Although the GDPR has been in force since 2018, many SMEs remain unsure of their responsibilities and duties under the regulations.
eCommerce businesses have a statutory duty to comply with data protection and privacy laws, including the UK General Data Protection Regulation (UK GDPR).
To help streamline your UK GDPR compliance processes and procedures, we have produced this straightforward guide for eCommerce businesses.
GDPR compliance for eCommerce
The ultimate goal when complying with the UK GDPR is to create a culture of data protection and privacy compliance within your organisation.
It is a mistake to think of UK GDPR compliance as a box-ticking exercise; the likely results of doing so are a data breach and a potential fine from the ICO.
As you may know, GDPR is a set of provisions designed to ensure public, private, and third sector organisations protect people’s personal data from events such as data breaches and also from being used without consent.
But to create a culture of compliance in your eCommerce business, you must grasp why this is important and the aim behind the regulations.
Briefly, in 2012 the European Commission proposed a comprehensive reform of the European Union’s 1995 data protection rules to strengthen online privacy rights and boost Europe's digital economy.
The result was the GDPR which not only harmonised data protection rules across the EU but also created new data protection rights.
GDPR principles
When developing UK GDPR policies and procedures for your eCommerce business, you should keep in mind that the regulations are designed to ensure organisations keep personal data safe and do not use it in a way that is outside what the data subject agreed to.
GDPR requires organisations to comply with the following principles:
- Data must be processed lawfully, transparently, and fairly
- Data must be processed for specific purposes, and the data subject must be aware of such purposes
- Organisations must keep personal data secure and protect it from unlawful processing, destruction/damage, or loss
- Only necessary information should be collected (all data collected and stored should be adequate, relevant, and limited to a specific purpose)
- Personal data should not be stored longer than necessary
- Retained personal information should be accurate (inaccurate data should be corrected and/or deleted)
In addition to the above six principles, organisations must demonstrate accountability concerning data protection compliance and keep records of their steps to ensure the above principles are met.
How to make my eCommerce store GDPR compliant?
We have created a GDPR eCommerce checklist to help ensure your small to medium online business is and remains GDPR compliant:
1. Map the personal data your company holds
This is vital to comply with the 72-hour notification requirement if a data breach occurs. You need to know where all the customer data your eCommerce business holds is stored. This involves regularly running data mapping exercises and documenting how the process was run and where data is held.
2. Undertake regular, updated data protection and privacy training for all employees
This should include addressing how consent is obtained, storing personal data, and your business’s action plan if a data breach occurs.
3. Ensure your policies and procedures include steps on undertaking a Data Subject Access Request (DSAR)
This must include the strict timelines that apply (in most cases, a DSAR must be completed within one month of receipt).
4. Be aware of the situations in which you will be required to undertake a Data Protection Impact Assessment (DPIA)
Examples of such situations include marketing to children, implementing new technology, and undertaking a new project that involves processing special category data.
5. Check whether you need to appoint a representative in the EEA
If you are based in the UK and offer goods and services to EEA citizens or monitor their personal data, you will need to appoint an EEA representative if you currently have no office or branches in the territory.
6. If you are a controller, ensure you have a written contract with any data processors you engage
Controllers must only appoint processors who can provide ‘sufficient guarantees that the requirements of the UK GDPR will be met and the rights of data subjects protected’.
UK GDPR and cookies
The UK GDPR categorises cookies as a type of ‘online identifier’, meaning that in certain circumstances they will be personal data. A user authentication cookie, for example, involves the processing of personal data, as it is used to enable the user to log in to their account at an online service.
If you operate a website that uses cookies, it is essential that you have a full and transparent Cookies Policy that identifies what cookies you use and how long they last. To get started with your own Cookies Policy you can download our free Cookie Policy template.
What happens if I fail to be compliant?
If you are found to be in breach of the GDPR, you may be fined up to 4% of your turnover or £17.5 million, whichever is greater.
If a data breach does occur, you must be prepared to report it within the 72-hour window and be able to demonstrate your security and data privacy procedures very quickly.
Get legal assistance from LawBite
eCommerce businesses must be meticulously diligent regarding UK GDPR compliance, as their entire business rests on holding and processing personal data.
However, it is easy to let activities such as data protection, privacy training and data mapping slip when there are so many other matters to think about when operating an online business.
LawBite has helped thousands of businesses to achieve their commercial ambitions and data protection compliance. To find out how we can help your business to be compliant with the GDPR and privacy law, book a free 15-minute consultation or call us on 020 3808 8314.