In order to provide consumers with optimal protection when making online purchases, a detailed legal framework has been created to formalize the rules of online trade. It should not come as a surprise that this new legislation is regularly updated, given the rapid pace at which things evolve in the digital realm. Just last year, the rules surrounding accountability for information and the returns period were further refined. Since January 1, 2016, companies must also observe the General Data Protection Regulation or GDPR.
While, until recently, many rules were still made at a national level — which didn’t make their application any easier for cross-border e-commerce companies — the GDPR aims to standardize data usage within the EU. One of the main consequences of the new guidelines is that consumers will have a better understanding of their personal data. E-tailers therefore face a big challenge in taking a closer look at their data management practices. However, those who do this well stand to instantly differentiate themselves from the competition. After all, companies seeking growth must win the trust of online shoppers, and the secure and transparent collection and use of their data is an important part of this.
What exactly is the GDPR? This directive replaces the Data Protection Directive of 1995, which was no longer deemed sufficient in today’s digital world. It has significant consequences with respect to what companies must and must not do with the personal data of consumers. The GDPR applies not only to companies operating in the EU, but to all companies worldwide that store and use the data of EU consumers.
A lot has changed, particularly relating to what the directive calls “data portability” and “data erasure.” Data portability refers to the consumer’s ability to request a clear overview of the personal data that a company holds about them, while data erasure refers to the obligation that it must be possible to delete a consumer’s data upon their request.
Furthermore, data breaches must be announced within 72 hours of the breach, including to the individuals affected, and companies with more than 250 employees must appoint a Data Protection Officer. Companies that choose to ignore the new rules risk fines of up to 5% of their total revenues. The European governments are allowing a transition period of two years so that companies can make the necessary arrangements for meeting the guidelines of the new directive.
Impact on e-commerce
The most significant change is undoubtedly the obligation to request from consumers their voluntary, explicit and unambiguous permission to collect and use their data before doing so. Incidentally, personal data means more than just their name and address details; it also includes information regarding their physical, mental, psychological, economic or social status.
For e-tailers, the GDPR will no doubt come with a fair share of headaches, given the huge importance of data-driven marketing for online traders. Many online companies make use of profiling and data-mining to generate new business and growth, which risks putting them at odds with the GDPR. The obligation to request explicit permission, even for the collection and use of non-sensitive data, creates a lot of additional difficulties. E-tailers would do well to inform themselves as swiftly and as thoroughly as possible regarding the impact of the new directive on their data management practices, not only to avoid fines, but — much more importantly — to make it clear to the consumer that data privacy and protection are taken seriously.
E-tailers must inform their customers in detail with respect to how they plan to adjust their data management practices in line with the GDPR so that the customer can make a conscious choice. In this light, data privacy may prove a strategic weapon in the battle for customers in the coming years.