GDPR. Sure, everyone's talking about it but it's still difficult to figure out exactly how it affects us.
But with the deadline looming on the horizon, it's time for retailers to take action.
In this blog post, Ometria's resident GDPR expert and General Counsel Julian Palmer explains exactly what it means for ecommerce marketers.
Before you crack on reading the post, here are a few key terms explained:
Data controller: the business that determines the purposes and means of the processing of personal data
Data subject: a natural person (a human rather than a corporate body) who can be identified, or is identifiable, directly or indirectly
Processing: includes collecting, recording, organising, structuring, storing, adapting and retrieving personal data
1) What it is and what it does
GDPR stands for the General Data Protection Regulation, which is intended to harmonise the protection of individuals' data across the European Union (plus Iceland, Liechtenstein and Norway).
At a high level, its main purpose is two-fold:
- To strengthen the protection of personal data that individuals have been afforded since as far back as the early 80s.
- On the other hand, it is intended to free up the internal market for business. By that I mean that, until GDPR takes effect, we have a European Directive on data protection going back to 1995 that was implemented by each of the Member States in a fragmented manner. This makes it complicated (from a legal perspective) for data to flow freely between Member States, who have implemented this Directive in different ways.
2) When it will take effect
GDPR becomes enforceable on 25th May 2018, and with it the previous European Directive ceases to have application.
That’s just over six months away.
3) How to prepare for it
Retailers that have been aware of GDPR coming down the line for some time will have been looking at their systems and processes, understanding what data they hold and how it is protected. Such businesses do not have as heavy a lift in the coming months compared to retailers who are only just beginning to get to grips with GDPR.
If your brand has only recently found out about GDPR, the number one priority has to be to ‘get the board on-board’. I don’t think that any business will be remotely compliant if the main drivers of the business are not behind implementation of systems and policies to comply with GDPR. Without a company’s CEO, directors and/or founders acknowledging that data protection is good for their business, the necessary change will be difficult to realise.
And when I say that ‘data protection is good for business’, it’s not just a fanciful throwaway line. Think of why employee contracts have confidentiality or non-compete clauses, or why, when talking to a new supplier, you might require an NDA to be signed. The reason business owners are cautious about disclosure is the protection of trade secrets, and one of the biggest secrets is the data they hold on past, present and prospective customers. It is their competitive advantage, and getting into the mindset that the data must be accurate and secure will go a long way towards GDPR compliance (and is, in fact, something that businesses should be doing now in order to comply with the current law).
Senior management must have a good vision of the data their business holds, which includes:
- Customer data
- Employee details (past and present) along with prospective talent
- Shareholders/Investors details
- Supplier personal data
As an ecommerce marketer, your main focus will be “customer data”. More on that next.
4) Know what ‘data’ means
Let’s start with your customers’ personal data. Typically you will collect:
- Order placed
- IP address
- Payment details
You might then have data relating to a recipient, a message or alternative delivery addresses.
If data can be associated with an individual to identify them then this too would be data. As far back as 2000, it was shown that you only needed three pieces of data – post code, date of birth and sex – to uniquely identify 87 per cent of all Americans. GDPR governs such indirect identification.
Many a privacy professional will tell you that data cannot be anonymised. Do not think it can be. Time and again, what was thought to be anonymised data has been reversed to reveal the unique identifiers of that individual, be that anonymised credit card data or mobile phone numbers, even human tissue.
💡 An amazing artist, Heather Dewey-Hagborg, has identified an individual from a saliva sample. Bought off-the-shelf as an anonymous sample, she sent drops of saliva to a series of genome labs progressively getting closer to, and ultimately locating, the person behind the sample.💡
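As an added example (not code from the original post), the following Python checks a constructed sample of "anonymised" order records for exactly the indirect identification risk described above: how many records are unique on post code, date of birth and sex, and what the smallest indistinguishable group (k) is, before and after those quasi-identifiers are coarsened. The record fields and values are constructed for illustration.

```python
from collections import Counter

# Constructed sample of "anonymised" customer records: names and emails have
# been removed, but full post code, date of birth and sex are still retained.
RECORDS = [
    {"postcode": "SW1A 1AA", "dob": "1984-03-02", "sex": "F", "basket": 42.10},
    {"postcode": "SW1A 2BB", "dob": "1984-09-15", "sex": "F", "basket": 17.50},
    {"postcode": "SW1A 1AA", "dob": "1984-03-02", "sex": "M", "basket": 99.00},
    {"postcode": "SW1A 2BB", "dob": "1984-11-30", "sex": "M", "basket": 12.99},
    {"postcode": "EC2R 8AH", "dob": "1977-07-14", "sex": "M", "basket": 65.00},
    {"postcode": "EC2R 8AH", "dob": "1977-07-14", "sex": "M", "basket": 8.20},
]

# The three quasi-identifiers from the study cited above.
QUASI_IDS = ("postcode", "dob", "sex")


def group_sizes(records, quasi_ids):
    """Count how many records share each combination of quasi-identifier values."""
    return Counter(tuple(r[k] for k in quasi_ids) for r in records)


def uniqueness(records, quasi_ids):
    """Fraction of records whose quasi-identifier combination is unique in the set.

    A unique combination means one external lookup (electoral roll, a social
    profile) pins that row to a single person, so the data is not anonymous."""
    sizes = group_sizes(records, quasi_ids)
    unique = sum(1 for r in records if sizes[tuple(r[k] for k in quasi_ids)] == 1)
    return unique / len(records)


def k_anonymity(records, quasi_ids):
    """Smallest group size: every record is indistinguishable from at least k-1 others."""
    return min(group_sizes(records, quasi_ids).values())


def generalise(record):
    """Coarsen the quasi-identifiers: outward post code only, birth year only."""
    return {**record, "postcode": record["postcode"].split()[0], "dob": record["dob"][:4]}


if __name__ == "__main__":
    coarse = [generalise(r) for r in RECORDS]
    print("raw:    unique=%.2f k=%d" % (uniqueness(RECORDS, QUASI_IDS), k_anonymity(RECORDS, QUASI_IDS)))
    print("coarse: unique=%.2f k=%d" % (uniqueness(coarse, QUASI_IDS), k_anonymity(coarse, QUASI_IDS)))
```

Coarsening reduces uniqueness but does not make the data safe on its own; the basket values and any other retained columns can still single a row out once an attacker has one more fact about the person.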
5) Understanding the management of data
Once you have categorised your data, the business should start asking some fairly big questions about their holding of data, such as:
- “What is the purpose of holding the data on the customer?”
If it is simply to fulfil an order, then once fulfilled (and perhaps once the returns/guarantee period has expired) that would be the point at which the data should be purged (other than the invoice, which would be retained to account to HMRC). It may be that the customer has opted in to receive additional information - new lines or sale items, for instance - in which case the data can be held for longer.
- “Is the data we hold accurate, complete and up-to-date?”
The opportunity for a customer to correct the data they have input should already be provided. From an ecommerce perspective, this can be achieved by requiring the customer to check the information they have input before pressing the order button. Alternatively, if the customer has opened an account, then they should have the opportunity to log in at any time to update their information.
- “Are we holding sufficient (and no more) data necessary for the purpose that we have identified?”
Clearly, an ecommerce retailer has to have some core information. The issue is whether additional information is really required - i.e. nice to haves rather than must haves.
- “How long shall we hold the data?” and “When does the data become redundant to the purpose we have identified?”
Holding old data creates an inherent risk of a small data breach becoming a substantial breach. Retailers have to decide upon a cut-off date after which data will be deleted. That might be when a customer has not returned to purchase for, say, 12, 18 or 24 months. It will be for each retailer to decide what that period should be (based on the buying patterns of their customers).
- “Is the data secure?”
Here consideration has to be given to who can access customer data (differing levels of access rights), how data is stored (locally or in the cloud), how often passwords are changed, the strength of such passwords, whether the data is encrypted, etc.
- “Have we explained clearly how we process the data in a transparent manner?”
Customers cannot give informed consent if they are not given clear details as to how their data is to be processed. What the retailer should be aiming to achieve are privacy statements/cookie statements that are easy for their target clientele to understand. A retailer wants to achieve a strong level of trust with its customer: almost, “If you give us your information, we will protect it and process it as we have described, and if we use someone else to process our data, we will make sure that they do the same.”
- “Can we demonstrate how we process data in a lawful and fair way?”
Here you have to think about the way you interact with the customer, more of which I consider under the next heading.
6) Consent is not necessarily the magic bullet
Retailers often wonder whether all they need to do is get consent to process the individual’s data and they will be fine. To a point that is correct. Personally, I think that consent should be used as a last resort unless another law requires consent to be given.
Let’s look at unsolicited direct marketing emails.
You cannot lawfully issue email marketing unless the recipient has given consent. That consent (most likely arising from a soft opt-in - which you can read about here) has nothing to do with GDPR. Consent is already required by virtue of the ePrivacy Directive. Given that you need consent for ePrivacy, you are likely to rely on consent under GDPR. That said, once GDPR (and the new ePrivacy Regulation) comes into effect next year, consent will have to be more freely and actively given.
That’s a good example of consent being required, but here is an example of where consent can go wrong. You take an order in which your terms say that, in entering into the purchase, the buyer has to give consent to marketing. GDPR says that such an approach is not lawful, and so all processing is unlawful, including, in my opinion, processing the individual’s data for the purpose of fulfilment of the order.
If your T&Cs have such terms then you will need to separate the marketing consent from your T&Cs, instead rely on the fact that processing is necessary for the performance of the contract, and have separate opt-in provisions for marketing that fully explain the type of marketing you intend to do.
A trickier (and the last) basis is that the purpose is necessary for the ‘legitimate interests’ pursued by the controller or a third party, unless overridden by the fundamental rights of the data subject (such as, for instance, where the individual is a child). Many businesses already rely on this ground under the current legislation and will continue to do so. It requires detailed analysis, and if the business finds at the end of that process that there is no legitimate interest, then, of course, the business could not process the data, irrespective of whether or not the individual has competing interests.
So, let’s go back to running an ecommerce business. In brief:
- Processing the order and returns is covered by the terms of contract.
- Profiling, in itself, does not require consent.
- Wholly automated decision making (e.g. credit scoring) requires consent.
- Email marketing requires consent, as it currently does under the ePrivacy Directive.
- GDPR acknowledges that postal marketing offering special offers to customers is a legitimate interest of a business.
What the retailer must do is explain how data is going to be processed. Retailers should already have clear privacy policies, but these should be reviewed. There are many businesses out there that are coy about how they process data. Some of that is down to copying privacy statements from other websites and thinking that will do (after all, who reads this stuff?!). For others, the writer of the statement did not understand the flow of data across the business’ platform, sub-processing, back-ups and possible transborder migration of data. And of course, privacy policies extend to employees and prospective talent, use of CCTV, etc.
In short, GDPR expects businesses to be very clear, using appropriate language for the target audience. There is no reason why businesses cannot do some funky stuff with video or animation to explain their data use.
Before you stop reading…
I have only touched on where I would focus immediately. The more complex the business, the greater the task will be to conform to GDPR. It needs some systematic thinking on the part of business and that in my mind is no bad thing.
There is much to do and think about when implementing GDPR: making a start is key to success. As one expert at a recent Data Privacy conference I attended in Brussels said, “GDPR is the most complex regulation issued by the EU”. It is certainly complex, but, with some application, retailers can ready themselves for the changes in May 2018.
Julian is General Counsel at Ometria. Keep an eye out for more blog posts and downloads from him in the lead up to May 2018 and beyond.