Don’t do sneaky stuff.

For companies under 250 employees, so much of GDPR boils down to simply not being sneaky.
If you are honest and transparent and implementing best practices, you won’t face the massive
fines that come with GDPR.

Daunting as it all may seem, small businesses can take comfort in this: as long as they can
demonstrate that they’ve put their best foot forward to meet the requirements of GDPR,
regulators will work with them on any problems that might arise.

Which means…

Keep selling in Europe!

GDPR isn’t just rules and headaches. It’s a huge opportunity: European customers will like you
more if you are GDPR compliant.

No doubt, data privacy is a big deal in Europe. And you can see topics related to GDPR
compliance pop up all over the web. In fact, European companies from every sector use data
protection and data privacy as a selling point, and store owners can do the same.

Here, for example, is the home page of the German supermarket chain Edeka. When you arrive,
you get a heads up that they use cookies, as well as a link to a “Privacy Policy” page
(“Datenschutzhinweisen”).

This data privacy stuff is way bigger than the Edeka logo. It’s front and center and huge:

Interested customers can also find a massive cookies section in the imprint, as well as yet
another link to the data privacy section. Topics surrounding GDPR compliance are planted all
over the website.

And this isn’t a financial institution or government body. It’s a supermarket.

This isn’t just a German thing. The French entertainment website tf1.fr has a floating banner
about cookies — right below its dedicated “privacy policy” and “cookies” sections:

The Dutch might take the cake. Or take the cookie, as it were. Just look at this massive cookie
notice that every visitor sees upon arrival at the popular site Marktplaats:

Meanwhile, top Dutch news site Telegraaf has no fewer than three data privacy-related
sections in its footer:

Simply put, data privacy and data protection are huge topics in Europe. Sure, some countries
require websites to give details about cookies and data protection. But these websites don’t
just give details. They show it off. It’s marketing!

European consumers want to feel comfortable about GDPR compliance issues before making a
purchase or engaging with a brand. That’s why websites ranging from supermarkets to news
outlets make such a big deal about GDPR-related topics like cookies and data privacy.

You can leverage these attitudes to grow your ecommerce business. Let people know that you
are GDPR compliant. Make GDPR compliance part of your Terms and Conditions page. Put it in
the footer of your emails. Every little advantage helps.

If you’re GDPR compliant and your competitor isn’t — or even if both of you are GDPR
compliant but you’re the only one who brags about it — then that might be a big selling point in
the European market.

What About GDPR and Marketing?

Let’s say you do everything in your power to be GDPR compliant. You remove those pre-ticked
boxes, you only collect vital data, your policies are clearly explained. Awesome.

There’s still the issue of your tools: Are they GDPR compliant?

After all, shop owners typically use a handful of platforms and solutions to optimize their
marketing, analytics, social, email, and so on. What’s more, most of those ecommerce tools are
based outside of Europe — Google Analytics, Google AdWords, Facebook, MailChimp, and a
whole lot more. 

Can a shop owner be GDPR compliant and still use these tools? Let’s take a look.

Chances are that you interact with Google’s suite of products on a daily basis. Google Analytics
is the world’s most used analytics solution, and Google AdWords is No. 1 in search marketing.
You might even run your email with Google.

Store owners know Google. Does Google know GDPR?

Absolutely. In fact, Google has gone out of its way to reassure ecommerce shop owners that it
will be completely GDPR compliant by May 2018. As Google put it:

We are working hard to prepare for the EU’s General Data Protection Regulation (GDPR)…. We
are committed to complying with the new legislation and will collaborate with partners
throughout this process.

Google AdWords updated its terms and conditions in August 2017, unveiling data protection
measures “related to the EU General Data Protection Regulation.”

Google also announced recently that it would stop scanning emails to deliver personalized ads
and services. PageFair, a British group specializing in digital advertising, speculates that GDPR
compliance “may be the real reason, or at least a contributing reason, why Google announced
that it will stop mining people’s emails for ads.”

What About MailChimp and GDPR?

MailChimp, the world’s leading email tool for small businesses, has made repeated references
to GDPR compliance.

For example, in October, MailChimp announced that it would get rid of its double opt-in
requirement. However, they are keeping double opt-in as the default setting in Europe. Why?
As MailChimp put it in a blog post,

We made this decision after receiving a lot of feedback from EU customers who told us that
single opt-in does not align with their business needs in light of the upcoming GDPR and other
local requirements.

So yeah, MailChimp has heard of GDPR. In fact, MailChimp published a 26,000-word PDF
explainer called GDPR: What it is, what we are doing, and what you can do.

Like Google, MailChimp is heavily invested in GDPR compliance.


Conclusions on GDPR Compliance for Shop Owners

So what does all that mean for GDPR and your online shop? Here is the tl;dr version:

- GDPR affects businesses that interact with consumers in Europe — or that might interact
with Europeans — no matter where those companies are located.
- GDPR compliance is a bit simpler for small companies. Which means GDPR compliance is
different for your ecommerce business than it is for a massive company.
- You can help your shop be GDPR compliant by making sure your terms and conditions are
clear; removing pre-ticked boxes; and generally respecting the privacy of your customers and
potential customers.
- Your ecommerce business can take advantage of GDPR. Data privacy is a huge deal in
Europe, so get GDPR compliant — and then let all your European shoppers know about it.
- The marketing tools and channels that you use in your online shop will need to be GDPR
compliant by the time GDPR takes effect in May 2018. You need to keep an eye on this,
and contact them directly if you have questions. But GDPR is not a secret to anyone.

Privacy-by-Design

When a company takes payments online, there is an explicit ask for sensitive
information, from card details to an email address. When GDPR comes into force this ask, whilst
already explicit, needs to come with a clear statement about where the data goes and who is
responsible for storing and processing it.

Every company in this value chain needs to have processes that offer rigid protection.
The end-user then needs to be able to confidently give their consent, knowing that they are
handing over personal data to a party that can protect it. Consent can also be withdrawn at any
time, which means reconsidering auto-renewal and subscription payment processes.

Easy Access to Data

Consumers need to have quicker access to personal data than current legislation allows.
Once GDPR is implemented, organisations need to make this data available for download,
“where possible” and “without undue delay”.

That means that your customer, if he wants, can and will need to have tools at his
disposal to see what personal data you have stored about him, and to download or completely
delete that data.

It may also be necessary to outline the data chain to consumers, showing them who else
has handled the data and why it was necessary.

PCI compliance helps us achieve GDPR compliance too!

Both PCI DSS and GDPR are designed to improve customer data protection. PCI DSS
focuses on payment card data whilst the GDPR focuses on personally identifiable information.
However, despite the clear overlap there are significant differences in terms of how the two are
phrased.

The good news for organisations already PCI DSS compliant is that the GDPR is less
prescriptive than the PCI DSS standard.  The GDPR lays out what organisations need to do but
does not spell out precisely how. In contrast, PCI DSS not only specifies what needs to be
achieved but also how it should be achieved, with regular updates and laying out a clear
methodology for achieving card data security that the GDPR lacks.

ANY ORGANISATION TAKING CARD PAYMENTS IS REQUIRED TO COMPLY WITH PCI DSS.

In essence, PCI DSS and GDPR complement each other, and organisations already PCI
DSS compliant will find that it’s relatively straightforward to enact GDPR compliance alongside
what they already have in place. Complying with PCI DSS can also be used to help show that you
comply with GDPR.

If your organisation is PCI DSS compliant then you will already be conducting annual
reviews of the card data that you process as a requirement of your compliance. The aim of this
is to ensure that any new technology you’ve introduced or new processes you’ve implemented
are included within your PCI DSS compliance. This schedule of reviews gives you a framework
that can also be used when implementing GDPR, giving you an advantage over those
organisations that are starting from scratch.

Likewise, if you’re PCI DSS compliant then your organisation may well have already
invested in secure technologies, encryption, auditing, firewalls, logging and so on. Once you’ve
identified the additional personal data your organisation needs to protect under the terms of
the GDPR then you could already have the technology, processes and procedures in place to
protect it. The technology you’re already using for PCI compliance can be extended into this
new arena in many instances.

Does the Right to Erasure Include Backups?

The short answer is yes, it does!

- Where possible, controllers should organize backups so that each data subject gets his
or her own separate backup archive for personal data.
  - This is an ideal solution because it enables the granular deletion of personal data
without affecting the records of other users.
  - Unfortunately, this approach is likely to be impractical for many businesses to
implement, as an individual’s personal data is often scattered across multiple
applications, locations, storage devices, and backups.
- Backup archives should always be stored using strong encryption. That way, even if a
backup archive with personal data awaiting deletion were stolen, the thieves couldn’t
use it.
- When individuals request the erasure of their personal data, controllers should be
transparent with them about what will happen to the backups:
  - Primary instances of their data in production systems will be erased with all due
speed.
  - Their personal data may reside in backup archives that must be retained for a
longer period of time – either because it is impractical to isolate individual
personal data within the archive, or because the controller is required to retain
data longer for contractual, legal or compliance reasons.
  - The individual can be assured that their personal data will not be restored back
to production systems (except in certain rare instances, e.g., the need to recover
from a natural disaster or serious security breach). In such cases, the user’s
personal data may be restored from backups, but the controller will take the
necessary steps to honor the initial request and erase the primary instance of
the data again.
  - Backup archives containing personal data will be protected with strong
encryption, so that even if criminals were able to steal the archive, its contents
would remain useless to them.
  - Retention rules have been put in place so that personal data in backup archives
is retained for as short a time as necessary before being automatically deleted.
  - Records of all data subject requests regarding their personal data will be
retained, as will audit logs that record all activities on backup archives containing
personal data. This means that the user can be confident that their personal data
has been backed up in accordance with GDPR principles of security by design and
by default, as well as data minimization, and that their rights, including the right
to be forgotten, have been honored.
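The backup practices listed above (one encrypted archive per data subject, retention-based expiry, re-erasing a subject after a disaster-recovery restore, and an audit trail of backup activity) can be modelled in a few dozen lines. The following is an added illustration written for this page, not code from the original document or from any backup product. The subject names, records and 30-day retention period are constructed sample values, and the cipher is a HMAC-SHA256 keystream XOR that stands in for a real authenticated cipher such as AES-GCM; it shows the data flow, not production-grade cryptography.

```python
"""Erasure-aware backup model (added example, not from the original document).

Shows: per-subject encrypted archives, automatic retention expiry, an erasure
request that removes the primary copy and any isolable archive, a restore that
re-applies recorded erasures, and an audit log of every backup activity.
"""
import hashlib
import hmac
import json
import os
from dataclasses import dataclass, field
from typing import Dict, List


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy symmetric stream cipher: XOR with HMAC-SHA256(key, nonce||counter) blocks.
    The same call encrypts and decrypts. Stand-in for AES-GCM, not for production."""
    out = bytearray()
    for block_no in range((len(data) + 31) // 32):
        block = hmac.new(key, nonce + block_no.to_bytes(4, "big"), hashlib.sha256).digest()
        chunk = data[block_no * 32:(block_no + 1) * 32]
        out.extend(a ^ b for a, b in zip(chunk, block))
    return bytes(out)


@dataclass
class Archive:
    subject_id: str
    created_day: int        # day number on which the backup was taken
    nonce: bytes
    ciphertext: bytes


@dataclass
class BackupSystem:
    key: bytes
    retention_days: int
    can_isolate: bool = True  # False models archives where subjects cannot be separated
    production: Dict[str, dict] = field(default_factory=dict)       # subject -> record
    archives: List[Archive] = field(default_factory=list)
    erasure_requests: Dict[str, int] = field(default_factory=dict)  # subject -> day
    audit_log: List[str] = field(default_factory=list)

    def _log(self, day: int, event: str) -> None:
        self.audit_log.append(f"day {day}: {event}")

    def backup(self, day: int) -> int:
        """Write one encrypted archive per subject so deletion can be granular."""
        for subject, record in self.production.items():
            nonce = os.urandom(16)
            ct = _keystream_xor(self.key, nonce, json.dumps(record).encode())
            self.archives.append(Archive(subject, day, nonce, ct))
        self._log(day, f"backup of {len(self.production)} subject archive(s)")
        return len(self.production)

    def request_erasure(self, subject: str, day: int) -> dict:
        """Erase the primary copy now, drop isolable archives, and record the request."""
        self.production.pop(subject, None)
        before = len(self.archives)
        if self.can_isolate:
            self.archives = [a for a in self.archives if a.subject_id != subject]
        deleted = before - len(self.archives)
        self.erasure_requests[subject] = day   # kept so a later restore honours it
        self._log(day, f"erasure request from {subject}; primary erased; "
                       f"{deleted} archive(s) deleted, rest held until retention expiry")
        return {"primary_erased": True, "archives_deleted": deleted}

    def purge_expired(self, day: int) -> int:
        """Retention rule: archives older than retention_days are deleted automatically."""
        keep = [a for a in self.archives if day - a.created_day < self.retention_days]
        removed = len(self.archives) - len(keep)
        self.archives = keep
        self._log(day, f"retention purge removed {removed} archive(s)")
        return removed

    def restore(self, day: int) -> Dict[str, dict]:
        """Disaster recovery: decrypt archives into production, then re-apply every
        recorded erasure so that an already-honoured request stays honoured."""
        for a in self.archives:
            plain = _keystream_xor(self.key, a.nonce, a.ciphertext)
            self.production[a.subject_id] = json.loads(plain)
        re_erased = sorted(s for s in self.erasure_requests if s in self.production)
        for s in re_erased:
            del self.production[s]
        self._log(day, f"restore of {len(self.archives)} archive(s); re-erased {re_erased}")
        return self.production


if __name__ == "__main__":
    store = BackupSystem(key=os.urandom(32), retention_days=30, can_isolate=False)
    store.production = {"alice": {"email": "alice@example.test"},
                        "bob": {"email": "bob@example.test"}}
    store.backup(day=1)
    store.request_erasure("alice", day=5)
    print(store.restore(day=6))        # bob only: alice is re-erased after the restore
    print(store.purge_expired(day=31)) # both day-1 archives have aged out
    print(*store.audit_log, sep="\n")
```

Run stand-alone, the script walks through the non-isolable case: the erasure request removes alice from production immediately, her archive is held until the retention purge on day 31, and the restore on day 6 brings her record back only to erase it again before production is reopened. Setting `can_isolate=True` instead deletes her archive at request time, which is the "ideal" per-subject layout the list above describes.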
