E-Commerce websites are constantly under scrutiny for a myriad of reasons. Whether it be from consumers or regulatory committees, these websites need to play defense 24/7 to ensure their networks remain compromise-free from the threat of hackers. This is one of the main reasons why the General Data Protection Regulation (GDPR) was adopted in Europe in 2006.
Although GDPR may be somewhat of a regulatory headache for e-commerce websites, it is also important for keeping consumer data secure. With an estimated average of 4,800 e-commerce websites every month becoming compromised by hackers inserting malicious code into their website to steal payment information such as credit card numbers, names, and more – there is no denying that a strong defense is the perfect solution.
This is why having a GDPR compliance checklist for e-commerce companies is incredibly advantageous in helping overcome these malicious network intruders. Let’s walk you through our GDPR e-commerce checklist that helps online retailers understand the importance of GDPR and what rules and regulations they should familiarize themselves and their IT teams with.
What is GDPR?
General Data Protection Regulation (GDPR for short) was adopted by the European Union (EU) in April 2016 and took effect in May of 2018. GDPR creates rules for how all European residents’ data must be managed by businesses operating in that region. Overall, GDPR impacts how businesses handle data that pertains to everything from medical history to financial records to internet activity.
GDPR has been a momentous undertaking that has reshaped what E-Commerce is and how it is Europe, influencing how you engage with your customers, the tools you use, and how you use them. Even though the term “e-commerce” is only discussed once in the entire full text of GDPR, that doesn’t mean that e-commerce websites are immune to it.
Regardless of where the physical company is based, GDPR applies to all companies that offer products or services to consumers in Europe. That means even if 100% of your storefronts or your corporate headquarters are not in the EU, but your e-commerce website caters to EU customers, then your website needs to abide by GDPR.
As a reminder, GDPR doesn’t just pertain to the European customers that actually purchase products from your e-commerce website. It also covers any interaction that they have on your website that pertains to their personal data.
Why Do We Need GDPR?
GDPR sets out to outline the laws that govern the rights of individuals and configures a list of obligations in the form of regulations that businesses are subjected to. These regulations are a very high standard for any company to meet. If your e-commerce website is under the gaze of GDPR, you’re most likely going to need to invest large sums of money to ensure your compliance or face the music when it comes to paying hefty fines.
GDPR legislation is designed to harmonize data privacy laws across Europe and give individuals greater protection and rights to how their data is used by businesses. As data continues to separate itself from oil as the most valuable commodity on the planet, it is morally imperative that the use of data is regulated stringently to ensure a type of checks and balances is achieved.
GDPR E-commerce Website Checklist Overview
Speaking of checks and balances, it is best for e-commerce websites to practice incorporating specific plans, strategies, and personnel to ensure they remain compliant with GDPR. Here is a GDPR compliance checklist for e-commerce websites that can help them maintain avoid costly breaches, fines, and other residual effects in the future.
Data Breach Incident Response Plan
First on the checklist of importance for GDPR compliance is developing and implementing a sound Data Breach Incident Response Plan. If your company had an incident response plan in place before GDPR, you will most likely need to amend and update it to ensure full compliance with GDPR requirements. Not doing this could cost you more than just money; it could possibly be the downfall of your e-commerce business.
Now, e-commerce websites are no strangers to data breaches. eBay was hit with a data breach that left 145 million users compromised back in May 2014. Countless other e-commerce websites have been affected before and after around the world.
Juniper Research estimates that the cost of data breaches will increase to $2.1 trillion globally by the end of this year. With more businesses connecting their infrastructures via digital platforms, the average cost of a data breach will exceed $150 million by 2020. Currently, 64% of companies have said that they have experienced web-based attacks, which is not a stat that GDPR compliance regulators want to hear about.
Having an incident response plan and implementing it during a real-life data breach are two different things though (both that GDPR looks at very closely). To remain compliant, make sure to test your plans and make sure that your team is capable of reporting breaches within 72 hours (3 days). How well a company’s data response team is able to implement the incident response plan and minimize any damage that a data breach infects will affect how much a company is fined by GDPR.
Building a culture of GDPR awareness with a plan that can be easily implemented by all team members ranging from senior management to software developers is key. GDPR takes a collaborative team effort that is all for naught if even one person isn’t on board with the regulations. Be sure that every team member is prepped with the necessary GDPR knowledge that is up-to-date and pertinent to the goals and objectives of the organization.
