Data Privacy and Compliance: Navigating the Maze

A bird’s eye view

First, let’s quickly have a look at all the documents you’ll need before we take a deep dive into privacy compliance. We’ll also give you a brief description of each policy and why you need it.

Data and privacy 

There’s been much noise about privacy and data, especially in Europe recently with General Data Protection Regulations (GDPR) implemented in 2018. So any ecommerce business planning to sell products in the EU has to comply with GDPR requirements. In short, the requirements protect EU citizens’ personal data, how it’s used, stored, transferred, and processed. More about Privacy policies and GDPR later in this article. 

If you are not selling in the EU you also have to comply with data protection law. It will help you follow good practices, protect the rights of staff, customers and partners, give you a clear view of what you are doing with your data, and protect you from any data breaches.

Shipping policy

Every customer buying products online wants to know how long they’ll have to wait before they receive their products. It applies to domestic as well as international customers. They also want to know how much various delivery options will cost them and the cost of taxes and customs. Your shipping policy should cover all of the above.

Returns policy 

Speaking of injuries: One of the advantages and drawbacks of ecommerce is that customers can’t touch, feel, and taste the products before they buy them. If they’re buying their favourite shampoo they know what to expect and will seldom return it, unless it was damaged. The same can’t be said for apparel, clothing, fragrances, and food. Sometimes people also just change their minds. Whatever the reason is for returns, you need to be prepared for it and state it clearly on your website. Customers need to know if they can return the product, what it will cost, if it will be replaced, or if they will be refunded. A clear returns policy will do all of that. 

Let’s take a deep dive into data and privacy 

GDPR: Trading in the EU

The aim of the GDPR policy is to protect EU citizens’ personal data. If your business does not comply with the requirements, you will receive stiff penalties and fines. The GDPR also aims to standardise and provide consistent data protection of data across all EU nations. In addition to EU members, it is important to note that any company that markets goods or services to EU residents, regardless of its location, is subject to the regulation.

In the end, it’s best to comply, and will cause less headaches and smooth your ecommerce journey. The UK’s Information Commissioner’s Office (ICO) provides an extensive guide on who has a lawful basis to process personal data. Have a look at their guide and handy tools to guide you. 

The GDPR policy can be very extensive and complicated. We’ve found some sites that provide GDPR policy templates. These templates can be downloaded, completed with your details and used on your website. Have a look at the GDPR.eu website and what they have to say about the rights of individuals, companies, and regulations you have to abide by in your data privacy strategies. They also provide downloadable templates that can help you draw up your policies. Before you head off, we’d like to chat about a couple of hoops you have to jump through in your policies. Let’s have a look at them:

• You need to have a valid legal basis for processing data. The law provides six legal bases for processing: consent, performance of a contract, a legitimate interest, a vital interest, a legal requirement, and a public interest
• You must implement technical and operational safeguards (e.g. Two-factor authentication; end-to-end encryption) to protect personal data they control or process
• Maintain detailed documentation of the data you’re collecting, how it’s used, where it’s stored, which employee is responsible for it, etc.
• Have Data Processing Agreement contracts in place with third parties you contract to process data for you
• Whether you will appoint a data protection officer to oversee GDPR compliance (don’t worry, if you’re just starting out you don’t have to do this)
• What the procedure is when there is a data breach 

Just a bit more about data breaches: You have a duty to report certain types of data breaches to the relevant supervisory authority, and in some cases to the individuals affected, within 72 hours of becoming aware of the breach. Simply put, a breach is when there is a breach in security that might lead to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. The UK ICO provides more information on what constitutes a breach and what you should do about it. 

So, in essence, the GDPR sets in place a baseline set of standards for companies that handle customers from the EU, how to safeguard, process, and move their data. GDPR compliance is vital to securing your organisation, protecting your customers’ data and avoiding costly fines for non-compliance. To further protect your business, you may want to consider taking out business insurance against data breaches.

Privacy policies  

All companies that gather any information on their websites need to have a privacy policy that is accessible to anybody browsing the site. The policy extends to any data relating to a person in their private or professional capacity. ‘Sensitive personal data’ includes information about race, ethnic origin, political opinions, religious beliefs, trade union membership, physical or mental health, sexual orientation, and any information about previous criminal behaviour. What it basically comes down to is: if you gather any data, you have to explain how you did it (cookies), and what it’s used for. You also have to tell users of your website that you are using cookies and get their consent to do so. 

Before you even think about the details of your privacy policy, you need to keep in mind that it has to be easily accessible to anybody browsing your website. Some sites put their policies under ‘Terms and Conditions’, or you can name it ‘Privacy Policy Statement’ under a tab on your main menu. Your policy needs to be easy to understand, use simple language and avoid complex legal terminology. If something is not obvious to you, chances are it won’t be for users either. 

If you follow the Truevo blog regularly, or look back at some of the topics we’ve covered, you’ll see that there are many instances where you can use existing documents and strategies to build on – take your business plan, marketing strategy, compliance documents and social media content for example.

Thousands of businesses are in the same boat as you are. Some companies have realised this and created a range of templates you can download and complete to suit your needs. Simply-Docs and TermsFeed are two examples, but there are many similar services to choose from online. If you’re just starting out and can’t afford a full-time lawyer or marketer, you may want to consider using a template service. One thing is for sure, it will save you tons of time, which we know is really precious in a small business. 

Did you resonate with this article? Feel free to share your thoughts and tag us on Instagram, Twitter, Facebook, and LinkedIn.

Disclaimer

It’s important to note that this blog post has been written for informational purposes only. It shouldn’t be construed as legal or tax advice on any subject matter. Don’t make or refrain from making any serious or legal decisions based on the content of this post without seeking professional advice. 

Furthermore, please be aware that Truevo is in no manner connected or affiliated with any of the entities mentioned in this article. Any reference to such is simply by way of an example and does not imply or constitute any form of endorsement by Truevo.