What Magento users need to know about GDPR in ecommerce
It’s time to stop putting off your GDPR plans and start seriously thinking about ensuring your business is compliant in time for the looming 25th May deadline. Not sure where to start? Let us help you take the right approach to getting started with GDPR compliance for
Why is GDPR important?
The General Data Protection Regulation (GDPR) was first conceived in 2012, before being adopted by the European Parliament in 2016. This triggered a 2-year countdown for organisations to comply with the new regulations for how businesses can capture, store and use personal data.
For retailers and marketers, this significantly affects their existing
The EU has implemented the new regulations to give individuals more rights, control and transparency over how their personal details are obtained and used by companies.
How does it affect
Note: Anyone still thinking GDPR only applies to companies based in the EU, forget that thought! The reason the impact of GDPR is so wide-reaching is that any organisation collecting and processing personal data from individuals in the EU must be compliant with the new GDPR rules.
What are the new rights of the individual when GDPR is triggered?
The new regulations are designed to give individuals better control over the way companies capture and process their personal data, ensuring the needs and security of the user are effectively met, whilst clarifying the intentions of the brand.
GDPR makes a clear differentiation between "personal data" and "sensitive personal data". Personal data is categorised as any information identifying the individual, such as name, location and other online data identifiers. Sensitive personal data is more granular and specific, such as social, physiological and cultural identifiers – even mental health information.
Collection and use of this type of sensitive personal data are not condoned under GDPR, apart from in very special circumstances.
Find out more by heading to the ICO's GDPR "key definitions" page.
Here are the key criteria for data collection and processing consent to be aware of:
- The explicit consent of individuals
- The elimination of blanket consent, consent by default, and consent as a condition of sale, service, or general terms and conditions
- The ability for individuals to easily withdraw consent
The following list outlines the rights of individuals under new GDPR rules:
1) Right to be informed
2) Right of access
3) Right to rectification
4) Right to erasure
5) Right to restrict processing
6) Right to data portability
7) Right to object
8) Rights in relation to automated decision making and profiling.
For in-depth details on this, head over to the ICO's page on GDPR individual rights.
Key considerations for assessing existing data capture, retention and processing
When preparing for GDPR compliance, the first thing you need to do is assess your existing data and the sources from which the data was captured. Once you’ve pinpointed these sources, you’ll need to evaluate the processes for capturing personal data via these different routes and channels.
Here are some questions to ask yourself when evaluating your current processes for data collection and processing:
- How was the data captured?
- What measures are currently in place to ensure the data is stored and used correctly?
- What control do individuals have over how their data is used and what messages they receive from your brand and/or third parties?
- How clear are your terms for data usage, and what opportunities are given to users to control or opt out of marketing content and brand communications?
The answers to these questions will make your job easier and clearer when planning your approach to GDPR compliance.
What new processes should I implement to ensure my brand is compliant?
Having asked yourself these questions about how your retail business currently deals with user data, your evaluation should be held up to the mirror of GDPR’s new stipulations for the
Where a current process doesn’t reflect the new GDPR rules, you need to mark this as a place to make a change. Once these have all been outlined, you need to work out how they can be resolved and then decide on the most efficient approach to making them compliant.
Here are some key considerations for GDPR compliance in
- Ensure your existing users are made aware of how their personal data is currently being used by your brand and any third-parties.
- On any future communications, be transparent in your messaging and make clear your intentions for the usage of personal data.
- Whenever and wherever you capture user/customer data, give individuals clear information on why you are asking for their personal information and how it will be used.
- Any forms should give obvious opt-out options and no pre-selected boxes for terms or marketing opt-in.
- From the outset, when capturing data or sending marketing content/company information to users, give individuals control over what they receive in the future.
- Ensure consumers only receive messages they’ve subscribed for/opted into and give them control and options to change their preferences and tailor the type of marketing content and information they receive.
Relevance is key when looking to improve your marketing content for the future.
The ICO's 12-step plan for preparing for GDPR compliance is a good place to start, as it outlines some of the key areas to categorise for ensuring you've covered all bases when preparing for GDPR compliance. Check it out: 12 steps to preparing for GDPR
Delve into the ICO's in-depth GDPR regulations once you feel you're ready to start making changes to your processes and communications.
How do I ensure marketing consent on sign-up forms is GDPR compliant?
It's crucial that retailers get clear consent from individuals to use their data for marketing purposes, such as email campaigns, phone-call follow-ups and direct marketing. GDPR outlines the following information that must be clearly displayed to users:
- How personal information will be used and what it will be used for in the future
- Who will be marketing to them, both the company and any third-party organisations that may be involved in processing the
- How and when users can opt-out of marketing and communications from your brand
GDPR stipulates that this should not be bundled together or mixed in with other terms and conditions. Blanket consent will not be condoned.
It's all about clarity. Individuals' data should be used only for the reasons stated, and if the purpose of the marketing changes, the consumer should be informed of this and allowed to confirm consent or opt out accordingly. This may require re-permission emails being sent out to individuals from your database. See this example from Litmus below:
GDPR best practice brand examples for data capture and marketing consent
If you want to see what this should look like, we've added a couple of brand examples of GDPR best practice, highlighting the ways they are compliant and also ways in which they could be improved. Take a look below.
Example 1 - Sainsbury's:
This registration form from Sainsbury's demonstrates good practice because:
- It clearly differentiates the terms and conditions from the contact permission consent details
- There are bold warnings about what individuals are about to consent to
- The information states what consent will include, in terms of marketing and via which channels the individual should expect to receive communications
- Consent must be given explicitly via tick-boxes in order to register
Example 2 - Waitrose:
This consent form from Waitrose demonstrates GDPR compliance in the following ways:
- There is a clear explanation of the intent of the brand for the use of consumer details
- There is an assurance that data will be treated with respect, with Waitrose's "Contact Promise"
- It makes clear that Waitrose and associated companies (John Lewis & John Lewis Financial Services) can contact the individuals with marketing communications, whilst enabling users to opt-out of any or all three.
Again there are ways this could be improved, as users are required to click on each tick box where they don't want to receive marketing messages!
Recommendations for Magento GDPR compliance
At the time of writing, GDPR compliance in
Therefore, we recommend that retailers take a largely platform-agnostic approach to GDPR in
Watch this space in terms of Magento-specific guidance, as we expect Magento to outline key GDPR guidance and recommendations in the near future to help merchants get it right. But try to get ahead and do your evaluation and process assessment now!
Approach GDPR as an opportunity to improve processes and customer experience
Although GDPR will have a big impact on retail and marketing, it's not all doom and gloom! In fact, the new data regulations should be approached as an opportunity for brands to up their game, shun existing bad practices and improve customer experience.
The transparency encouraged by GDPR should help to build customer trust and consumer confidence. Clearer processes around data capture and data usage can create
It should also help to cleanse databases, give individuals better control over the content they receive, whilst retail brands and
Learn more about this approach to GDPR in our blog: GDPR in
We hope this has given you a clearer view of what’s required of your business when preparing for GDPR compliance in
Need help coordinating your GDPR compliance project? Our free Checklist for GDPR Compliance in Ecommerce will come in handy. Download the checklist now and get fully prepped!
If you’d like to chat with our