5 Steps to a GDPR-Ready Web Store
This article was originally featured in ERP SoftwareBlog. You can read the original article here.
The European Union’s General Data Protection Regulation (GDPR) went into effect May 25th, 2018. The regulation aims to give EU residents greater access to and control over their data online, and compliance is mandatory not just for businesses in the EU, but anyone doing business with or exporting data from the EU.
This means that even if your company is not physically located in Europe, if you sell and ship products to EU member states, you need to meet GDPR requirements.
GDPR compliance might seem like a hassle, but it has a number of upsides which even non-affected businesses should consider. Optimized customer security is, of course, a plus for any company, and the nuts and bolts of GDPR come down to data management best practices that can have some surprising benefits for your business.
Here’s a look at five ways to make sure your e-commerce business is on the right track.
- Assess Your Compliance
The GDPR is an all-encompassing regulation that directly affects businesses all over the world. Not surprisingly, there is a vast amount of material online designed to help business owners meet the requirements.
Unlike PCI certification, there is no single regulating process that officially determines if a company is GDPR compliant. It is entirely the responsibility of the company to be familiar with the practices and protocols of the regulation. This all by itself can be one of the more challenging aspects of making sure your business complies.
You can make your life a lot easier by consulting one of the many GDPR assessment questionnaires available online. Designed for business owners, these free GDPR resources take you through all aspects of the regulation in a question-and-answer format to help you determine your company’s current level of compliance and identify those areas that need work.
- Know Your Data
Under the GDPR, EU citizens may at any time request that a company disclose in full all the data they have on them. They may challenge the company’s use of their data, and even have the company delete their data entirely. What’s more, early polling indicates that nearly half of all online shoppers plan to use their new rights, and that’s in the UK alone.
In many cases, this can present a serious challenge because online businesses acquire and store data through numerous channels which are not always in communication with each other. A classic example is the sets of data stored in your web store and in your ERP, respectively. Should a customer request their data, you would need to compare both sets to make sure you retrieve all relevant details.
Naturally, ERP integration goes a long way towards solving this problem, as it ensures that both systems use the exact same data. But social media, PCI environments, third-party services and other channels may present additional data sets that you will need to account for and consolidate into a comprehensive data profile of each customer.
While this potentially involves a great deal of work, it has the immense benefit of streamlining all the data your company holds into single top-to-bottom portraits of each client.
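One way to approach the consolidation step described above, as an added example that is not code from the original article or from any product it mentions: two constructed exports (a web store and an ERP that do not talk to each other) are matched on a normalized email, the disclosure profile labels each item by its source system, and the erasure returns per-system counts so a request is not closed while one channel still holds the data.

```python
"""Consolidate one customer's records across a web store and an ERP for a
GDPR disclosure or erasure request. The records and field names below are
constructed for illustration, not taken from any real system."""

# Constructed sample exports; note the differing key names and the
# inconsistent capitalisation/whitespace that real exports tend to carry.
WEB_STORE = [
    {"email": "Anna.Berg@example.com", "name": "Anna Berg", "orders": ["W-1001", "W-1042"]},
    {"email": "tom@example.org", "name": "Tom Ek", "orders": ["W-1050"]},
]
ERP = [
    {"customer_email": "anna.berg@example.com ", "billing_addr": "Storgatan 1, Malmo", "invoices": ["INV-77"]},
    {"customer_email": "lisa@example.net", "billing_addr": "Rue Example 5, Lyon", "invoices": ["INV-80"]},
]

# (system name, record list, name of the email column in that system)
SOURCES = (("web_store", WEB_STORE, "email"), ("erp", ERP, "customer_email"))


def normalize(email: str) -> str:
    """Trim and lower-case so the same person matches across systems."""
    return email.strip().lower()


def build_profile(email: str) -> dict:
    """Collect everything held on one data subject, grouped by source system,
    so the disclosure shows the customer where each item came from."""
    key = normalize(email)
    profile = {"subject": key, "sources": {}}
    for name, rows, col in SOURCES:
        for rec in rows:
            if normalize(rec[col]) == key:
                # Drop the matching column itself; everything else is disclosed.
                profile["sources"][name] = {k: v for k, v in rec.items() if k != col}
    return profile


def erase(email: str) -> dict:
    """Remove the subject from every system and report how many records each
    system dropped; a zero where a record was expected flags a missed channel."""
    key = normalize(email)
    removed = {}
    for name, rows, col in SOURCES:
        before = len(rows)
        rows[:] = [r for r in rows if normalize(r[col]) != key]  # in-place, so SOURCES stays valid
        removed[name] = before - len(rows)
    return removed
```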
- Know Your Cookies
Websites use and store cookies for a wide range of purposes and for varying lengths of time. Some cookies remember the number of search results a user wants to see per page and are kept until the user logs out. Others remember profile settings and are kept for a year or more.
If you are uncertain about the cookies your web store uses, speak with your e-commerce solution provider for a list.
- Use a PCI-Certified Solution
By far, the single biggest data storage and security issue for online businesses is credit card data. Years before the GDPR, the Payment Card Industry Data Security Standard (PCI DSS) established a set of worldwide protocols for protecting cardholder data.
Similar to the GDPR, PCI DSS compliance can be determined by a self-assessment questionnaire, and largely comes down to strict observance of best practices in data security. For most companies, the greatest risk is the credit-card-processing technology itself, since this is where the cardholder data is handled. And the only way to guarantee this technology is secure is through PCI certification: either by obtaining it yourself (a long and expensive process) or by choosing a certified solution.
By choosing a payment processing solution that is already PCI-certified, you will eliminate virtually all the risks associated with handling credit card data, and make great strides toward full GDPR compliance at the same time.
- Appoint a Data Protection Officer
If your business deals with a large volume of customers, managing all that data can easily become a full-time job. In such cases, the GDPR mandates that your company appoint a Data Protection Officer (DPO).
Appointing a DPO will make many aspects of GDPR compliance significantly easier, as it becomes the DPO’s sole responsibility to ensure that your company is compliant. The Data Protection Officer is responsible for keeping track of all the data stored by your company across different channels, addressing the data requests made by customers, and training company staff in compliance protocols required by the regulation.
Bear in mind that, just as with PCI DSS, failure to comply with GDPR can be devastating to a business in the event of a data breach, incurring debilitating fines and often irreparable damage to the company’s reputation. On the flip side, compliance ensures your customers’ security, and positions you to make the best use of all the data you store.
If you’d like to connect with us about eCommerce solutions, please contact us.
We specialize in providing technical assessments, break-fix support, optimization services, and solution expansion projects for Dynamics AX (Dynamics 365 for Finance and Operations).