What is GDPR (General Data Protection Regulation)?
GDPR is the new privacy regulation, in force since May 25, 2018, created to protect both citizens' personal data and the right, or duty, of companies to process personal data in order to carry out their business.
GDPR provides severe penalties (up to 4% of annual turnover) in case of non-compliance and it is a regulation that also affects all e-commerce sites.
What consequences does GDPR have for your e-commerce site?
You have worked in recent months to bring your e-commerce website to a reasonable degree of GDPR compliance, and in doing so you have certainly realized how complex it can be to set up tools within your company that let you respond concretely to customer requests, quickly and without an excessive use of resources.
In a previous article we had the opportunity to delve into the general legal aspects and clarify the main doubts related to the regulation, such as the definition of Controller, Processor and Legal basis for data processing.
In this article we instead go into detail about the functions that an e-commerce platform like Open2b puts at the service of the e-commerce site, and how these functions simplify the management of data coming from the online store.
GDPR, data protection and e-commerce: what Open2b offers
Below we describe how the following Open2b functions limit the risk of errors or incomplete information and reduce the costs and response times to customer requests.
- Definition of processing activities and notices for customer records, orders and quotes
- Consent creation and management system
- Consent tracking and history
- Anonymization and deletion of abandoned carts
- Communicating customer data in a structured format
- Automated management via API
We remind you that GDPR requires that data processing be lawful. Lawful means that your right to process the data must rest on at least one of the following legal bases:
- consent: the data subject, i.e., the person to whom the personal data refers, has given consent to processing.
- contract: you have a contract in place with the data subject, such as an order.
- legal obligation: you must comply with a legal obligation, such as keeping invoices for several years.
- legitimate interest: you have a legitimate interest in processing personal data, such as contacting a customer who has shown interest in your products.
How does Open2b help e-commerce site managers?
Creating processing activities
Open2b allows you to create processing activities on customers' personal data and have them already integrated into the e-commerce site's layout.
Processing activities are divided by category of personal data: Customer records, Orders and Quotes. For each of these data categories you can create one or more processing activities and indicate the respective legal basis, the notice text to show the customer at the time of data collection, and whether consent is required or not.

Displaying the notice
Processing activities, with reference to the notice, will be shown to the customer at the time of personal data collection. For example, processing related to customer records is shown on the site registration page and processing related to orders will be shown on the addresses page when proceeding with order completion.
GDPR requires that personal data be processed for a specific and explicit purpose, which means that as many processing activities must be created as there are purposes for which data is collected (e.g., order execution, newsletter sending, etc.).

Notice
When a person provides you with their personal data, you must inform them:
- of your data and contacts as data controller,
- of the purpose and legal basis of processing,
- of your legitimate interest if processing is based on legitimate interest,
- of any recipients or categories of recipients of personal data,
- of the period during which the data will be stored,
- of their rights over personal data, such as rectification, withdrawal of consent, deletion, access and portability,
- of the right to lodge a complaint with a supervisory authority.
Creating and managing consents
If you need to manage a consent-based processing, the customer will also be presented with a checkbox they can select to give consent. If you decide that consent is mandatory, then the customer will not be able to proceed with registration, order or quote if consent is not given first.

In addition, once logged in, the customer will be able to see the notices on the page of their personal data, orders and quotes, and give or revoke consents.
Consent tracking and history
In the Open2b management panel, on the detail page of each customer, order or quote, a specific section called GDPR lets you see every consent that has been given, the date it was granted, the text the customer read at the time of consent and the IP address of the network used.
This information will help the e-commerce site manager prove conclusively that consent was actually given in the event of a check or explicit request by the customer.
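An append-only consent log of the kind described above, written as an added example (not Open2b's code) to show why each grant or revocation is stored with the notice text, timestamp and IP address rather than overwritten: the latest event decides whether consent is currently active, and the unrevoked grant is what you present as proof. All names here are assumptions.

```python
"""Added example, not Open2b's code: an append-only consent history."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional


@dataclass(frozen=True)
class ConsentEvent:
    activity: str       # processing activity, e.g. "newsletter"
    given: bool         # True = consent given, False = consent revoked
    notice_text: str    # exact notice the customer read at that moment
    timestamp: datetime
    ip_address: str     # address of the network the customer used


class ConsentHistory:
    """Every grant or revocation is appended; nothing is ever overwritten."""

    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []

    def record(self, activity: str, given: bool, notice_text: str,
               ip_address: str, when: Optional[datetime] = None) -> None:
        when = when or datetime.now(timezone.utc)
        self._events.append(ConsentEvent(activity, given, notice_text, when, ip_address))

    def _latest(self, activity: str) -> Optional[ConsentEvent]:
        # Walk backwards: the most recent event for this activity wins.
        for event in reversed(self._events):
            if event.activity == activity:
                return event
        return None

    def is_active(self, activity: str) -> bool:
        latest = self._latest(activity)
        return latest is not None and latest.given

    def proof(self, activity: str) -> Optional[ConsentEvent]:
        """The grant to show on a check: the latest grant not revoked since."""
        latest = self._latest(activity)
        return latest if latest is not None and latest.given else None

    def history(self, activity: str) -> List[ConsentEvent]:
        """Full trail for one activity, oldest first, for the GDPR section."""
        return [e for e in self._events if e.activity == activity]
```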

Processing abandoned carts
GDPR requires that personal data be processed only for the time strictly necessary and with security measures to ensure integrity and confidentiality.
This means that if a potential customer attempts to place an order but for some reason does not complete it, and has not given other consents for data processing, according to GDPR you would have no right to keep the information the customer provided during the order phase.
Open2b therefore allows you to delete abandoned carts. It also allows you to keep them but anonymize them if you want to retain the information for statistical purposes.
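The delete-or-anonymize choice for an abandoned cart, as an added example that is not Open2b's code: identifying fields are stripped while the statistical ones (items, total, country) are kept, and a cart is left untouched only while it may still be completed or while another consent covers the data. The field names, the sample cart and the 30-day window are assumptions.

```python
"""Added example, not Open2b's code: anonymize or delete an abandoned cart."""
from datetime import datetime, timedelta, timezone
from typing import Optional

# Fields that identify the person; everything else is kept for statistics.
PERSONAL_FIELDS = ("email", "name", "phone", "address", "ip_address")

# Constructed sample cart (not real data).
SAMPLE_CART = {
    "id": 1001,
    "email": "customer@example.com",
    "name": "Sample Customer",
    "phone": "+39 000 000000",
    "address": {"street": "Via Esempio 1", "city": "Roma", "country": "IT"},
    "ip_address": "203.0.113.5",
    "items": [{"sku": "SHOE-42", "qty": 2, "price": 20.0}],
    "total": 40.0,
    "updated_at": datetime(2018, 6, 1, tzinfo=timezone.utc),
}


def anonymize_cart(cart: dict) -> dict:
    """Return a copy with no personal data but the statistical fields intact."""
    anon = {k: v for k, v in cart.items() if k not in PERSONAL_FIELDS}
    # Only the country survives from the address; street and city do not.
    anon["country"] = (cart.get("address") or {}).get("country")
    anon["anonymized"] = True
    return anon


def process_abandoned(cart: dict, has_other_consent: bool, keep_statistics: bool,
                      now: datetime, grace: timedelta = timedelta(days=30)) -> Optional[dict]:
    """Return the record to keep, or None when the cart must be deleted.

    `grace` is an assumed window in which the order may still be completed.
    """
    if now - cart["updated_at"] < grace:
        return cart            # still a live cart; nothing to do yet
    if has_other_consent:
        return cart            # another legal basis covers the data
    return anonymize_cart(cart) if keep_statistics else None
```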

An important question remains regarding abandoned carts: with the arrival of GDPR, is it still lawful to send customers who abandoned a cart invitations or promotions to push them to complete the purchase?
The answer, as often happens, is: It depends.
If the customer did not provide consent during the order phase to receive marketing communications, on what legal basis do you still hold their data? A possible interpretation brings the case under legitimate interest, provided that the proposal is specifically related to the product the customer had placed in the cart, and provided that communication does not become excessive in case of no response, tipping the balance of rights in your favor.
If then, after the invitation to complete the order, which in theory might not have been completed for reasons beyond the customer's control (power outage, virtual POS temporarily unavailable, etc.), the order still is not completed, the user's data in your possession should necessarily be deleted.
Communicating personal data to the customer
According to the principle of access and portability provided by GDPR, a person has the right to access their personal data in your possession by asking you for a copy of the data in a structured format readable by an application.
Open2b allows, with a simple click, exporting this data in a structured, legally compliant format so that you can provide it to the customer if requested.

The result is reliable data with no margin of error and, above all, a significant saving of time and resources in providing information whose collection could otherwise require hours of work.
Automated management via API
Finally, Open2b provides API integration so that the merchant can connect external systems, such as newsletter software, and export information strictly related to GDPR, such as consents.
Visit Open2b.com for more details on the GDPR features and to discover all the other 2018 updates of the e-commerce platform.
You can also activate a free demo to test the various features, counting on the support of the Open2b Software team.
