Is your (Magento) e-commerce website GDPR ready?
Uber was recently caught covering up a data breach that exposed the details of 57 million customers and drivers. These reports are a timely reminder of the importance of the impending General Data Protection Regulation (GDPR).
Had the regulation been in force at the time, Uber would have faced a fine of 4% of its global annual revenue, or €20m (£17.75m).
Large corporations like this typically have entire teams dedicated to ensuring they are compliant. SMEs with limited resources, which do not have the luxury of affordable advice or technology at their disposal, are at the highest risk.
The most significant concern for SMEs is that, although their fines are scaled down from the maximum penalties, the stakes are much higher for them. Many SMEs with an annual turnover below €10 million could run the risk of going bankrupt if faced with a fine of two percent of their worldwide turnover.
It is imperative that SMEs become GDPR compliant and embrace the new data protection legislation. Below are five critical steps to ensure your e-commerce website is GDPR compliant.
Step 1 – Map your data
A simple data audit will deliver much-needed clarity and highlight the importance of understanding the data flow within your business. Taking a proactive rather than reactive approach to auditing all of your current processes will give you a head start over those who are still unsure of where to begin.
While reviewing your audit, carefully consider the following areas.
• Who can access customer data?
• Create a data map.
• How is the data being collected?
• Which companies are you sharing data with?
• Where is the data stored?
You should immediately appoint one person within your company as Data Protection Officer. This role is crucial for scheduling meetings with all affected departments and mapping the data, and will be the first point of contact for the Information Commissioner’s Office (ICO), which is responsible for making sure businesses comply with GDPR.
Step 2 – Privacy
Step 3 – Consent
When GDPR arrives on 25th May, consumers must be given an opt-in box to tick rather than a pre-ticked box they have to untick to opt out of any future marketing campaigns. This relatively simple change means you should book in some time with your web developers sooner rather than later to avoid inviting unnecessary risk to your company.
After years of capturing as much data as they can, businesses must now be able to prove exactly how this information will be used. For example, collecting a customer’s full date of birth (day, month and year) will be questioned if the marketing department is only using the year for market profiling.
Step 4 – Prepare for an ICO audit
Within the UK, the ICO is responsible for auditing businesses to ensure they are GDPR compliant. At any time, it can request to see your GDPR compliance files, so it is critical that every detail from the steps above is documented.
Step 5 – What’s next?
Drop us an email at firstname.lastname@example.org if you would like to discuss this further.