What is GDPR and how will it affect my e-commerce business?
The deadline for GDPR, General Data Protection Regulation, is quickly approaching. On May 25th, the most comprehensive data privacy law will go in to effect across the world. This new privacy law will effect any business, large or small, who may interact with individuals in the European Union. With e-commerce making it incredibly easy to do business with anyone regardless of location, it could directly effect your store.
GDPR gives individuals specific rights to access, correct, delete or restrict processing of their data. It also specifies strict guidelines about how to gain permission or consent to use the customer's data. In additon, it specifies the definition of data, which can be found with all the other details on ICO.org.
As stated in the proprosal, the GDPR has three goals:
- Reinforce data protection rights for individuals.
- Facilitate the free flow of personal data in the digital market.
- Reduce administrative burden.
Because there is no way for certain to be sure of the location of individuals online, it would be beneficial for all e-commerce business owners to become GDPR compliant. If you are not already interacting with an EU market, being compliant is a great way to build that business. Another important reason for compliance is that if you do sell or market to anyone in the EU without being in compliance, the fines can up to $20 million euros (currently $23.5 million USD). Considering the cost of the fine, the cost of compliance is minimal.
How can I make my e-commerce business compliant?
A key factor of compliance will be in data collection and storage; therefore, consider the tips below:
- Enable the ability to quickly access records obtaining personal information so that you can supply, modify or delete it.
- Create a system to track the exact use of data and where it is distributed.
- Obtaining and recording statements of consent for joining the mailing list or tracking cookies.
- System in place to alert potentially effected individuals of a breach in data within 72 hours.
- Discontinue the pre-population of consent forms.
- Appoint a data protection officer to oversee the systems and monitor compliance.
- Notify all customers and potential customers of your GDPR compliance by stating it in the Terms and Conditions page and the footer of emails.
For most e-commerce businesses, the most cost-effective approach is to bring your practices in to compliance as opposed to trying to identify any EU customers and treat them differently. The burden of proof will lie with the business owner so in effect, it is better to be safe than sorry. On the bright side, at this time, the GDPR is not treating small businesses as strictly as larger corporations. For example, certain record-keeping requirements only pertain to companies with more than 250 employees.
How do I know if I am compliant?
You can use the checklists and self-assessment tools available through the UK’s Information Commissioner’s Office: https://ico.org.uk/for-organisations/resources-and-support/data-protection-self-assessment/.
Are the tools I'm using to help run my business compliant?
The majority of e-commerce businesses are utilizing additional software to assist with sales and marketing. As the business owner, you will want to ensure that the software you are utilizing is also in compliance.
As one of the largest, Google has gone to great lengths to reassure e-commerce store owners that it will be completely GDPR compliant by the deadline.
Another widely used software, Mailchimp, is also heavily invested in GDPR compliance. With all of the attention surrounding the privacy law, verifying the compliance of any company you are working with is as easy as a google search.
Disclaimer: The information presented on this website is for general information and discussion purposes only and may not be relied upon as legal advice. You should consult a licensed attorney before relying on the general information provided herein.