Jan 04

GDPR for E-commerce: How it affects your business and how to prepare

How often do people within your e-commerce business use the phrase “our customer data”? GDPR for e-commerce companies will be an opportunity – and challenge – moving forward. Customer data – from contact details to information on web browsing – is one of your company’s most valuable resources.

It guides your decision making and (hopefully) keeps you ahead of competition.

It’s hardly surprising then that e-sellers approach data with a strong sense of proprietorship.

GDPR requires all online retailers to review their existing data management and cybersecurity systems and processes.

More widely, GDPR seeks to give shoppers a much greater say over their personal data and how it is used. At the same time, it encourages retailers to approach customer data differently.

Personal data can no longer be seen as an asset to be mined or exploited.

Here are some of the key ways GDPR for e-commerce can play out, including steps you can take to stay on the right side of the regulators.


Obtaining Customer Consent

The principle of transparency is a thread which runs right through GDPR.

This is especially true when it comes to obtaining consent.

Let’s say you request an email address at the point of sale to send out an e-receipt.

You cannot store that address and use it for sending out marketing info unless this purpose has been “explicitly brought to the attention of the data subject” and unless consent for this has been given.

To be valid, these consents have to be “freely given, specific, informed and unambiguous”. Vague, catch-all tick boxes are off-limits. Nor can you bury information about the intended purposes of processing that data in bundled terms and conditions.

Tips for compliance:

  • Carry out a full audit of current consent forms and privacy notices across your e-commerce business. In particular, check that they are easy to understand. Also check that mandatory information is covered.
  • Check whether additional consents need to be drawn up, especially in areas of your website where you have relied on inactivity or pre-ticked boxes. Neither silence nor a pre-ticked box counts as consent under GDPR.
  • Ensure that separate consents are in place for separate data processing activities. You should also make it simple for customers to withdraw their consent.
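The consent rules above come down to one engineering requirement: consent has to be recorded per purpose, with a source and a time, and checked at the point of use. The following is an added illustration of that pattern, not code from the original post. The purpose names, the record layout and the two sample shoppers are assumptions made for this example.

```python
"""Per-purpose consent ledger (added illustration, not code from the original post).

Models the rule that an e-mail address collected for one purpose (sending an
e-receipt) may not be reused for another (marketing) unless a separate,
explicit consent for that purpose is on record and has not been withdrawn.
Purpose names, record shapes and the sample data are assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Purposes are a closed list: there is no "all marketing" catch-all, one record
# per purpose, which is what "specific" consent means in practice.
PURPOSES = {"e_receipt", "marketing_email", "analytics"}


@dataclass
class ConsentEvent:
    purpose: str
    granted: bool            # True = given, False = withdrawn
    at: datetime
    source: str              # where the choice was captured, for the audit trail


@dataclass
class ConsentLedger:
    """Append-only per-subject ledger; the latest event per purpose wins."""
    events: Dict[str, List[ConsentEvent]] = field(default_factory=dict)

    def record(self, subject: str, purpose: str, granted: bool, source: str,
               at: Optional[datetime] = None) -> None:
        if purpose not in PURPOSES:
            raise ValueError(f"unknown purpose {purpose!r}; catch-all consent is not allowed")
        if not source:
            raise ValueError("a consent record must say where it was captured")
        self.events.setdefault(subject, []).append(
            ConsentEvent(purpose, granted, at or datetime.now(timezone.utc), source))

    def has_consent(self, subject: str, purpose: str) -> bool:
        """True only if the most recent event for this purpose is a grant."""
        latest = None
        for ev in self.events.get(subject, []):
            if ev.purpose == purpose and (latest is None or ev.at >= latest.at):
                latest = ev
        return latest is not None and latest.granted

    def withdraw(self, subject: str, purpose: str, source: str) -> None:
        """Withdrawal is just another event, so the audit trail is kept intact."""
        self.record(subject, purpose, False, source)


def allowed_recipients(ledger: ConsentLedger, subjects: List[str], purpose: str) -> List[str]:
    """Filter a send list against the ledger; anyone without a live grant is dropped."""
    return [s for s in subjects if ledger.has_consent(s, purpose)]


def demo_ledger() -> ConsentLedger:
    """Constructed sample: two shoppers, one of whom only gave a receipt address."""
    t0 = datetime(2018, 5, 25, tzinfo=timezone.utc)
    ledger = ConsentLedger()
    # alice gave her address at checkout for the receipt only
    ledger.record("alice@example.com", "e_receipt", True, "checkout", t0)
    # bob ticked a separate, unticked marketing box and later withdrew it
    ledger.record("bob@example.com", "e_receipt", True, "checkout", t0)
    ledger.record("bob@example.com", "marketing_email", True, "checkout-marketing-box", t0)
    ledger.withdraw("bob@example.com", "marketing_email", "unsubscribe-link")
    return ledger


if __name__ == "__main__":
    led = demo_ledger()
    # Neither shopper may be mailed: alice never consented, bob withdrew.
    print(allowed_recipients(led, ["alice@example.com", "bob@example.com"], "marketing_email"))
```

The point of the design is that the marketing send path never looks at "do we have an e-mail address" but at "is there a live grant for this purpose", and that withdrawing is as simple as granting.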


GDPR for E-Commerce: Data Access, Erasure, and Portability

Under GDPR, individuals get a much greater say over their personal data.

They can ask data controllers to confirm if they process their data and what data that is. They can ask for copies of that data, and demand that it be transferred to another business.

There is also a right to have the data erased, for instance when the customer withdraws consent or where the original reason for processing no longer applies. Erasure is not unconditional: records you are required to keep under another legal obligation (accounting records, for example) can be retained, and you should say so in your response. Your customer will also have the right to receive their data in a portable format, for instance in order to hand it to a competitor.


Rights for individuals are both a challenge and an opportunity for retailers.

On the one hand, you have the prospect of existing customers jumping ship and taking their commercially valuable buyer profiles with them.

But it works both ways. If new customers come to you complete with their retail “back stories” from other vendors, you have the inside track on their preferences.

Tips for compliance:

  • Get control of what data you hold: perform a thorough data mapping exercise so you know every store and every process that touches personal data.
  • Ensure customer service staff are trained on how to respond to data access requests (template response emails may help with this).
  • Ease of portability: where you receive a request, do you have the ability to locate and then export all relevant data in a structured, machine-readable format?


Data Management: The Key to “Winning” at GDPR?


Should online retailers be scared of GDPR?

Last year, one of the UK’s biggest bar chains, JD Wetherspoon hit the marketing headlines.

The company had apparently become so spooked by data compliance that it decided to delete its entire customer email database. It seems that this course of action was considered safer than being hit by a big fine, and a lot less hassle than working out who had given consent to what!

Truth is, in the online retail sector, this nuclear option simply isn’t viable.

You value loyalty – and the success of your business depends upon your ability to build relationships with your customers.

None of this can happen without personal data.

Direct marketing communications, tailored offerings, improvements to your storefront based on buyer behaviour: to a large extent, all of this can – and should – continue post-GDPR.

But what’s more important is that the way in which you conduct your activities does not conflict with the rights of your customers. This includes their right to understand and limit how that data is used. And what it really boils down to is treating your customers fairly.

So how can you make sure you manage your customers’ expectations?

The starting point involves getting a full grasp on your data estate.

  • What data do you hold and what is its purpose?
  • Are those purposes legitimate?
  • Are you hanging on to data for longer than you need it?
  • Have you got more personal data than you actually need?
  • Are the specific purposes covered by matching legal grounds, such as consent?
  • Are you safeguarding, storing and (where relevant) transferring that data in a way that’s adequate?

In May 2017, Compuware found that more than three quarters of retailers still didn’t have a comprehensive GDPR strategy in place. 71% of respondents said that the complexity of their IT systems meant they didn’t know where customer data was being held. 38% didn’t have the ability to get hold of all of an individual’s personal data quickly.

So it’s reasonable to predict that within the world of e-commerce, there will be winners and losers when it comes to GDPR.

The winners will be those with the technical and organisational ability to map, visualise, control and manage each and every data processing activity.

They’ll be able to comply with customer access requests with ease, and well-positioned to invite new customers onboard (complete with their buyer profile from other e-sellers!).

Without the ability to respond swiftly (or at all) to data access requests, retailers could be sleepwalking into non-compliance and find themselves exposed to the new fine regime.

Beyond this, savvy shoppers will catch onto the fact that personal data is now a form of currency – and one that they’re very much in control of.

Establish yourself as a safe pair of hands for this new currency and you provide one more very good reason to do business with you.
