GDPR and its impact on e-commerce providers

What is the impact of GDPR on those using B2B e-commerce solutions?

As companies collect more and more data about individuals, and the processing of that data becomes ever more sophisticated, GDPR aims to give data subjects back control over their personal information and to ensure that their privacy is respected.

Whilst a considerable amount of data processing is done online, companies need to think about GDPR as more than just an IT issue. It presents a much wider challenge than the digital data they hold. Consideration must be given to how they are using that data, and in particular to whether information they hold about individuals working for a customer could be used to make commercial decisions about those individuals.

What information will be affected by GDPR?

In the past, data about business contacts was often treated as company data rather than personal data; under GDPR this changes. The test is simply whether the information allows you to identify an individual (and could be used to make decisions about that person), regardless of whether it was collected in a business context. Basic company information is widely available and is not personal data, so a company's delivery address and a generic info@company mailbox are not personal data. An email address in the form firstname.lastname@company, on the other hand, is personal data: it reveals the full name of an individual and their place of work, even though it is a work address.

Most efforts so far in ensuring GDPR compliance have focused on structured data, such as an online database containing two million email addresses. Data of this kind does present a big compliance risk, but businesses also need to focus GDPR efforts on 'unstructured data'. This is typically much harder to control and is estimated to be as much as 20% of the data held. Unstructured data is often created through incidental processing: written correspondence, business cards, or CVs sitting on a desk. In most cases companies have no processes or procedures for managing this data, and it is the part of the inventory most likely to be missed by a data audit.

For B2B organisations looking to improve the customer experience, GDPR should not limit the ability to monitor buying preferences and customer behaviour, because this insight can be obtained without extracting any personal data. Aggregate analytics of this kind can generally be processed under the 'legitimate interest' basis, and are compliant as long as you keep no more detail than necessary and for no longer than required. Legitimate interest also requires you to weigh your interest against the individual's privacy: you must not intrude on somebody's privacy to a greater extent than is necessary. You can look at how customers as a whole are using the store in order to improve navigation, but you cannot record an identifiable person's specific interactions without obtaining their permission.

Will GDPR put restrictions in place regarding the amount of information an e-commerce solution will be allowed to hold?

GDPR will put restrictions in place, but these are not so much about the type of data companies hold as about the way they use it. To obtain and process a data subject's personal data you need a lawful basis: the subject's consent, a legitimate interest, or the processing being necessary to perform a pre-existing agreement between the two parties (GDPR lists further bases, such as a legal obligation, which matter less for a web store). If you run a B2B e-commerce store, for example, you are providing customers with a service and giving them access to the platform. You need to collect and process their contacts' personal details to carry out that agreement, for example to bill them and to deliver the product when a purchase is made. Sending customers new proposals, whether a newsletter or a personalised message based on their shopping behaviour as a company, is still allowed.

However, users of B2B e-commerce solutions need to be very careful if they wish to target specific buyers within a company. GDPR concerns personal data, so should a buyer exercise their right to be forgotten you must remove their personal data from the records you hold, although you can retain the basic details of the company they work for. In practice this means the erasure has to reach every copy of the data: the web store, the ERP, exports, and marketing lists. You must also make it known, in each instance, why you are holding data, how you are holding it, what you are using it for and how long you plan to retain it. If you have collected data for one purpose, it can only be used for that purpose or one compatible with it.

Does GDPR have an impact on the details held in the organisation’s ERP platform versus e-commerce platform?

E-commerce solutions that integrate directly with an ERP platform, as Sana's does, keep a single, structured copy of customer data rather than duplicating it in a second database. This reduces the risk of data fragmentation and the amount of unstructured data an organisation handles, and it makes data far easier to control and search than exporting and importing Excel files between the e-commerce system and the ERP. Knowing exactly where personal data lives is also the precondition both for securing it and for answering access and erasure requests completely.

ERP platforms tend to be well protected, but the integration link is part of the attack surface. Organisations should ensure that the connection between the e-commerce solution and the ERP system is encrypted with TLS (the successor to SSL; the SSL protocol versions themselves are obsolete and should be disabled), with the ERP's certificate verified by the client, so that customer data in transit cannot be read or altered by an attacker on the network.
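As an added example (not code or configuration from the article or from Sana), the following Python shows the client side of that integration link: a weak TLS configuration of the kind often found in integration scripts next to a hardened one that verifies the ERP's certificate and refuses old protocol versions. The host name, port and CA bundle path are assumptions.

```python
"""Added example, not code from the article or from Sana: hardening the
TLS client side of an e-commerce to ERP integration in Python.
The ERP host name, port and CA bundle path are assumptions."""
from __future__ import annotations

import socket
import ssl

ERP_HOST = "erp.example.internal"   # assumed ERP API host name
ERP_PORT = 443                      # assumed port


def weak_erp_context() -> ssl.SSLContext:
    """The setting often found in integration scripts: traffic is encrypted,
    but the server certificate is never checked, so anyone on the network path
    who presents any certificate can read and alter customer data in transit."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_erp_context(ca_bundle: str | None = None) -> ssl.SSLContext:
    """Corrected setting: verify the ERP's certificate against a trusted CA
    (the system store, or a private CA bundle for an internal ERP), check the
    host name, and refuse SSL 3.0 / TLS 1.0 / TLS 1.1."""
    ctx = ssl.create_default_context()      # CERT_REQUIRED and check_hostname=True
    if ca_bundle:
        ctx.load_verify_locations(cafile=ca_bundle)   # assumed path to the company's CA bundle
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_is_acceptable(ctx: ssl.SSLContext) -> bool:
    """Start-up check an integration can run before it talks to the ERP."""
    return (
        ctx.verify_mode == ssl.CERT_REQUIRED
        and bool(ctx.check_hostname)
        and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
    )


def open_erp_connection(ctx: ssl.SSLContext, host: str = ERP_HOST,
                        port: int = ERP_PORT) -> ssl.SSLSocket:
    """Open the integration socket; refuses outright to use a weak context.
    The TLS handshake runs inside wrap_socket and raises
    ssl.SSLCertVerificationError if the ERP presents an untrusted certificate."""
    if not context_is_acceptable(ctx):
        raise ValueError("refusing to talk to the ERP without certificate "
                         "verification and TLS 1.2 or newer")
    raw = socket.create_connection((host, port), timeout=10)
    return ctx.wrap_socket(raw, server_hostname=host)


if __name__ == "__main__":
    print("weak context acceptable:", context_is_acceptable(weak_erp_context()))
    print("hardened context acceptable:", context_is_acceptable(hardened_erp_context()))
```

The start-up check is deliberately strict: an integration that silently falls back to an unverified connection still "encrypts", but no longer protects the customer data that GDPR is concerned with.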

How can businesses best approach their GDPR compliance?

Businesses need to perform a comprehensive data audit to identify all the ways in which they hold and process personal data. It is worth following a tried and tested route. Microsoft, for example, recommends a practical four-step approach: identify what personal data is held and where (taking into account the structured/unstructured split discussed above); establish how it is used and who can access it; determine the security measures needed against vulnerabilities and breaches; and lastly create the documentation and reports needed to fulfil data subject requests.

In certain situations it is mandatory for a company to appoint a Data Protection Officer (DPO) in a dedicated and independent role, whether an existing employee or someone appointed externally: broadly, where its core activities involve large-scale, regular and systematic monitoring of individuals, or large-scale processing of special categories of data.

How does GDPR apply when selling to organisations who are based in and outside of the EU?

GDPR applies whenever you process the personal data of individuals in the EU, for example when offering goods or services to customers in any member state, whether or not your own business is established in the European Union. It is therefore important for most international businesses to become acquainted with the regulation. Even post-Brexit, it is likely that the UK will maintain similar regulation to ensure consistency with trade agreements.

Retention periods for personal data are dictated by law in some individual countries, and companies will need to take the rules of the relevant governing bodies into account too. Businesses in the Netherlands, for example, are legally required to keep financial records for seven years, even where someone exercises their right to be forgotten; the erasure then applies to the rest of that person's data, and the financial records can be cleaned up once the retention period has expired.
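The three rules above (a personal versus a generic company email address, erasure of a buyer's data while the company record is kept, and a statutory retention period that overrides the erasure request) are easier to get right when they are written down as code. The following Python is an added example, not code from the article or from Sana Commerce; every record, name and date in it is constructed sample data, the role-mailbox list is illustrative, and the seven-year period is the Dutch rule mentioned above and an assumption for any other jurisdiction.

```python
"""Added example, not code from the article or from Sana Commerce: a minimal
model of how a B2B store can separate personal data from company data, audit
where personal data sits, and honour an erasure request while keeping financial
records for a statutory retention period. All records below are constructed
sample data; the 7-year period is the Dutch rule the article mentions."""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from datetime import date, timedelta

# Mailbox names that identify a company function rather than a person.
# Assumption: illustrative list, extend it for your own customer base.
ROLE_MAILBOXES = {"info", "sales", "support", "orders", "invoices", "accounts", "admin"}
FINANCIAL_RETENTION = timedelta(days=7 * 365)   # assumed statutory retention period
ERASED = "[erased]"
DEMO_TODAY = date(2018, 5, 25)                  # fixed "today" for the sample run


def is_personal_email(address: str) -> bool:
    """info@company is company data; firstname.lastname@company (or f.lastname,
    first_last) identifies a person and is therefore personal data."""
    local = address.split("@", 1)[0].lower()
    if local in ROLE_MAILBOXES:
        return False
    return re.fullmatch(r"[a-z]+[._-][a-z]+", local) is not None


@dataclass
class Contact:
    name: str           # empty for a role mailbox that names no individual
    email: str
    phone: str = ""


@dataclass
class Invoice:
    number: str
    issued: date
    contact_name: str   # buyer's name on the invoice: personal data under a retention hold
    amount: float


@dataclass
class Customer:
    company: str
    delivery_address: str   # company data, not personal data
    contacts: list[Contact] = field(default_factory=list)
    invoices: list[Invoice] = field(default_factory=list)


def audit_personal_data(customer: Customer) -> list[str]:
    """Audit step: list every field on this customer that holds personal data."""
    found = []
    for c in customer.contacts:
        if c.name:
            found.append(f"contacts[{c.name}].name")
        if is_personal_email(c.email):
            found.append(f"contacts[{c.name}].email")
        if c.phone:
            found.append(f"contacts[{c.name}].phone")
    for inv in customer.invoices:
        if inv.contact_name and inv.contact_name != ERASED:
            found.append(f"invoices[{inv.number}].contact_name")
    return found


def erase_data_subject(customer: Customer, name: str, today: date) -> dict[str, int]:
    """Right to be forgotten for one person at the customer: drop their contact
    record, leave the company record untouched, keep their name on invoices still
    inside the retention period, and strip it from invoices past that period."""
    before = len(customer.contacts)
    customer.contacts = [c for c in customer.contacts if c.name != name]
    retained = erased = 0
    for inv in customer.invoices:
        if inv.contact_name != name:
            continue
        if today - inv.issued < FINANCIAL_RETENTION:
            retained += 1               # statutory hold overrides the erasure request
        else:
            inv.contact_name = ERASED   # retention expired: personal data goes, amount stays
            erased += 1
    return {"contacts_removed": before - len(customer.contacts),
            "invoices_retained": retained, "invoices_erased": erased}


def sample_customer() -> Customer:
    """Constructed sample data: one named buyer, one role mailbox, two invoices."""
    return Customer(
        company="Voorbeeld Handel B.V.",
        delivery_address="Dorpsstraat 1, 1234 AB Voorbeeld",
        contacts=[
            Contact("Anna de Vries", "anna.devries@voorbeeld-handel.example", "+31 6 00000000"),
            Contact("", "info@voorbeeld-handel.example"),
        ],
        invoices=[
            Invoice("INV-2016-0042", date(2016, 3, 1), "Anna de Vries", 1250.00),
            Invoice("INV-2009-0007", date(2009, 1, 15), "Anna de Vries", 980.50),
        ],
    )


if __name__ == "__main__":
    customer = sample_customer()
    print("personal data held:", audit_personal_data(customer))
    print("erasure result:", erase_data_subject(customer, "Anna de Vries", DEMO_TODAY))
    print("still held:", audit_personal_data(customer))
```

Run on the sample data, the audit lists five personal-data fields; after Anna's erasure request only her name on the 2016 invoice remains, because that invoice is still inside the retention period, while the 2009 invoice keeps its amount but loses her name. The same audit function run periodically is how you would catch the retained fields becoming erasable as time passes.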

Robert Pennings is customer success manager and data protection officer at Sana Commerce.