Awareness doesn’t just pertain to your internal team; it also holds true for any third-party controllers or processors who are also held liable under GDPR in the event of regulatory concern. Therefore, if the company that handles your data is not compliant, then you’re both not compliant with GDPR and could face hefty fines. This is why it’s important to collaborate internally with your team and make sure you’re upfront with any vendors who handle your customer’s sensitive data to keep your e-commerce website from getting the short end of the stick when it comes to staying compliant.
Even though a majority of users never read privacy notices, GDPR still requires that they remain concise, transparent, and easy for your users to understand. This move to make privacy notices easier to digest marks a move towards GDPR giving granular consent to users, thereby empowering them to have greater control over their data.
Per GDPR, privacy notices should be designed in a way that is not the usual wall of text. Instead, GDPR prefers businesses to use a table with icons, thereby making the notice easier to read and agree to.
Make sure that you also be transparent as to which services are essential for platform functionality and which are used for analytics, advertising, and marketing purposes. GDPR makes this a regulation to ensure e-commerce websites practice responsible development while also giving users a means to opt-out of individual tracking at source if they wish to do so.
Data collection is the backbone of what GDPR was built on. If your e-commerce website doesn’t take the necessary time to address all pertinent GDPR regulations on the manner, then you’ll be taking the expressway to substantial fines.
Since GDPR gives individuals the right to request their data be corrected, provided to them, prohibited for specific uses, or removed entirely by companies, that means it is vital that these requests be handled promptly and appropriately by the e-commerce website. Compliance with this regulation calls for your organization to audit all of the data that it has been collecting and processing on a regular. These audits will likely uncover sources of data that your website doesn’t need to store or process, which will help make your customer experience more secure.
Make sure that your website’s audit includes any data that it receives and processes from third-party providers. Even if the data is only passing through in transit to another source, your website has the responsibility to know what it is and how you are safeguarding it.
An easy way of ensuring your customer’s data is protected is to add a checkbox for subscribers to give their consent about how they would prefer to be contacted by you (if they actually want to be contacted by you in the future). Give them additional protection and a guarantee of consent by choosing to turn on double opt-in, making sure that they understand clearly how you plan to use their data in your correspondence.
No matter which platform you use to accumulate data from your website, campaigns, etc., it is most likely not compliant with GDPR. Case in point, even Google was fined $57 million for their non-compliance with GDPR. This means before entrusting your e-commerce website’s GDPR compliance in the hands of another platform, you need to do your due diligence on whether your analytics solution is up to par with GDPR as it is.
The Effects of GDPR on E-Commerce Websites
Ever since GDPR was put into effect, e-commerce websites in Europe have recorded lower page views, site visits, and revenue numbers. Here are just a few key stats that e-commerce websites are feeling the full effect of currently:
- Revenue decreased by 8.3% Year over Year (YoY)
- Pageviews fell by 9.7% YoY
- Website visits decreased by 9.9% YoY
One of the possible reasons that European e-commerce websites have seen such incredible declines in traffic and revenue is because GDPR increased the risk that comes with email and online display advertising. This means that e-commerce websites now have to pay a premium to only use compliant third-party marketing platforms that are GDPR complaints which can be costly. These added costs can eat into the personalized marketing channels that help to drive online traffic to a website; thereby decreasing website visibility and keeping visitors to a minimum.
With time though, website traffic may rebound for these e-commerce websites as users become more aware of how their information is used. But as researchers are finding out, GDPR may have temporarily changed user preferences for how much time users spend online and which sites they frequent. As a result of GDPR, programmatic ad buying has plummeted in Europe which can have a trickle-down effect on e-commerce websites around the world as well.
What Happens If You Fail To Comply With GDPR?
If your e-commerce website were to have a hiccup in compliance during your GDPR journey, expect to be hit with extensive fines due to your violations. Facebook was a part of an $8.8 billion collective lawsuit with Google in 2018 due to its violations in their opt-in/opt-out clauses. Even though Facebook made $55 billion in revenue in 2018, this is still a significant chunk of change that definitely affects their bottom line on their balance sheet.
No matter if you’re Amazon, eBay, or XYZ Inc., failing to adhere to the GDPR has steep penalties. You’re either stuck with paying millions of dollars, or 4% of global annual turnover (which can be in the billions of dollars as Facebook and Google are well aware of), whichever is higher.
All in all, GDPR compliance shouldn’t be something that your e-commerce website dreads. Instead, think of GDPR as a way to level the playing field while encouraging your website to be more transparent, customer-focused, and creative in the way that you go about your business. As long as your e-commerce website is able to follow the checklist that we have outlined in this article, you will have the tools you need to succeed in the foreseeable future. If you need any help with this, RSI Security can help you get started as a top-of-the-line GDPR certification provider.