Or: At what stage are the data and information in an e-commerce process most sensitive?
“Data protection (84.4%), cost transparency (83%) and menu transparency (80%) are the most important success factors.” (Leitfaden E-Marketing & E-Commerce)
Ever since the Internet revealed its many possibilities and potentials, and especially since it ceased to exist as a parallel universe competing with the “real world”, our rights to privacy, data protection and information security have become more sensitive, and we have become more exposed, than ever before. Accordingly, this field is rapidly becoming more complicated as an increasing number of laws come into force to protect the rights of all market participants. And the right to privacy is one of the basic human rights guaranteed by the Convention (Article 8).
COMPLEXITY OF THE PROCESS
E-commerce, and its extension M-Commerce, is one of the most complex processes from the information security point of view. Almost all the laws regulating the areas mentioned above come together in this seemingly simple process. On top of the complex legal picture comes the dimension of infinity: the possibility of selling on all meridians, and with it the (non-)existence of national legislation and its peculiarities. Where are my servers located? What law protects my customer? Should I open a company in the USA / EU / Brazil or some other country that enforces some of the data protection laws? How can I resolve problems most easily?
If you were to ask your customers what they are afraid of when shopping online, most would answer with “misuse of information in the payment stage”. Only a few are aware that an e-commerce company could shut down if found misusing sensitive personal data, which is hidden in almost all phases of the e-commerce process. The customer will be less comfortable with someone stealing their bank account number than with someone stealing information about their sexual orientation or political beliefs, yet the latter could cost companies much more. Thus, the solution to the problem is multifold, depending on the viewpoint. More precisely, from the viewpoint of data protection and information security, problems are lurking everywhere.
A STEP BACK
Although the presentation of the offer is considered the first phase in the e-commerce process, ISO and DPO cause the process to take one step back at the beginning, i.e. to revert to the phase when sales are still being planned. This is not just about a responsible approach to work, but also a legal obligation. Some laws require data protection to be an active part of the process from the very beginning (GDPR, Art. 25, Privacy by Design). Besides, the preparation of a strategy requires some information, so it is very important to know whether this information can directly or indirectly identify a person. If so, pay attention to data protection laws in the countries where you have registered legal entities. Above all, it is important to make sure that the information about your plans sees the light of day only when it is least harmful to your online “baby”, and to implement all available measures to educate and inform the people involved in the production process, as well as other protection systems.
Creating a sales platform, as one of the first major steps, is technically one of the most complex endeavours. It is important to apply all the necessary technical measures, e.g. secure database, secured proxy server, technically predefined data access control, secure interfaces, etc. No less important are organizational measures, which include educating the team, drafting procedures and business rules, compliance with legislation, etc.
The moment your webshop goes live, you become the target of various malicious individuals and software, and you have a permanent obligation to protect yourself from them through password management, antivirus programmes, constant employee training, data encryption, etc. You are responsible for each piece of personal data you collect during user registration, which is why it is advisable to collect a minimum amount of data.
WHAT IS BEHIND ALL OF THIS?
If we agree that the secret of success in online sales is painting a picture of the potential customer’s needs, creating an offer, and presenting it adequately, we will also agree that a process of precise profiling is behind everything. Profiling is another sensitive point from the data protection viewpoint, provided it includes evaluation of a person in any sense. Through profiling, we come to several stages of the process which relate to product presentation, CRM and further customer relations, data storage and database management. In addition to the minimization principle mentioned above, keep in mind that the use of each piece of data must have its purpose. If you are collecting data for no reason, you are not on the right track. Add to that the principle that prescribes limited data storage (accuracy). As soon as you have fulfilled the purpose of taking and processing someone’s data, you are obliged to delete / anonymize it.
Integrity and confidentiality principles require you to secure data and information from unauthorized access and misuse by any party, even yourself. The best example is sending emails with commercial content. If the customer has not expressly and provably agreed to receive the commercial newsletter, you should not send it to them. Because the IP address is also considered personal data, if they did not consent to all cookie categories, you are not allowed to activate them. Most activities are allowed only if the customer agrees. There are, fortunately for those who rely on direct mailing, agencies which can sell you lists of email addresses of people who want to receive your commercial offers.
Data is most difficult to preserve during the payment stage, largely because it is most appealing to thieves and because it involves at least one other participant, so there is communication between at least two systems, which creates a weak point in terms of security. Security systems are being improved every day, and currently 3FA is one of the most popular. It usually consists of 3 different elements: one that I possess (card, token, etc.), one that I know (PIN, ID, etc.) and one that I get (e.g. TAN). This phase is far more complex and requires multiple protections, which is why the optimal solution is to use already tested, certified applications whose quality has been tested.
AT THE END OF THE CYCLE
Product distribution and the eventual return of goods are the last phases of each e-commerce cycle. In this stage, it is extremely important to be aware that you are also responsible for the data that is processed on your behalf, i.e. based on a contract concluded with you, by another person (supplier). You are responsible for all data collected through direct registration on the webshop or via cookies, and for handing it over to someone else to process it. If you do business in the EU, it is always better to choose a company registered in the EU, whose servers are located in the EU and which, even if it has headquarters on another continent, does not use data and information from the EU in global analyses.
Based on these few selected examples, you can guess how complex this process is and why it is important to avoid draconian penalties that would surely affect the destiny of your webshop. “You sell on the web by making it easy to buy” (Jakob Nielsen), and the more you try to simplify the process, the more complicated everything becomes for the other side. The more you try to be personalized, the deeper you step into the waters of personal data protection. This increasingly important issue is not new, but it is rapidly gaining momentum with the development of e-business. Catch up and surf without fear, because business will have no future without this.