What Does the GDPR Mean to eCommerce?

What Does the GDPR Mean to eCommerce?

SnatchBot TeamSnatchBot Team, 11/04/2018

While the GDPR will require changes within your business, the biggest change may be the fact that you can’t just collect and use data as you wish. To that end, complying with the GDPR will require unprecedented levels of data management, transparency, and security.

Data Management Requirements

Specifically, this is what you can expect:

You need to get a consumer’s active opt-in for all one-to-one communication on any channel – even Skype, Messenger, Facebook, and Instagram – even if you’ve previously interacted with this individual.

If you market to children under the age of ‑, you need parental consent to process their

child’s data.

You will need to focus more on discarding data vs. keeping it because you can only keep data if you have a clear, ongoing use for it.

The GDPR even applies to the ways you profile individuals through automated processing.

Typically, this falls into the following categories:

  1. Economic situation: Tracking user purchases, price percentiles and related calculations.
  2. Personal preferences: Whether captured explicitly or implicitly through tagging.
  3. Behavior: Affinities for products, brands or categories, whether captured explicitly or implicitly.
  4. Location/movements: Such as through IP addresses and cookies.

If you carry out large-scale behavioral targeting, you’ll need a Data Protection Officer on staff to formally oversee all aspects of your data management process.

Transparency Requirements

Whether you use algorithms, machine learning, personalization, or some other technology to process personal data, you need to first notify and give them an opportunity to opt-out of it. Simply put, you need to show each individual what you know about them, where data is sent and who is responsible for storing and processing it, how you intend to use that information, how long you will store it, and whether you will be transferring outside the EU.

A prime example is the shopping cart and checkout process. You will need to clearly state which

payment gateway provider is processing payments for you and how personal data such as credit card details, email address and physical address will be processed and stored.


To collect data, you need to give consumers and employees a very clear and detailed view of all their options as relates to submitting their personal data. If you are using consent as the ground for such processing, remember that as per the GDPR, consent must be:

  • Freely given
  • Informed
  • Specific
  • Unambiguous

The following also apply if consent is used as the basis for processing the data:

  1. Even if you just want to share a person’s browser history with a third-party company, you need to get consent to share that data. When asking for consent, along with providing clear “yes” and “no” options, you’ll need to provide:
  • Name(s) of the company/companies you’ll be sharing the data with
  • How the data will be used
  • How long the data will be stored
  • How the individual can withdraw consent and access their data
  1. If you contact or interact with prospects or customers through more than one channel – e.g., phone, email, SMS – you need to provide options for individuals to give consent for each channel.
  2. You also need to give an option for the person to change their choices going forward.
  3. And you will need to maintain detailed records of all consent (see records of processing activities under Article 30 of GDPR).

Challenges to Overcome

Handling individual requests to access, correct, erase, or restrict the processing of their data

could quickly overwhelm your customer service group and other departments. After all, when someone makes one of these requests, the GDPR states you need to respond within a month. It’s easy to envision that the general public will become more aware of the GDPR as May 2018 draws near. That knowledge will likely lead to more requests about their data.

Depending on the person’s request, you may need to explain all the ways the data is being used, provide the reason you are storing the data, or immediately make changes to it or even delete it

from all systems. If someone does request to “be forgotten,” you will need to first confirm that no legislation outweighing the GDPR requires you to maintain that personal data. If you are not required to keep the data, you must remove it from your systems (and ensure you notify your partners to remove it from their systems). Imagine making sure this happens across all systems – even each employee’s hard drive where this data might be stored.

In addition to protecting each individual’s rights, giving them more control over their data, and protecting that data, your organization will need to be able to detect and assess security threats and breaches to meet the GDPR’s breach notification obligations. Your company must also be able to prove that it is addressing all GDPR requirements.

At SnatchBot, we are ready! Our compliance means you can be confident we are committed to ensuring the SnatchBot platform satisfies the standards and regulations that matter.

Chatbots will quickly prove themselves useful for GDPR compliance: they can help get consent, update information or offer accessible opt-out options for prospects. Essentially, they reduce the pain and the necessary steps required to update your customer, prospect or candidates’ files.