How privacy law could impact on-line/e-commerce businesses?

November 01, 2022

Privacy is an individual's right, and his or her control over personal details is irrefutable.

Enforcing privacy and security by design and by default, in practice and in behavior, so as to defend against access by unauthorized users and misuse of Personally Identifiable Information (PII), is a critical concern for e-commerce businesses. E-commerce businesses that collect financial information such as bank account numbers, credit card numbers, or social security numbers must be especially protective of this sensitive data.

Privacy regulations have been in place for a long time: the German state of Hesse enacted the world's first data protection legislation in 1970, and many more followed in other countries and sectors, but adherence was weak. Since May 2018, when the EU General Data Protection Regulation (GDPR) came into force, the gravity of enforcement, and hence the way businesses approach the handling of personal information, has changed considerably.

We are a team of Data Privacy experts working with MBG Corporate Services, UAE office. We have been supporting our e-commerce customers in assessing, evaluating and implementing privacy and security frameworks in their environments, using our consulting capabilities to help build a secure and protected environment for personal and business information. Our Data Privacy team combines skilled and experienced individuals who help organizations implement global privacy frameworks in a professional and diligent manner and build a culture of Data Privacy within the organization.

Importance of Privacy in e-commerce business:

Data privacy and protection regulations govern how an organization works when handling the Personally Identifiable Information (PII) and Sensitive Personal Information (SPI) of its customers, employees and third parties. For individuals (data subjects) who wish to engage online and use e-commerce services, trust in the entity collecting and processing their personal information is maintained through transparency: keeping them informed about how their PII is going to be handled. Businesses that ensure data privacy and protection frameworks are formalized, implemented, and followed within their organization pass the test of trust with data subjects and gain an enhanced brand reputation.

For a business, data privacy goes beyond the PII of its employees and customers. It also covers the information that helps the company operate, whether that is proprietary research and development data or financial information that shows how it is spending and investing its money.

When personal data is handled inappropriately, the likelihood of security incidents resulting in financial or reputational loss increases, and e-commerce businesses face a greater chance of a compromise resulting in a data breach. It is therefore crucial to put watertight security measures in place and to hire a skilled team to ensure Data Privacy for the business.

Privacy Regulations applicable to e-commerce businesses within UAE

Some of the most important regulatory privacy frameworks that may apply to an entity doing business in a given geography include, but are not limited to:

  • Federal Law No. 15 of 2020 on Consumer Protection: The law aims to protect all consumer rights, including the right to a standard quality of goods and services and the right to obtain them at the declared price. The law requires suppliers to ensure consumer privacy and data security and to refrain from using consumer data for promotional and marketing purposes.
  • Federal Decree-Law No 45/2021 on Data Protection (DPL): The UAE Personal Data Protection Law (PDPL) regulates how the personal data of UAE data subjects, meaning individuals, can be collected, stored, and processed, and gives data subjects rights to control their personal data.
  • DIFC Data Protection Law of 2020: Regulates how the personal data of data subjects within DIFC free zone is handled, ranging from collection, storage, use, sharing, archiving, and disposal, and gives data subjects rights to control their personal data.
  • ADGM Data Protection Law of 2021: Regulates how the personal data of data subjects within ADGM free zone is handled, ranging from collection, storage, use, sharing, archiving, and disposal, and gives data subjects rights to control their personal data.
  • National data protection laws: Many countries, such as Qatar, the Kingdom of Saudi Arabia, Japan, Australia, Singapore, and others, have comprehensive data protection laws. Some, like Brazil's General Law for the Protection of Personal Data and the UK's data protection regulation, are quite similar to the GDPR.
  • California Consumer Privacy Act (CCPA): Requires that consumers be made aware of what personal data is collected and gives consumers control over their personal data, including a right to tell organizations not to sell their personal data.

Privacy concerns in e-commerce business

As the e-commerce industry has grown steeply, online transactions have grown many times over, and this has attracted the attention of malicious actors in equal measure. E-commerce cybercrime reports reveal that the e-commerce industry is among the most vulnerable and most targeted environments for cyber criminals. The e-commerce world experiences about 32.4% of all cybercrime attacks.

Below are some of the potential threats, listed on the basis of our analysis and industry experience, that could affect our customers' e-commerce businesses and lead to compromises:

  1. Denial of Service or Distributed Denial of Service attacks

A distributed denial-of-service (DDoS) attack occurs when multiple machines operate together to attack the e-commerce site and server. The site and server are flooded with malicious requests that stop the site from working properly and render it inoperable. These attacks are disruptive, costly, and affect overall sales.

  2. SQL injections

SQL injections are cyber-attacks used to manipulate backend databases and access information that was not intended to be displayed. Attackers can inject rogue code into the database to access data as well as delete it.

  3. XSS attacks

Cross-site scripting (XSS) is a type of attack in which malicious scripts are injected into websites and web applications for the purpose of running on the end user's device.

  4. Customer journey hijacking

Customer journey hijacking (CJH) is a customer-side phenomenon whereby unauthorized advertisements are injected into consumers' browsers. The injected advertisements can include product ads, pop-ups, banners, and in-text redirects.

  5. Credit card fraud

Credit card fraud is the unauthorized use of a credit or debit card to make a purchase. The card numbers can be stolen from unsecured websites or obtained through an identity theft scheme.

  6. Bad bots

Bad bots are designed to perform a variety of malicious jobs. They are capable of stealing content from the website, such as product reviews, product pricing and catalogs, which they then publish on some other site. This affects the search engine ranking of the retailer's website. Bad bots can also make many page visits within a very short period, straining web servers and making the site slow for genuine users.

Data Privacy & Protection Approach E-commerce Businesses Need to Adopt

Although data privacy concerns have been a part of online business since the inception of the Internet, in the past few years the evolution of privacy laws has brought a drastic shift in how companies are expected to handle user data. For many years, online businesses would create a privacy policy that was very one-sided and typically granted the company a broad range of rights concerning what data it collected, how it collected it, and how it chose to use it.

The classical approach to user privacy no longer works: consumers are more sensitive than ever to how their data is collected and used by the sites they visit, and they have been pushing back on e-commerce businesses and demanding more transparency and control over their data.

A combination of security controls, privacy-enhancing technologies, and a better understanding of the technical aspects of data protection is what establishes a sound e-business operating environment.

MBG has helped many of its customers to inculcate a culture of privacy within their environment by implementing a data privacy framework, including appointing a Data Protection Officer, obtaining unambiguous consent from data subjects, disposing of data efficiently, and making employees aware of Data Privacy.

How MBG can help

  • Formulating and implementing a Privacy Policy governing the e-commerce business
  • Performing a Data Protection Impact Assessment
  • Identifying risks and providing mitigation plans for the identified risks
  • Implementing a privacy framework in the organization, including drafting policies and procedures aligned with the privacy regulation applicable to the organization
  • Implementing technical controls based on Privacy & Security by design and by default
  • Implementing a Data Breach Management Framework
  • Providing Data Privacy Awareness training

Conclusion

Handling data is an important part of running an e-commerce business today. Security breaches and fraudulent uses of data have made customers more concerned about their privacy and security. To combat these privacy risks, government regulators and legislators have enacted a large number of data privacy laws governing the collection and use of user data, with which every e-commerce business should comply.
