On Friday 25th May 2018, the new EU General Data Protection Regulation (GDPR) will come into effect, changing the way that businesses obtain, process and store customer data.
This legislation will replace the existing Data Protection Act and will become the most comprehensive data protection law in the world. In fact, regardless of whether you are based in the EU or not, if you have any European customers, the GDPR will impact your business.
What is Linnworks doing to comply with the GDPR and support its customers’ compliance?
Customer data is at the core of our business at Linnworks, and we are fully committed to complying with the GDPR in delivery of our service to our customers and partners.
We have examined the relevant provisions of the GDPR and are making appropriate changes to our software, contracts and documentation to support both Linnworks’ and our customers’ compliance.
As a third-party service provider with access to your customers’ data, we will be introducing new data purge functionality within Linnworks.net, which will allow you to appropriately handle any data requests from your customers.
While we would urge you to read our article which explains in greater detail what you should be doing to comply with the GDPR, if you are a Linnworks account holder this new functionality will specifically enable you to:
- Delete all data from the system up to a certain point in time
Linnworks account holders will have the ability to purge (permanently erase and remove) data from the system, from the date that the first order was placed or the last data purge occurred (earliest data stamp), up to a specified date.
Should a customer request to be removed from your database (in line with the GDPR’s right to erasure), you will be legally obliged to erase all of their data from within Linnworks.
It's also important that, in the event of a data breach, you are able to demonstrate that your business has been proactive rather than reactive. A best practice for doing this is to delete all data associated with a customer who hasn't purchased from you within a certain time frame. Keep in mind that this time frame will differ from business to business, and you should seek expert advice on what this would be for your company.
- Obfuscate customer data up to a certain point in time
Data obfuscation differs from data purging, in that it masks data to prevent unauthorised access to sensitive information, as opposed to permanently erasing the data.
Data anonymisation is encouraged in the GDPR, as it can significantly reduce the risks associated with data processing, while still maintaining the data’s utility.
Within Linnworks, there will be the option to obfuscate all customer data up to a certain point in time. This method will replace the customer name, first line of their address, email and phone number with random characters (e.g. ****).
It will also delete billing details for all orders, email communications, related order notes and the audit trail.
- Obfuscate customer data for a specific contact
In addition to being able to obfuscate customer data up to a certain point in time, Linnworks account holders will also have the option to obfuscate (mask) data for a specific contact.
- Find customer data
Linnworks account holders will be able to easily find all entries in the system related to a customer. This search can be performed using:
- Customer name
- Business name
- First line of address
- Email address
- Phone number
- Channel buyer name or reference
- Create an API token to enable the data purge methods to be executed from third-party applications
Linnworks will be equipped to handle any access requests from third parties that you may appoint to manage the deletion of customer data.
As an eCommerce business, it is likely you will share your customers’ personal data with other providers such as your accounting system, customer service platform, and the individual marketplaces and website platforms you are selling through.
Given the severity of the GDPR and the consequences for failing to comply, we anticipate that there will be third-party services that will be able to manage this collectively.
Should you wish for a third-party provider to access your data from within Linnworks to perform data purge or obfuscation on your behalf, you, as the account holder, will be required to create an external access token, which provides an added level of security.
Important information for account holders
As previously mentioned, the data purge, obfuscation and customer data search functions are available only to Linnworks account holders.
You should keep in mind that data will not be recoverable once obfuscated or purged, and there will be safeguards in place to protect against accidental deletion.
While this functionality is still in Beta, it will be released prior to May 25th. Full documentation on how to use this new functionality will also be released in due course.
To learn more about preparing your online business for the GDPR, have a read of this guide.