E-commerce GDPR for Salesforce: Watch what data you capture
Making your Salesforce GDPR compliance strategy for e-commerce starts with monitoring the customer data you collect, starting with cookies -- and we don't mean the Keebler kind.
The European Union's General Data Protection Regulation will require that all companies doing business in the European Union, or online with EU citizens, protect the personal data and privacy of those citizens. That means Salesforce customers using Commerce Cloud with EU customers must develop e-commerce GDPR compliance strategies, too.
"GDPR is going to affect the e-commerce strategies and infrastructure of all U.S. companies that do business with Europeans, regardless of the head count or amount of revenue generated from the EU," said Gina Kang, senior vice president of marketing, North America for MPP Global Solutions Ltd., a subscription and billing platform.
Some of the ways GDPR affects e-commerce in particular relate to practices around capturing CRM information about customers or online prospects visiting an e-commerce site, including cookies, IP addresses, purchase history and addresses. These types of information can improve sales, prime recommendation engines and streamline the checkout process.
Digital commerce providers on Salesforce Commerce Cloud will have to create a compelling reason and associated messaging to encourage consumers to allow businesses access to their data. But for e-commerce GDPR compliance, they'll need policies and procedures in place to delete that data when asked.
The paradigm of consumer-owned data
Until GDPR, most privacy regulations were designed around a model where the business owned the data that it had collected from consumers, but the business had to disclose how it was using the consumer's personal information that it held. The most stringent regulations gave the consumer some control over how their data could be used, stipulating that the consumer could control whether the business could communicate with them or not.
John Joseph, vice president of marketing at Scribe Software, which provides integration platform as a service (iPaaS), said that "GDPR changes all that by introducing an entirely different ownership model of the data. For the first time the consumer/buyer has been given complete ownership of their data. The business is able to use the data, but only in specific ways the consumer/buyer allows and for only as long as the consumer/buyer bestows that privilege to the business."
This change affects any business or person that collects or processes personally identifiable information on EU citizens, regardless of whether they are a multinational consumer products company or a small, specialty manufacturer. E-commerce GDPR compliance, then, requires systems and policies that know where that data lives and how to handle it according to the customer's wishes. (See "General Data Protection Regulation checklist," and for more comprehensive information, see Latham & Watkins' "GDPR Compliance Checklist.")
"It also applies to every CRM subset," Joseph added, "so whether you use personally identifiable information in your sales, marketing, e-commerce or support processes, you have to treat it in a way that maintains the rights of the consumer/buyer."
A higher standard of governance and control for data flows
To maintain the rights of the consumer in e-commerce GDPR compliance, businesses must have much greater control over their data flows. They must not only control core systems, such as the different CRM modules for marketing, sales, e-commerce and service, but all subsequent systems, such as SQL databases and analytics and reporting systems that use data from those core systems. E-commerce businesses will need to audit these data flows, particularly as they cross cloud and geographic boundaries.
Integration platforms for weaving e-commerce-related services together have traditionally focused on reliable data synchronization across cloud services. Now, enterprises will have to ensure their integration strategy or integration provider also includes measures for ensuring that customer data is tracked.
"This will require tighter governance rules and tighter coordination between different parts of your company and with third parties with whom you may share your data, such as an outside marketing firm," Scribe's Joseph said. "These relationships have to be much more transparent and available on demand."
There also need to be mechanisms to delete data from e-commerce services easily and efficiently in order to achieve Salesforce GDPR compliance. It is also important that enterprises establish a strategy for ensuring that European customer data stays in services in Europe. This will also require examining the business processes for these third-party services to ensure that no data accidentally leaks out of Europe.
Purchases do not create consent
MPP's Kang expects retail vendors to be particularly saturated with e-commerce GDPR challenges. "With international brands like Burberry, Zara, J. Crew, etc., a lot of their outreach and marketing efforts are through email, so it'll be absolutely crucial for their database to be kept current and as fully opted in as possible. Those emails are how their happy and loyal consumers know about new releases, promotions and collaborations, so it is a mutually beneficial exchange."
Online retailers also need to establish clarity across the organization regarding the meaning of consent. Buying a product or service no longer qualifies as meaningful consent under the new law. Data must only be used for the purposes intended and for which consent has been specifically granted.
"The days of adding customer email addresses en masse to marketing lists are over," said Matt Harris, co-founder and CEO at Sendwithus, an email marketing service. "An email address collected in conjunction with an online purchase, for example, cannot be used to send marketing emails unless the customer has granted specific and express consent to receive such emails."
Build a privacy portal
E-commerce sites should also add a privacy portal into their shopping platforms. This needs to be backed by a collection of internally crafted privacy services or third-party cloud services that can automate these processes.
Scribe's Joseph said, "Organizations probably have an opt-out policy and privacy policy in place, but they now [also] need to create controls that allow consumers/buyers to have their data deleted on demand."
They also need a process to communicate, in a personalized manner, with all people in their database to inform consumers of data breaches and to handle data requests from consumers. Also, expect the emphasis to be less on email and more on demand-gen channels such as advertising and search engine optimization to promote products and content to communities.
E-commerce sites also need to demonstrate value to customers willing to share their data. This can include highlighting the benefits of easier reordering, making better product recommendations, and rewarding customers for leaving reviews.