The General Data Protection Regulation (GDPR) is now in effect, which means that there are some things online retailers should avoid doing to make sure they are compliant and don’t incur high fines. Here are five things that you should stop doing if you want to avoid getting an unpleasant letter from the supervisory authorities.
1. Asking users to provide data you don’t need
Why not use contact forms to find out your customers’ e-mail address, name, profession, wedding day, and even their cat's birthday? What a good idea, except that it completely contradicts the principle of data minimisation (also called data economy) introduced by the GDPR, according to which you may only ask customers to provide the data that you actually need in order to deliver the service they’ve purchased.
2. Failing to keep your documentation up-to-date
One of the most important innovations introduced by the GDPR is the principle known as accountability, which means every company must be able to prove that it complies with data protection regulations. The record of processing activities is at the heart of this accountability. To create such a record, you basically need to document all activities in which personal data is stored and processed as accurately as possible.
If you’ve never liked creating tables, you will find useful help in the form of templates on the internet or in our newest product, the Trusted Shops Data Privacy 360, which lets you create your record of processing activities with just a few clicks.
3. Ignoring information requests
No online retailer would be happy to receive an e-mail from a customer asking for information on all the personal data being stored about them. However, according to article 15 of the GDPR, online retailers are obliged to respond to such requests within one month and provide information on the personal data available in their systems and the purpose of the processing.
Look at it this way: information requests are time-consuming for you as an online retailer, but your answer will show your customers that you are trustworthy and that you take data protection seriously. Plus, such requests are unlikely to occur in practice anyway.
5. Hiding data breaches
“Oops, customer data has become public… but probably nobody noticed, so everything’s fine, right?”
No, it’s not. According to the GDPR, you must inform the appropriate supervisory authority about a data breach within 72 hours of becoming aware of it. Therefore, create a reaction plan now, including who must be contacted and which measures must be taken in case of emergency.
Focus on your sales with Data Privacy 360