Conceived in 2012 and adopted in 2016, the General Data Protection Regulation (GDPR) is all about the protection of EU consumers’ data. Although most of the online sellers and retailers have updated their site to comply with the eight rights, the few who are still knee deep in pending development and documentation, are pushing the boundaries to get their acts together as the deadline to conform, 25 May 2018, has passed already.

The General Data Protection Regulation is crafted by keeping an individual at the center. The focus has been set to ensure that an individual does not become victim of any unfair business practices. Therefore, the GDPR rules are for the companies to follow. Here is a brief list of what it entails for a business.

ο It is applicable to all websites who are offering a product or service to EU customers

ο The basic requirement is to get explicit consent from data subjects before capturing their data

ο For legal basis such as fulfilment service, you may capture personal data without consent, they are

• Name

• Address

• Email address

• Bank detail (while making a purchase)

ο For no reason whatsoever you can capture sensitive information, they are

• Social standing

• Psychological pattern

• Cultural inclination

ο You have to clearly stateWhy want the data

• How you will store the data

• How you will process the data

• Will you share the data with a third-party vendor

• How long you will retain the data

ο You have to delete the data once the process, for which it was captured, gets over

ο Once an individual requests for her raw data stored with you, you have share the same

ο An individual can delete her data from your records

ο In case of non-adherence, the penalty is 2% to 4% of annual global turnover or 20 million Euro

Why an e-commerce firm should care

As data is the lifeblood of any e-commerce business, apparently it may seem that such rigidity has fallen too hard on e-commerce organizations, but in reality, the policies have only cleansed the relation between a business and its customers. Whether to manage the operation, marketing, or understand customers, the e-commerce brands rely on systems like CRM, EDM, and BPA. These systems are fuelled by the customer data pulled from CDPs. So far the brands have been using the data to run automated systems and strike a personalized, targeted communication with the customers, easily. GDPR only instructed the brands to do it responsibly. Under GDPR, e-commerce brands can still talk to their customers, can still send them promotional emails, or present them a targeted ad but only if the customers have chosen to accept them. In addition, to reinforce the transparency in the customer-brand relationship, GDPR has asked the brands to allow full access to the raw data of an individual. This includes anything and everything that falls under the purview of identifiability. Whether its name, email address or location as stated in Article 4 or cookies that help in IP tracking, as elaborated in Recital 30. The latter has not only brought a major change in the way the e-commerce brands have worked with cookies but acts as a mop to sweep out bad actors of advertising who have spawned behind the veil of ad networks and affiliate networks.

How to be GDPR compliant

To be compliant with the GDPR, an ecommerce player need to keep the following in mind:

Smoke the data security system

ο

The security system should be robust, incase of any breach, it should be reported within 72 hours

Take cognizance of sensitive data

ο

Sensitive data should always be captured against explicit consent

Design the system to protect data

ο

Customers’ data should always be anonymized and pseudonymized

Bring IT and marketing together

ο

Both the teams need to get together to work out customized IT solutions

Train your staff

ο

Every member of an organization should be trained on GDPR, including customer relations and data entry operators

Introduce tool driven privacy

ο

Evaluate and partner with service providers offering anonymization and pseudonymization service

Work with GDPR compliant third-party vendors

ο

Third party vendors like CRM providers, email marketers, PR agencies, marketing agencies are to GDPR compliant

Data Protection Officer (DPO)

ο

Introduction of Data Protection Officer as a role to ensure GDPR compliance

How Drupal Supports

Stores created with Drupal are not left outside GDPR. As a store owner, you have to ask for data from your visitors and will process them to offer a better experience, hence you got to ensure that your Drupal store is in line with the regulations.

Move away from implicit consent

ο

ο

ο

The cookie is to be placed till the second page loadsCookie toolbar to have checkbox to collect explicit consentThe consent checkbox should not be checked by default

Include explicit consent checkbox

ο

ο

ο

ο

All web form to carry checkbox to collect explicit consentNo checkbox to be checked by defaultGo to DrupalAdd checkbox to all pages

Check every cookie Drupal code creates

ο

ο

ο

Check every cookie Drupal createsRun a source code checkCheck for every JS and PHP script that modified

Easy data deletion request page

ο

ο

ο

Make for easy data deletionCreate a page for data deletionUse Webform handler to connect data deletion page and CRM

Audit referral system

ο

ο

ο

ο

Audit referral functionalityCheck if system stores recipient email addressIf system stores the email address then check how the data is stored and usedIf the email address is used for marketing then build intermediate step to get explicit consent

Properly segment the data

ο

ο

ο

ο

ο

GDPR related disclaimers are to be shown to EU customers and visitorsNon EU customers need not see themSegment data under EU and Non-EU customer and visitorShow information only to EU customersGather data through explicit consent only from EU customers or visitors

Use GDPR-Drupal module

ο Use the current GDPR-Drupal module to:

• Create checklist for administrators to check the status of automated content, module, and configuration

• Get GDPR consent to set up agreements and track the consent received

• Use GDPR fields and mark a data as personal

• Use Drush commands to prevent developers from accessing sensitive data

• Use GDPR tasks to manage operations like tracking requests or initiating “forget me”



ο Keep the module and update with future update that include

• Feature to view data export as per the regulation and track data flow

• Synchronization of the configuration of existing GDPR field with GDPR data dump

• Option to allow logged in users to view the stored raw

• Functionality to make APIs for other modules to announce the data stored with them

Clearly communicate privacy policy

ο

ο

ο

ο

ο

ο

ο

Write privacy policy in easy to understand languageClearly state your intent with respect to data usageInform how data is collectedInform how data will be usedInform how data will be storedInform how data will be sharedInform how long data will be retained

Use secured data for analysis

ο

ο

ο

ο

ο

Understand how data processors use the dataEvaluate if data processors are GDPR compliantAudit data that are shared with data processors for analysisAudit the data for pseudonymized handlersTurn on anonymization while sharing data with data processorsThe initial storm has passed. By now you’ve gained clarity on how your third-party extensions are using the customer data, you’ve been asking for explicit consent from your customer to place your cookie, you’ve either anonymized or pseudonymized your customer data and given your customers the control and rights. But your tasks don’t stop there. You need to be constantly on top to make sure that your site adheres to the current policies. You certainly don’t want to get penalized after a back-racking exercise to get your site compliant. Download our checklist and see for yourself if your site is still GDPR compliant or a few nuts and bolts still needs a little tightening.