How to make sure your e-commerce business is prepared for GDPR
The deadline to be compliant with the new General Data Protection Regulation (GDPR) is fast approaching, but many businesses have still not fully prepared for GDPR and the changes it requires in how firms collect and use personal data. Despite a two-year transition period to help businesses ease into the changes, and with just months left to go, a huge number of companies still haven’t assessed and implemented the necessary adjustments. According to law firm Blake Morgan, as many as nine in ten businesses have yet to make the crucial updates they need in order to be considered GDPR compliant.
GDPR comes with tough sanctions, so failing to make the changes before the deadline could be costly to your business. Firstly, it can damage your reputation, signalling to consumers that you’re not handling their data with care. In many cases a breach will result in a written warning, but for repeated or serious breaches a fine of up to €20 million or 4% of annual worldwide turnover, whichever is higher, can be issued.
With your company’s operations on the line, taking steps to ensure you’re ready for GDPR is essential. Here are a few key ones we strongly urge you to consider:
7 steps your business needs to take to be prepared for GDPR
- Review your current processes – Your first step should be to review your current processes around data, allowing you to identify exactly where changes need to be made.
- Update your policies – Following your review, you’ll need to update your policies and set out exactly what your new processes are to your customers.
- Cleanse your existing databases – GDPR applies to legacy data too. To comply, you should go through your current databases and decide which contacts you can legitimately keep and which ones you need to ask for permission before you continue marketing to them. For any contact you obtained other than through a clearly worded newsletter signup form on your website (for example via a competition entry), you need to know exactly what they signed up to (the sign-up wording) and when. If there was ever any ambiguity about how you would contact these people in future, you would be wise to seek permission again before marketing to them. Consent needs to be clear and specific: a line such as "by signing up you agree to us marketing to you" is neither specific nor clear. And because GDPR applies to data you already hold, it is not enough to start adhering to its principles from now on. Your entire database needs to be bullet-proof.
- Improve your IT security policy – Handling and responding to security breaches is an important part of GDPR, including the requirement to notify the supervisory authority of a reportable breach within 72 hours. If you haven’t already got a robust IT security policy in place, now is the time to implement one. This is vital whatever type of business you are.
- Implement a right to be forgotten process – For many businesses the right to erasure (the "right to be forgotten") means they’ll need to edit their website and communications. You should make it clear that individuals have this option, provide a clear path for requesting it, and have a process that actually removes the data from every system (and every processor) that holds it.
- Assess your partners – If you work with other businesses on data, such as purchasing contact lists, you’re obliged to conduct due diligence to ensure they meet GDPR. Ask your Data Processor partners to provide you with their own IT Security Policy and Data Processing Agreement, to ensure you're comfortable they're taking the necessary and fair measures to support you as a Data Controller.
- Improve staff awareness – Having policies in place will have little impact if your employees don’t understand what the changes mean for them and their job role. You should be taking steps to ensure your whole team understands how they will be affected by the May 2018 deadline. Over 90% of data security breaches stem from some kind of negligence within a business: weak passwords that never get updated, shared logins, and having no process to revoke the access of former members of staff are all dangerously common.
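The "Cleanse your existing databases" step above is a decision procedure over every contact you hold: do you know where the record came from, what wording the person agreed to, and when? The script below is an added example of how an e-commerce team might triage a marketing list along those lines. It is not code from the original article and it is not legal guidance: the field names (`source`, `consent_text`, `consent_date`), the channel names and the keyword lists used to judge whether wording is "clear and specific" are all the editor's assumptions, and the sample contacts are constructed. It extends the text slightly by treating records with no recorded provenance as a separate case (suppress, rather than re-permission), since without a source and wording you cannot show what, if anything, was consented to.

```python
"""Triage a marketing database by the quality of recorded consent.

Added illustration for the GDPR database-cleanse step. Field names, channel
names and the keyword rules are assumptions made for this example, not rules
from the article or from any regulator.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Assumed: wording that a clearly worded marketing signup would mention.
SPECIFIC_TERMS = ("email", "newsletter", "marketing")
# Assumed: boilerplate phrases the article calls neither specific nor clear.
VAGUE_PHRASES = ("agree to us marketing to you", "we may contact you")

KEEP, RECONSENT, SUPPRESS = "KEEP", "RECONSENT", "SUPPRESS"


@dataclass
class Contact:
    email: str
    source: Optional[str]          # e.g. "newsletter_form", "competition", "purchased_list"
    consent_text: Optional[str]    # exact wording shown at signup, if it was recorded
    consent_date: Optional[date]   # when the person signed up, if known


def classify(c: Contact) -> str:
    """Return KEEP, RECONSENT or SUPPRESS for a single contact."""
    if c.source is None or c.consent_text is None or c.consent_date is None:
        # No provenance: consent cannot be demonstrated, so stop marketing
        # rather than guess. (Editor's assumption about how to handle this case.)
        return SUPPRESS

    text = c.consent_text.lower()

    # Vague blanket wording fails "clear and specific" even if it mentions marketing.
    if any(phrase in text for phrase in VAGUE_PHRASES):
        return RECONSENT

    # Only a clearly worded website signup that names the channel is kept as-is.
    if c.source == "newsletter_form" and any(term in text for term in SPECIFIC_TERMS):
        return KEEP

    # Competition entries, purchased lists and unspecific website wording:
    # ambiguity about future contact methods means permission must be sought again.
    return RECONSENT


def triage(contacts: List[Contact]) -> Dict[str, List[str]]:
    """Group contact e-mail addresses by the action the business should take."""
    buckets: Dict[str, List[str]] = {KEEP: [], RECONSENT: [], SUPPRESS: []}
    for c in contacts:
        buckets[classify(c)].append(c.email)
    return buckets


# Constructed sample records (not real customers).
SAMPLE_CONTACTS = [
    Contact("alice@example.com", "newsletter_form",
            "Send me the weekly email newsletter with offers", date(2017, 3, 1)),
    Contact("bob@example.com", "competition",
            "Enter the prize draw. By signing up you agree to us marketing to you.",
            date(2016, 11, 20)),
    Contact("carol@example.com", "purchased_list",
            "Opted in to receive offers from selected partners", date(2015, 6, 9)),
    Contact("dave@example.com", None, None, None),
    Contact("erin@example.com", "newsletter_form", "Join our list", date(2017, 8, 14)),
]


if __name__ == "__main__":
    for action, emails in triage(SAMPLE_CONTACTS).items():
        print(f"{action}: {', '.join(emails) or '-'}")
```

Run as a script it prints one line per action. In practice the RECONSENT bucket feeds a re-permission campaign (sent once, with the new wording and date recorded against the contact), and the SUPPRESS bucket should be excluded from all marketing immediately, not merely flagged.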