GDPR is everywhere and if you’re not familiar with it you should be, as it effects everyone who sells anything to anyone in Europe. The problem is wherever you look it’s all about what it means instead of how to do it. According to a report by PwC and Iron Mountain, 41% of mid-sized businesses will be in breach of the incoming law.
Outlined below are a few pointers on considerations for a framework around the collection of data, how it is controlled and managed, the security around your eCommerce sites to protect it and how to give your customers access to their data.
Collection and use of data
With modern eCommerce sites, data has become the fuel to drive customer experience. The power to collect implicit data the moment a user lands on the site capturing their device, location, products viewed or bought, what they search for and how long they spend doing it. Over time, the amount of customer data grows significantly. Most sites these days rely on multiple applications from different vendors to share that data to provide features like product recommendations, reviews, cross channel integrations, customer service, etc. The benefits these provide are powerful in improving pretty much all the KPIs a site will be measured against.
All this data needs to be controlled, this falls into two categories;
The company owning or managing the site is the data controller and they are responsible for ensuring that processors (eCommerce platform, hosting, etc) and sub-processors (recommendations, reviews, etc) are compliant with the handling of all data and that as the controller, they can provide customers access to their data and procedures to support breaches of the data across their whole estate.
As part of a site’s design and ongoing compliance, the integration between applications, hosting and 3rd party tools may need to extend from the flow of data, to now including and keeping up to date with their latest patches and policies. It is important to build this into the scope, staffing, skills and budgeting for the site and its ongoing operation.
Data management is a core function of IT departments in medium and larger businesses, however it’s not generally too much of a focus beyond implementation of an eCommerce site with a customer database attached for smaller and mid-market businesses. As a consequence, data may be incomplete, duplicated, or even contaminated with other customer records.
Getting all the data in one place and making it clean will be an important criteria to meet compliance of GDPR. The need to design and implement tools to manage the data will not only tick a box, but will also benefit the business with true data in which to make better decisions and improve customer experiences.
Now that data is being collected, there is a single view of it and have procedures in place in the event of a breach, it’s important that the data is safe and secure. As outlined in the previous article around security, eCommerce sites are the most targeted by hackers and Magento is their preferred choice with 85% of all compromised eCommerce systems. The main two vulnerabilities with it being open source and the adoption of patches.
The Open Web Application Security Project (OWASP) Top 10 is a list of ten most critical Web Application Security Risks. They provide guidance around the risks and their preventative measures for securing an eCommerce site and are a good checklist when evaluating solutions, platforms, systems integrators and hosting providers. It can also provide an ongoing checklist for monitoring the security and services for the site.
GDPR calls for giving citizens and residents back control of their personal data, be it the right to be forgotten or keeping data that is no longer required. As this data is being collected and managed as outlined above, giving control of personal data should be straight forward.
The least complex way would be to provide a request form that gets sent to a person who then accesses the data and completes the request. GDPR removes the fees associated with things like access requests, so customers are far more likely to make them and they can also make more complex requests like requests to be forgotten or requests to suspend processing. Unless an eCommerce platform provides automated support for access requests then the retailer could end up incurring a lot of costs associated with managing them.
GDPR introduces new standards around collecting customer consent, so retailers will all need to update their consent management features on their sites. The best way would be to have a number of options in the users MyAccount where they have the ability to self-manage what data is collected, add further explicit data about themselves, if it’s available to 3rd parties, enable or disable the use of that data to provide promotions or recommendations, as well as the right to be forgotten.
Providing someone with the right to access these options doesn’t mean they will action them, but it could provide them with a greater level of trust in the company that offers them.
Tags:GDPR, Magento GDPR, mid-market GDPR