
Your company may already have invested substantially in systems and training for compliance with the General Data Protection Regulation (GDPR), the European Union’s key data protection law (in effect since May)… or compliance may still be on your organization’s to-do list. While the GDPR is certainly being discussed with great fervor within IT security circles in 2018, compliance is far from ubiquitous. A report released in June found that 38% of companies operating worldwide believed they were not compliant with the law (and that number is surely higher once those who are unknowingly noncompliant are included).

Who has to follow the GDPR?

Just about every company must be concerned with the GDPR if it wants to limit its liability. If you are an ecommerce company, to be clear, you have to follow the GDPR whether you accept orders from European residents or not, as indicated by Internet attorney John Di Giacomo. The GDPR applies to all organizations that monitor the behavior of, or gather data from, EU citizens. An example of something that would need to adhere to the GDPR is a mailing list that European users can sign up for. It also applies if you are using beacons or tokens on your site to monitor the activity of European users – whether your company has a location in an EU state or not.

The following are core steps in guiding your organization toward compliance.

#1 – Rework your internal policies.

You want to move toward compliance even if you are not quite there yet. Pay attention to your policies for information gathering, storage, and usage. You want to make sure they are all aligned with the GDPR – paying special attention to use.

Write up records related to all your provider relationships. For instance, if you transmit your email information to a marketing platform, you want to be certain data is safeguarded in that setting.

It is also worth noting that smaller organizations will likely not have to worry as much about this law as the big corporations will, per Di Giacomo. While the European Union regulators have already set their sights on mega-enterprises such as Amazon and Facebook, “a $500,000 business is probably not the chief target,” said Di Giacomo.

#2 – Update your privacy policy.

Since the issue of data privacy is so fundamental to the GDPR, one element of your legal stance that must be revised in response to it is your privacy policy. The GDPR specifically mandates that its language be updated. Your privacy policy post-GDPR should include:

  • How long you will retain users’ data, along with how it will be used;
  • The process through which a person can get a complete report of all the information you have on them, and can choose to have it deleted if they want (known as the “right to be forgotten” within GDPR compliance);
  • The process through which you will let users know if a breach occurs, in alignment with the GDPR’s requirement to notify anyone whose records are compromised within 72 hours; and
  • A description of your organization and a list of any other parties that will be able to access the data – any affiliates, for instance.

#3 – Assign a data protection officer.

The GDPR is a challenging set of rules to incorporate, particularly if you handle large volumes of sensitive personal data. You may need to appoint a data protection officer to manage the rules and requirements. The officer would both ensure the organization’s compliance and coordinate with any supervising bodies as applicable.

In order for companies to stay on the right side of the GDPR, 75,000 new data protection officer positions will have to be created, per the International Association of Privacy Professionals (IAPP).

#4 – Assess traffic sources to ensure compliance.

In European Union member states, there has been a steep drop in spending on programmatic ads. The volume of ads being purchased has dropped in large part because there are not very many GDPR-compliant ad platforms (as of June 2018), per Jia Wertz. Citing Susan Akbarpour, Wertz noted that the dearth of GDPR-compliant advertising management systems would continue to be an issue into the future because of a slow transition among ad networks, affiliate networks, and programmatic ad platform vendors away from the use of cost per thousand (CPM), click-through rate (CTR), and similar metrics that depend on cookies.

Leading up to the GDPR, ecommerce companies have been able to store cookies within consumers’ browsers freely. The GDPR requires that all details related to the use of cookies be fully disclosed to online shoppers. With those notices now necessary, the CPM and CPC rates are negatively impacted. Basically, the GDPR has made these numbers an unreliable way to measure success.

#5 – Shift toward creative ads.

Since programmatic ads have been challenged by the GDPR, it is important to redesign your strategy and shift more of your focus to creative advertising. You can use influencer marketing to build your recognition, bolstering those efforts with public relations.

Any programmatic spending should be carefully considered, per Digital Trends senior manager of programmatic and yield operations Andrew Beehler.

#6 – Rethink opt-in.

No matter what your purposes are for the information you’re collecting, you have to follow compliance guidelines from the moment of the opt-in forward. Concern yourself both with transparency and with consent. In terms of transparency, you must let users know why you are gathering all the pieces of data and how they will be used. You want to minimize what you collect so your explanation is shorter. Do not collect key information such as addresses and phone numbers unless you really need it.

As for consent, you now must obtain that agreement very directly – the notion of explicit consent. If an EU citizen buys from your site, you cannot email them discounts or an ebook unless you have that explicit consent. That means you cannot pre-check checkboxes and consider that a valid opt-in.

Additionally, you want your Terms of Service and Privacy Policy to be linked, with checkboxes for people to mark that they’ve read them.

#7 – Use double opt-in in some scenarios.

You do not need double opt-in by default to meet the GDPR. However, you do need to make sure that your consent language is clearly legible and understandable, so that the people using your services can understand how their data will be used.

An example would be if the person is signing up for a newsletter. The agreement should state that the user agrees to sign up for the list and that their email will be retained for that reason.

The consent should also link to the GDPR data rights. One right that is important to mention is that they can get a notice describing data usage, along with a copy of their specific data that is being stored.
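The opt-in rules from #6 and #7 (no pre-checked boxes, purpose-specific explicit consent, linked Terms and Privacy Policy acknowledgements, and withdrawal that is as easy as opting in) applied to server-side handling of a signup form, as an added example that is not code from the original post; the form field names, the purposes, and the policy-version string are assumptions.

```python
# Added example: explicit opt-in handling (field names and purposes assumed).
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Each purpose has its own checkbox, rendered unchecked; the wording shown
# beside it is stored with the record as proof of what was agreed to.
PURPOSE_STATEMENTS = {
    "newsletter": "I agree to join the newsletter list; my email will be "
                  "retained for that purpose until I unsubscribe.",
    "discount_offers": "I agree to receive discount offers by email.",
}
REQUIRED_ACKS = ("accepted_terms", "accepted_privacy_policy")

@dataclass
class ConsentRecord:
    email: str
    purposes: frozenset          # purposes the user explicitly ticked
    statements: dict             # wording shown for each ticked purpose
    policy_version: str          # privacy policy version in force at signup
    recorded_at: str
    withdrawn: set = field(default_factory=set)

def record_consent(form: dict, policy_version: str) -> ConsentRecord:
    """Build a consent record from submitted form fields. A purpose counts
    as consented only if the form carries an explicit "on" for it; a missing
    key (box left unchecked) is not consent and nothing is pre-filled for
    the user, so a plain purchase yields no marketing purposes at all."""
    missing = [k for k in REQUIRED_ACKS if form.get(k) != "on"]
    if missing:
        raise ValueError(f"acknowledgement not given: {missing}")
    if not form.get("email"):
        raise ValueError("email is required")
    ticked = frozenset(p for p in PURPOSE_STATEMENTS if form.get(p) == "on")
    return ConsentRecord(
        email=form["email"],
        purposes=ticked,
        statements={p: PURPOSE_STATEMENTS[p] for p in ticked},
        policy_version=policy_version,
        recorded_at=datetime.now(timezone.utc).isoformat(),
    )

def may_send(record: ConsentRecord, purpose: str) -> bool:
    """Send for a purpose only if it was opted into and not since withdrawn."""
    return purpose in record.purposes and purpose not in record.withdrawn

def withdraw(record: ConsentRecord, purpose: str) -> None:
    """Withdrawing must be as easy as opting in; the record keeps the trail."""
    record.withdrawn.add(purpose)
```

A purchase form whose marketing boxes were left unticked produces a record with no purposes, so `may_send` refuses the discount email until the shopper opts in.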

#8 – Consider adding a blockchain layer.

Blockchain is being introduced within advertising to provide a decentralized layer, making it possible for ecommerce companies to more seamlessly incentivize anyone who promotes them and to reward users for verification, all within a single ecosystem.

Blockchain is still being evaluated in terms of how it can improve retail operations, security, and accountability. Blockchain will improve on what is available through programmatic advertising by providing more transparent information. “Blockchain is here to disrupt antiquated attribution models, remove bad actors and middlemen as well as excess fees,” noted Akbarpour.

#9 – Use ecommerce providers that care about security and compliance.

Do you want to build your ecommerce solutions in line with the General Data Protection Regulation? The first step is to work with a provider with the expertise to design and manage a compliant system. At Total Server Solutions, we’re your best choice for comprehensive ecommerce solutions, software, hosting, and service. See our options.