Space48 Logo
August 18, 2017

GDPR in ecommerce: opportunity or pain in the £$$?

Conversion rates, UX and revenue are all metrics that savvy ecommerce retailers hold dear. They’re also elements many ecommerce businesses are worried about being significantly impacted by the roll out of the General Data Protection Regulation (GDPR).

Space 48 Ecommerce Strategist Stephen Elldred, who has over 15 years’ experience in website development and ecommerce strategy, debunks a few myths and fears around GDPR, and discusses how ecommerce businesses should embrace GDPR as an opportunity to improve customer service (CX):

Debunking some GDPR fears

Like any big legislative change, these are valid fears and although the law has been in existence since early 2016, the compliance date for organisations is set for May 2018. Mainstream awareness of the impact of GDPR has built up a head of steam and fueled industry panic.

So what are the common questions and opinions currently circulating? Is GDPR a looming spectre? Is it a pain in the £$$? Or is it actually an opportunity to improve customer experience? Let’s start with a quick overview…

Data protection has been a hot potato for a while now. GDPR is an EU regulation to unify data protection rules – superseding the Data Protection Act (DPA) – to remove grey areas and provide more transparency for merchants and consumers alike. It affects ecommerce businesses because of personal data held by merchants (or third-parties) due to the usage (and misuse) of this data.

Key factors leading to the creation of GDPR:

  • Personal data falling into the wrong place
  • Misuse of data
  • Current low-level regulation
  • To give customers greater control over their personal data

GDPR requires personal data to be given consensually:

GDPR contains the following lawful processing conditions:

New rules for consent under the GDPR spell out the following requirements:

  • Consent must be freely given, specific, informed, and unambiguous.
  • There must be a positive opt-in – consent can’t be inferred from silence, i.e. default, pre-ticked boxes.
  • Consent must be displayed separately from other Ts&Cs.
  • There must be easy routes to withdraw consent.
  • Consent should be verifiable.

For more on personal data definitions, lawful processing, and consent, see ICO guidelines.

What are my responsibilities?

This is the big question worrying merchants and marketers, as the GDPR implementation date looms. In a nutshell, GDPR responsibilities amount to transparency and continuity. Here are some key considerations:

  • What data do you hold?
  • Where was data that collected?
  • When was the data collected/updated?
  • Who is/could the data be shared with?
  • What will the data be used for?
  • What steps did the consumer take to opt-in?
  • Was the consumer clearly made aware of opt-out opportunities?

All members of your business in control of activities relating to personal data need to think about these questions, and start putting a plan in place to align yourself with new rules.

At only 11 pages long and very clearly presented, ICO’s 12-steps to preparing for GDPR is a great place to start: Preparing for GDPR 12 Steps PDF

This smells like the Cookie Law fiasco. Surely this will change?

[Sniff] In some ways it does, but it’s unlikely to have the same amount of movement and change. Making assumptions is not a good place to start, especially considering the level of fines outlined by the ICO.

Fines can amount to €20m or 4% of global turnover (whichever is highest).

Why are some large retailers holding out until the 11th hour then? Most retailers are taking a protective approach around their status quo, only looking to cause inevitable customer experience friction when they and their competitors are forced to do so simultaneously.

As this is an EU directive, will Brexit make it go away?

In short, no. GDPR affects any website trading with EU citizens, even if the trading company and website exist outside of the EU. “#FakeNews” we hear some of you cry! GDPR is a hot topic and as with most regulatory and compliance changes, it comes with plenty of misunderstanding, misinformation, conflicting advice, and scaremongering. It’s even got its own hashtag, #GDPRubbish.

The best way to tackle GDPR is to assess your current data collection and usage. Once you understand your current position, start looking at the solutions available. Use the ICO guidelines, get the right information from source, and assess how it affects you directly.

Do I need to double opt-in all of my existing data?

Yes and no. This depends on how your data was collected. Databases collect data in differing ways from different sources. Data against your orders will have been taken via your ecommerce platform. Data within your ESP may have been collected via opt-in forms – or even purchased via a third party. Each journey your data has taken will be impacted differently by GDPR.

Assess these separately and establish the gap between its current state and full compliance to the GDPR.

Rules for B2B ecommerce stores differ slightly, get more information here: GDPR Legislation Means B2B Marketing

When should I look to become compliant?

A study from the Direct Marketing Association (DMA) in 2016 showed that just 68% of UK businesses believe they will be compliant in time for the deadline, while the Director of Information Governance at the Royal Mail Group recently pointed out that research from Compuware showed 77% of retailers don’t yet have a plan for GDPR.

Although May 2018 is the deadline, you need to start acting now. Not sure where to start? Here are some key questions to consider when beginning your GDPR compliance plan:

  • What is your current state of play (Readiness Assessment)?
  • Who will you require to be stakeholders in the changes?
  • What changes are required (systems and processes)?
  • When should these changes be applied?
  • How will you assess/monitor the impact of the changes?

In ecommerce, many retailers are holding off deployment of GDPR compliance and processes. Econsultancy recently published some good and bad examples of user opt-in and data privacy notices, highlighting the transparency required around data usage.

What’s the opportunity?

What are the upsides of GDPR? Transparency breeds customer trust and consumer confidence. Clearer processes around data capture and data usage can create a better customer experience.

The opportunity is to influence the level of trust your customers have in your brand. Be better at compliance and transparency than your competitors. Make clear how ongoing customer relationships will allow you to create more personalised brand experiences and tailored customer journeys.

In any strategic conversations that we have with our clients around change, we always look for positive opportunities. The ecommerce landscape has a fast-moving rate of innovation, in both technology and digital marketing strategies, so you should view GDPR as just another change and opportunity.

Jack Welch, former CEO of General Electric said, “If the rate of change on the outside (of your organisation) exceeds the rate of change on the inside, then the end is near.”

Summary: GDPR doesn’t have to be a pain in the £$$.

Take control of the change inside of your organisation. Be prepared and assess your existing data gathering and data usage processes, matching them against ICO guidelines. Start planning for GDPR compliance with the mindset of seeking to improve customer experience.

Do you need help coordinating your GDPR compliance project? We’ve created a handy Checklist for GDPR Compliance in Ecommerce to help retailers keep on top of the tasks ahead of the May deadline. Download the checklist now and get your brand fully prepped for compliance!

Space 48 is an ecommerce consultancy, specialising in Magento website development and ecommerce strategy. If you have a burning question around GDPR or need any advice, get in touch with our experts.