E-Commerce in the Light of the New Data Protection Regulation

By the end of 2018, over 50% of companies affected by the GDPR will not be in full compliance with its requirements. Taking effect in May 2018, the European Union General Data Protection Regulation will require global organizations to control processes and protect the personal data of EU citizens on a much higher level than they do today.

The issue of data protection is closely correlated with e-commerce law. Combined, they will regulate how retailers conduct business electronically across borders, how they approach target groups and how they handle data in order to provide products and services to consumers.
Many of our clients conduct their business through e-commerce, and thus, in this newsletter we have chosen to focus on the latest changes that are awaiting e-retailers.

After months of discussions and speculation on the impact and application of the new data protection regulation, also known as the GDPR, the year begins with intensive work for all affected companies and authorities in order to become compliant with the GDPR.
The GDPR replaces the 1995 EU directive (Directive 95/46/EC) and aims to harmonize data privacy laws across Europe.

The major difference between the GDPR and the previous directive is, among other things, the stricter requirement for documentation. Companies and organizations must demonstrate compliance with the regulation and have clear procedures for collecting and managing personal data.

Furthermore, screening is a very important requirement: companies and organizations can no longer store personal data indefinitely, but must clarify the purpose for which personal data is collected and handled, and then erase or pseudonymise the personal data when the purpose is fulfilled.

E-Commerce retailers will need to ensure users are provided with information including company contact details, the purpose of processing personal data and how long data will be stored for.

In the first instance, businesses will need to review current data processes and must be confident that any customer data held or processed is secure. Retailers that outsource parts of the business to a third party for services such as IT, marketing, cloud-based services or payments can no longer shy away from the responsibilities of data security.

In the lead-up to the GDPR deadline, we will soon see uniform UX changes in the way e-commerce sites display privacy policies, terms and conditions and contact permissions. Retailers will need to ensure their online customers are met with a more granular view of all available options they are agreeing to with regard to the submission of their personal data. These communications should be in a ‘concise, transparent, intelligible and easily accessible form, using clear and plain language’ before customers consent to their data being collected.

At its core, “Privacy by Design” in the GDPR requires data protection to be at the forefront of design as opposed to a secondary element. E-commerce retailers, in particular, will need to be explicit about what actually happens with customer data, including where data is sent and who is responsible for storing and processing it.

Online retailers will also need to openly request consent from users if they wish to share users' data, including sharing browser history with third-party companies. Retailers will be required to provide users with clear ‘yes’ or ‘no’ options for consent, and to state the names of the companies their data will be shared with, how long data will be stored, how to withdraw consent and how to access their data to have it amended or deleted (the right to erasure), all before a user confirms their consent.

We cannot stress enough the importance of a timely start on adapting to the GDPR. Inadequate preparation or a lack of continuous work to remain compliant makes organisations vulnerable to exactly the issue that has made the GDPR so well known, namely the sanction fees, where organisations can face fines of up to 20 million Euros or 4% of the global annual turnover for intentional or negligent violations.

From an ethical and sustainability point of view, this new regulation is truly valuable and the right step in global market development, where many have felt that transparency and data protection have been handled carelessly in the past decades, especially with regard to the widespread information within the retail business.

When it comes to data protection and e-commerce, we need to stop seeing these legal matters as solely compliance issues and instead embrace them from a philosophical, ethical and sustainability point of view. There are no loopholes, and we need to stop considering data as “nice to have” and instead ask the question “Need to have?”