The 7 GDPR requirements and rights
It’s GDPR week and everyone is running around like headless chickens wondering if they’ve covered all the bases and whether they’re legal and compliant. The trouble is that no one appears to be really sure what the GDPR requirements and rights are and how they apply to them. For instance, is it OK to give your marketplace buyer’s email address and phone number (which you’ve stored in a third-party multichannel management software solution) to a third-party courier so that they in turn can send tracking emails to your customer?
The answer to the above question is generally yes, as it’s part of the purchase information you need to pass on to complete the transaction. However, you should really disclose what use you make of customer data, and the problem is that there’s nowhere on marketplaces where you yourself can add a GDPR statement, so you’re reliant on the GDPR statement the marketplace itself uses.
So what is GDPR, and what are the main GDPR requirements and rights you need to be aware of? GDPR stands for General Data Protection Regulation and sets out businesses’ responsibilities and consumers’ rights, which up until now have been covered by the Data Protection Act 1998.
We’ve set out the main GDPR requirements and rights below with some guidelines of how they apply to you.
The 7 GDPR requirements and rights
There are seven main GDPR requirements and rights that you need to be aware of. The first three clearly apply to retailers and the others are generally aimed at larger businesses.
Active consent
You may no longer add people to your mailing list and give them the choice to opt out. You also can’t pre-tick a sign-up box and rely on customers to untick it, and equally you can’t auto-subscribe customers and bury a tiny box they need to tick to opt out.
From Friday, customers need to make a very clear choice to opt into your marketing, and they have the right to withdraw this consent, so you need to offer clear unsubscribe options.
The biggest change for many online retailers is that you can’t simply add every customer to your mailing list – they have to actively choose to join it. Without an active opt-in, the customer should only receive emails related to their purchase.
It goes without saying that if you sell on marketplaces their terms and conditions generally prohibit you from adding customers to your own mailing lists. Just because they made a purchase from you on a marketplace doesn’t mean that you own the customer data. Not only will you be breaking the marketplace user agreement but from Friday this will be a clear breach of GDPR.
Use of data
Users have the right to know how their data was acquired and who it was shared with. If someone asks how they’ve ended up on your mailing list be prepared to tell them when they signed up or which company gave you their data. You also have to disclose which companies you have (or may have) shared it with.
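The opt-in, withdrawal and "how did you get my data" points above can be kept honest by a single record per contact. The following Python is an added example written for this article, not code from the original post or from any marketplace or mailing tool: it rejects a pre-ticked consent box, treats a purchase as a transactional-only contact, and keeps the source and every party the address was shared with so that the question in this section can be answered from the record. The class and method names, the addresses and the dates are all constructed for illustration.

```python
"""Consent and provenance ledger for a retailer's mailing list.

Added example, not code from the original article. A contact may only be
marketed to after an affirmative opt-in (a pre-ticked box is rejected and a
purchase alone creates a transactional-only contact), consent can be
withdrawn, and each record keeps where the address came from and who it was
shared with. Names, dates and addresses are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional


@dataclass
class ContactRecord:
    email: str
    source: str                              # e.g. "website signup form", "marketplace order 1001"
    opted_in_at: Optional[datetime] = None   # None means transactional contact only
    withdrawn_at: Optional[datetime] = None
    shared_with: List[str] = field(default_factory=list)


class MailingList:
    def __init__(self) -> None:
        self._records: Dict[str, ContactRecord] = {}

    def add_purchase_contact(self, email: str, source: str) -> None:
        """A purchase gives you the address for order emails, not marketing consent."""
        self._records.setdefault(email, ContactRecord(email, source))

    def record_opt_in(self, email: str, source: str, box_prechecked: bool,
                      box_ticked: bool, when: Optional[datetime] = None) -> bool:
        """Store consent only for an unticked-by-default box the person ticked themselves."""
        if box_prechecked:
            raise ValueError("a pre-ticked consent box is not valid consent")
        if not box_ticked:
            return False                     # no affirmative choice: nothing to record
        when = when or datetime.now(timezone.utc)
        rec = self._records.setdefault(email, ContactRecord(email, source))
        rec.source, rec.opted_in_at, rec.withdrawn_at = source, when, None
        return True

    def withdraw(self, email: str, when: Optional[datetime] = None) -> None:
        """Honour an unsubscribe: keep the record (to show marketing stopped), mark withdrawn."""
        self._records[email].withdrawn_at = when or datetime.now(timezone.utc)

    def share_with(self, email: str, company: str) -> None:
        """Log every third party the address is passed to (couriers, email providers, ...)."""
        self._records[email].shared_with.append(company)

    def may_send_marketing(self, email: str) -> bool:
        rec = self._records.get(email)
        return bool(rec and rec.opted_in_at and rec.withdrawn_at is None)

    def provenance(self, email: str) -> Dict[str, object]:
        """Answer 'when did I sign up / who gave you my data / who have you shared it with'."""
        rec = self._records[email]
        return {
            "source": rec.source,
            "opted_in_at": rec.opted_in_at.isoformat() if rec.opted_in_at else None,
            "withdrawn_at": rec.withdrawn_at.isoformat() if rec.withdrawn_at else None,
            "shared_with": list(rec.shared_with),
        }


def demo() -> Dict[str, bool]:
    """Walk through the scenarios from the article and return what each one allows."""
    ml = MailingList()
    t0 = datetime(2018, 5, 25, 9, 0, tzinfo=timezone.utc)
    ml.add_purchase_contact("buyer@example.test", "marketplace order 1001")    # constructed
    ml.record_opt_in("visitor@example.test", "website signup form", False, True, t0)
    ml.share_with("buyer@example.test", "Example Courier Ltd")                # tracking emails
    out = {
        "purchase_only_can_market": ml.may_send_marketing("buyer@example.test"),
        "opted_in_can_market": ml.may_send_marketing("visitor@example.test"),
    }
    ml.withdraw("visitor@example.test", t0.replace(day=26))
    out["after_withdrawal_can_market"] = ml.may_send_marketing("visitor@example.test")
    return out


if __name__ == "__main__":
    print(demo())
```

The withdrawn record is kept rather than deleted so that you can later show when marketing stopped; the transactional contact created by a purchase never becomes marketable unless the person themselves ticks an unticked box.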
Right to be forgotten
Customers have the right to have their data erased, which is slightly problematic for retailers for tax purposes, but not so for marketing lists. You’ll need to discuss with your accountant just what data you need to keep in case you have a tax inspection. Do you really need to save every bit of data you acquire (customer name, email address, phone number, mailing address, banking information etc.) in your accounts program, or would the order number/invoice number, products purchased and sale price be sufficient?
Of course, for marketing it’s nice to be able to see a customer’s prior purchases, but customers can now decide they don’t wish you to be able to do this and request that you erase their data.
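One way to act on an erasure request while keeping the trail the accountant may ask for, as an added Python example written for this article rather than code from the original post: the personal fields are blanked on every order the customer placed, the order number, invoice number, products, sale price and date are retained, and the customer is dropped from the marketing list. Which fields belong in each set is a placeholder decision for illustration (agree the real list with your accountant), and the orders and addresses are constructed.

```python
"""Acting on an erasure request without losing the accounting trail.

Added example, not code from the original article. Personal fields are
blanked on every order the customer placed; the transactional fields the
accountant might need are kept; the customer leaves the marketing list.
The two field sets are a placeholder split for illustration, not a legal
rule. All orders below are constructed sample data, not real customers.
"""
from datetime import date
from typing import Dict, List, Tuple

PERSONAL_FIELDS = {"name", "email", "phone", "mailing_address", "bank_details"}
RETAINED_FIELDS = {"order_number", "invoice_number", "order_date", "items", "sale_price"}

SAMPLE_ORDERS: List[Dict[str, object]] = [
    {"order_number": "A1001", "invoice_number": "INV-1", "order_date": "2018-03-02",
     "items": ["blue mug"], "sale_price": 49.99, "name": "Alice Example",
     "email": "alice@example.test", "phone": "01234 000000",
     "mailing_address": "1 Test Street", "bank_details": "sort 00-00-00"},
    {"order_number": "A1002", "invoice_number": "INV-2", "order_date": "2018-03-05",
     "items": ["red mug"], "sale_price": 12.50, "name": "Bob Example",
     "email": "bob@example.test", "phone": "01234 111111",
     "mailing_address": "2 Test Street", "bank_details": "sort 11-11-11"},
    {"order_number": "A1003", "invoice_number": "INV-3", "order_date": "2018-04-10",
     "items": ["teapot", "blue mug"], "sale_price": 75.00, "name": "Alice Example",
     "email": "alice@example.test", "phone": "01234 000000",
     "mailing_address": "1 Test Street", "bank_details": "sort 00-00-00"},
]
SAMPLE_MAILING_LIST: Dict[str, str] = {
    "alice@example.test": "website signup form",
    "bob@example.test": "website signup form",
}


def erase_customer(orders: List[Dict[str, object]], mailing_list: Dict[str, str],
                   email: str, erased_on: date) -> Tuple[List[Dict[str, object]], Dict[str, str], int]:
    """Return (orders, mailing_list, count) with the customer's personal fields removed.

    The inputs are left untouched; the caller swaps its stores for the results.
    """
    new_orders, erased = [], 0
    for order in orders:
        order = dict(order)                  # copy so the original list is not changed
        if order.get("email") == email:
            for f in PERSONAL_FIELDS:
                order[f] = None              # blank, do not delete the key, so the shape is stable
            order["erased_on"] = erased_on.isoformat()   # audit stub: records that erasure happened
            erased += 1
        new_orders.append(order)
    new_list = {k: v for k, v in mailing_list.items() if k != email}
    return new_orders, new_list, erased


def contains_personal_data(order: Dict[str, object]) -> bool:
    """True if any identifying field still holds a value (use it to verify an erasure)."""
    return any(order.get(f) is not None for f in PERSONAL_FIELDS)


def accounts_view(order: Dict[str, object]) -> Dict[str, object]:
    """The slice of an order that would go to the accounts program."""
    return {f: order[f] for f in RETAINED_FIELDS if f in order}


if __name__ == "__main__":
    orders, mailing, n = erase_customer(SAMPLE_ORDERS, SAMPLE_MAILING_LIST,
                                        "alice@example.test", date(2018, 5, 25))
    print(n, "orders erased;", "still on list:", sorted(mailing))
    print(accounts_view(orders[0]))
```

Blanking the fields rather than deleting the whole order keeps the invoice numbers and totals continuous for an inspection, and `contains_personal_data` gives you a check to run over the store afterwards to confirm nothing identifying was missed.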
Privacy Options set to high
Online services will have to set your privacy options to the max as a default in future and you will then have the choice to relax them if you so desire. For instance on social network sites just because you can share your phone number, email address and date of birth with the world doesn’t mean you would want to. There should be an option for you to choose who gets to see your data and that includes third party apps and services that may have access to your data even if it’s not publicly displayed.
Companies should offer an explanation of algorithmic outcomes from machine learning and artificial intelligence to enable customers to opt out should they wish to do so. An example of this would be examining a customer’s past purchases in order to provide relevant product suggestions in future marketing. In many cases a customer’s option to opt out might simply be an offer to close their account, as AI and machine learning are so deeply embedded into today’s online services. However, you’ll have noticed many online services offering an option to opt out of tailored advertising, which they promote on the grounds of relevancy – if you opt out you’ll still see adverts, but your personal data and preferences won’t have been used to choose them.
Easy data portability
I have to give Google a shout out here that whenever you choose to leave a Google service they make it very easy for you to download your data and take it with you. Not all companies are the same however but they’ll need to be so in the future.
This is actually important for consumers and small businesses as well as large corporates. In the very near future for example, we’ll all be doing our tax and VAT online and will likely use various third party services to do so. Should you decide to switch the service you use for your online accounting, they have to offer you a very easy way to move your data to your chosen new partner.
Some companies have in the past sat on news of a data breach for considerable periods of time. Should a company discover that their data has been accessed then in the future they have just 72 hours to report it. They can no longer try to fix the problem or cover it up or delay making the breach public knowledge.
That’s quite a long, scary list of responsibilities, considering that companies can be fined up to 4% of their global turnover for breaking GDPR rules. The ICO aren’t interested in applying financial penalties to all and sundry; their approach will be to save fines for the most deliberate and egregious breaches of GDPR. The ICO are likely to prefer an educational and supportive role towards those who are genuinely attempting to comply. Don’t necessarily expect the same leniency if an EU consumer in a different EU Member State complains to their own country’s equivalent of the ICO.
GDPR will still apply after Brexit as it’s written into UK law, and regardless, if you deal with any EU companies (and just about everyone in the world does) then you’ll still need to comply.
1. Active Consent – https://www.sendmode.co.uk/marketing-current-lists-gdpr – it looks like anybody already on your mailing list can be left on, as they have had the chance to be removed and chose not to.
3. Right to be forgotten
This is a sticking point for many. There may be reasons that you need to keep data, apart from tax etc., as customers could easily try to defraud you or may not contact you for 3-6 months; at what point do you no longer need to be able to look up their order should they need you to, or to check against fraudulent transactions, INRs etc.?
If, after receiving an order, you do nothing other than store and forget the data, why would people be bothered about you having it?
Thanks for your article, although I’m not sure that point (1) is strictly correct. GDPR is not specific in that, and the data can be held either by consent or where there is a legitimate interest to either the customer or company, i.e. for after-sales service and contacting customers for other reasons. My understanding of GDPR, and of others that have advised on the internet, is that providing the customer clearly has an option to opt out of any relevant marketing, that does not directly break any GDPR rules.
Also see this post written by a person in the legal profession.