Protecting end consumer's PII (Personally Identifiable Information)

What is happening?

As we are expanding into international markets, we need to comply with international data privacy and GDPR laws. 

What is GDPR?

The General Data Protection Regulation (GDPR) is a legal framework that sets guidelines for the collection and processing of personal information from individuals who live in the European Union (EU). Since the regulation applies regardless of where websites/software are based, it must be heeded by all that attract European users, even if they don't specifically market goods or services to EU residents. GDPR regulates and protects the processing of personal information. It outlines new data protection laws and principles that expand the privacy rights, granted to individuals. 

In a nutshell, the GDPR establishes rules on how companies, governments, and other entities can process the personal data of citizens.

What is Personally Identifiable Information (PII)?

Personally Identifiable Information (PII) is any piece of information meant to identify a specific individual. This includes data such as an individual's name, financial accounts, email addresses, login credentials, addresses, phone numbers, and date of birth.

This information is your unique identifier, singling you out among billions. 

Why does the end consumer's PII need to be protected?

Without any guidelines to restrict storage and usage of end consumer's PII, there is always a risk of this data being compromised. This data can then be made available for all sorts of frauds including phishing and pretexting scams, mailbox theft, financial theft, etc.

Some of the biggest data breaches in India in recent times

• PII of 180 million Domino's India pizza customers went out of sale on the dark web in April 2021.
• Police exam database with information on 500,000 candidates went up for sale in February 2021.
• COVID-19 test results of Indian patients leaked online in January 2021.
• BigBasket user data went up for sale online in October 2020

What are we doing to be GDPR compliant?

Challenges in storing or sharing (with sellers) end consumer's PII, while being GDPR compliant

• Architectural restriction - There are common integration touchpoints with marketplaces that cannot be customized for each seller.
• Legal contractual challenges - International clients demand company-wide GDPR compliance. So it is not viable to have a different architecture for international and domestic clients. 
• Very little ROI (Return on investment) in providing you with this data as this information is already available at marketplace seller panels or your own e-commerce portals.
• Huge penalty on DSR violations

We will be taking the following actions

• Store a Client's (Brand's) data in their particular region.
• Do not store any linkage between end consumer PII (e.g. email, phone, address in our system).
• In relation to the above point, anonymized PII information will be stored in our database tables.
• B2C Invoice and Shipping Label documents will be deleted after one week.

PII information that will not be available

• Customer's name
• Email address
• Contact number
• Address

Non-PII information that will be available

• Pin code
• City
• Country