How Will GDPR Affect My (Magento) Business?

Is your (Magento) e-commerce website GDPR ready?

Uber was recently caught covering-up a data hack that exposed the details of 57 million customers and drivers. These reports offer a timely reminder around the importance of the impending General Data Protection Regulation (GDPR).

Had GDPR been in force at the time, Uber would have faced a fine of 4% of its global annual revenue, or €20m (£17.75m).

Many of these large corporations have entire teams dedicated to ensuring they are compliant. SMEs with limited resources, which do not have the luxury of affordable advice or technology at their disposal, are at the highest risk.

The most significant concern for SMEs is that although the fines are a scaled-down version of the maximum penalties, the stakes are much higher. Many SMEs with an annual turnover below €10 million could run the risk of going bankrupt if faced with a fine of two percent of their worldwide turnover.

It is imperative that SMEs become GDPR compliant and embrace the new data protection legislation. Below are five critical steps to ensure your e-commerce website is GDPR compliant.

Step 1 – Map your data

A simple data audit will deliver much-needed clarity and highlight the importance of understanding the data flow within your business. Taking a proactive rather than reactive approach to auditing all of your current processes will give you a head start over those that are stumbling and still unsure of where to begin.

While reviewing your audit, you should carefully consider the following areas.

• Who can access customer data?
• Create a data map.
• How is the data being collected?
• Which companies are you sharing data with?
• Where is the data stored?

You should immediately appoint one person within your company to be the Data Protection Officer. This role is crucial for scheduling meetings with all affected departments and mapping the data, and will be the first point of contact for the Information Commissioner’s Office (ICO), which is responsible for making sure businesses comply with GDPR.

Step 2 – Privacy

By explaining to your customers exactly what data is collected, where it is stored and how it is used, you are bringing transparency into the relationship. Ensure the privacy policy on your website is updated to explain how customers should get in contact to request that their data be deleted.

Step 3 – Consent

When GDPR arrives on 25th May, consumers must be given an opt-in box to tick, rather than a pre-ticked box they have to untick to opt out of any future marketing campaigns. This relatively simple change means that you should book in some time with your web developers sooner rather than later to avoid inviting any unnecessary risk to your company.

After years of capturing as much data as they can, businesses must now be able to prove exactly how this information will be used. For example, obtaining a customer’s day, month and year of birth will be questioned if the marketing department is only using the year for market profiling.

Step 4 – Prepare for an ICO audit

Within the UK, the ICO is responsible for auditing businesses to ensure they are GDPR compliant. At any time, they can request to see your GDPR compliance files, so it’s critical that all the details from the steps above are documented.

Step 5 – What’s next?

Once your data is correctly mapped, the privacy policy updated, your consent procedure documented and your GDPR file complete, there is still no room for complacency. The crucial element of any new legislation is ensuring that all staff who come into contact with customer data are adequately trained for GDPR.

Drop us an email if you would like to discuss more.
