Blog Post - Nils Kijkuit, Dec 15 2017

Have you made GDPR compliance your New Year’s Resolution?

Unless you've been living under a rock for quite some time, you must be aware of the upcoming privacy regulation, the GDPR, by now. And, as an online marketer or eCommerce manager, it is easy to see the GDPR as nothing but a burden.

However, it is essential that your business becomes GDPR compliant, and there is a lot to be done to achieve this. For example, you need to map out where all your personal data sits: not just in your commerce platform and ERP, but also the data you push via an API to your Email Service Provider (ESP) and Payment Provider (the PayPal Express API, for example, sends customer data and purchase information to PayPal).

And what about your customers? Have they actually consented to you transferring their data? Ever thought about the scripts that live inside Google Tag Manager? Have you checked whether any of them send personal data to third parties (your Facebook tracking script almost certainly does)? You might argue that sending abandoned shopping cart data to your ESP, for example, doesn't hurt anyone. But what if a customer's purchase intentions start to show a pattern - books about addiction, a specific religion or sexual orientation, for example? Then this information suddenly becomes sensitive data, which the GDPR treats as a special category with stricter rules.

Here's another eye-opener: did you know that some of the larger commerce platforms do not serve every page over HTTPS out of the box? Google already penalises that in your search ranking, and since commerce websites are becoming more personalised, more and more pages carry personal data, so it is also a privacy issue: every page that shows a customer's name, address or order history must be encrypted in transit.
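The check a practitioner wants here is simple: for every page in the shop, does the plain-HTTP version redirect to HTTPS, does the HTTPS version stay on HTTPS, and does it send an HSTS header so browsers never fall back to plaintext? The script below is an added example (not code from the original post or from any commerce platform). It assumes you can feed it a list of page URLs, for instance from your sitemap; the `shop.example` responses in `SAMPLE_OBSERVATIONS` are constructed so the classification logic runs offline, and `audit_live` does the same checks against a real site.

```python
"""Audit whether a shop serves every page over HTTPS (added example)."""
from urllib.parse import urlsplit
import urllib.error
import urllib.request

ONE_YEAR = 31536000  # seconds; assumed minimum for a useful HSTS max-age


def _hsts_max_age(value):
    """Return the max-age from a Strict-Transport-Security value, or None if absent."""
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name.lower() == "max-age" and val.strip().isdigit():
            return int(val)
    return None


def classify(url, status, headers):
    """Classify one observed response; headers is a dict with lower-case keys."""
    scheme = urlsplit(url).scheme.lower()
    location = headers.get("location", "").lower()
    is_redirect = status in (301, 302, 303, 307, 308)
    if scheme == "http":
        if is_redirect and location.startswith("https://"):
            return "redirects-to-https"
        return "plaintext"  # page content and cookies travel unencrypted
    if is_redirect and location.startswith("http://"):
        return "downgrade-to-http"  # HTTPS entry point bounces the visitor back to plaintext
    hsts = headers.get("strict-transport-security")
    if hsts is None:
        return "missing-hsts"  # browsers may still try plain HTTP next time
    max_age = _hsts_max_age(hsts)
    if max_age is None or max_age < ONE_YEAR:
        return "weak-hsts"
    return "ok"


def audit(observations):
    """Map each observed URL to its finding; observations = [(url, status, headers), ...]."""
    return {url: classify(url, status, headers) for url, status, headers in observations}


def problems(observations):
    """Only the URLs that need attention, sorted for stable reporting."""
    return sorted(u for u, f in audit(observations).items()
                  if f not in ("ok", "redirects-to-https"))


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following redirects so the first hop can be inspected."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def observe(url, timeout=10):
    """Fetch url once without following redirects; returns (url, status, headers)."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            status, raw = resp.status, resp.headers
    except urllib.error.HTTPError as e:  # raised for 3xx (by _NoRedirect) and 4xx/5xx alike
        status, raw = e.code, e.headers
    return url, status, {k.lower(): v for k, v in raw.items()}


def audit_live(page_urls, timeout=10):
    """Probe each page over both http:// and https:// and return the findings."""
    observations = []
    for page in page_urls:
        host_and_path = page.split("://", 1)[-1]
        for scheme in ("http", "https"):
            observations.append(observe(f"{scheme}://{host_and_path}", timeout))
    return audit(observations)


# Constructed responses for a fictional shop, not captured from a real site.
SAMPLE_OBSERVATIONS = [
    ("http://shop.example/", 301, {"location": "https://shop.example/"}),
    ("https://shop.example/", 200, {"strict-transport-security": "max-age=31536000; includeSubDomains"}),
    ("http://shop.example/checkout", 200, {"content-type": "text/html"}),
    ("https://shop.example/account", 200, {"content-type": "text/html"}),
    ("https://shop.example/promo", 200, {"strict-transport-security": "max-age=300"}),
    ("https://shop.example/old-catalog", 302, {"location": "http://shop.example/catalog"}),
]

if __name__ == "__main__":
    for url, finding in audit(SAMPLE_OBSERVATIONS).items():
        print(f"{finding:20} {url}")
```

Run it against your own sitemap with `audit_live([...])`; anything reported as `plaintext` or `downgrade-to-http` is a page where customer data can be read on the wire, and `missing-hsts` means a bookmarked or typed `http://` link will still hit plaintext first.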

All parties (under the GDPR: the data processors) that might touch, or even just read, your customers' data - for which you, as the controller, remain ultimately responsible - must also be GDPR compliant.

  • Do you have an up-to-date privacy statement on your site?
  • Have you checked your contracts with your third-party data processors, especially non-EU processors?
  • Do you have a proper data processing agreement in place?
  • Will your data processors report suspected data breaches in time, so you are able to meet the "report within 72 hours" deadline?
  • Have you checked whether your own systems and your data processors can support processes like the right to erasure ("the right to be forgotten") and the right to data portability?

Show your customers you truly care about their privacy

A customer's right to be forgotten is not satisfied by removing their data from live production systems alone; it extends to test systems, backups... the whole lot. And if you're not sure whether you or your data processors comply, you'd better start setting aside some money, as non-compliance can result in hefty fines! And, just to make it clear, the GDPR leaves no room for an "if you don't like it here, take your business somewhere else" attitude. If you are serving even a single customer in the EU, you have to comply. Period.

Viewing GDPR compliance as just a burden is perhaps not the right approach. Sure, a lot of work has to be done on top of all the other stuff in your backlog jostling for inclusion in the next sprint. But look at it this way: isn't a lack of trust one of your biggest conversion killers? And now that consumers are becoming increasingly aware of their privacy rights, the GDPR will play a role in the consumer's mind when they consider whether or not to shop with you.

So, just meeting the minimum GDPR requirements won't cut it. Turn it around and show your customers that you really do care about their privacy. Make what they sign up for completely clear and transparent. Give them full control over their data, in the MyAccount environment, for example. Collect as little data as is needed, and purge it as soon as possible. A consumer who has given you full consent to use their data is very likely to be a committed consumer; a consumer who trusts you enough to keep, protect and use their data is likely to do business with you. The same principle goes for online marketing: sending newsletters to non-consenting recipients will hurt your open rates now more than ever, and the recipient is very likely to unsubscribe. And those unsubscribes will also hurt your CSAT and NPS scores!

Having permission to use consumer data, and using it in a way that does not hurt the consumer's interests and actually adds value, will improve open rates and increase conversions. At the end of the day, implementing proper GDPR policies enables just that.

So, don't wait until May 25th, 2018 to become GDPR compliant; you just might be missing out on opportunities! How about making it your New Year's resolution?