GDPR will affect e-commerce businesses, are you ready?
The EU is cracking down on personal privacy and the way businesses are treating the data that they collect from customers. E-commerce businesses, most especially, have to pay attention to what’s to come with this new law being enacted at the end of May 2018.
If you’re a company that does email marketing as a part of its marketing efforts, using tools such as Drip or Klaviyo, to collect data, then yes, this affects you. Drip recently published a GDPR-prep post on what you should do to start prepping as well as breakdown the precautionary measures that they will be taking.
If you haven’t heard of GDPR until now, let’s first explain what exactly it is and who it affects.
What is GDPR?
General Data Protection Regulation (GDPR) is a regulation that the EU has actually been planning for the last four years. Its main goal is to protect the data privacy of the citizens of the European Union. While the EU has always had a data protection law in place, the changes that are upcoming are strictly being put in place to account for the growth that has risen in the data-driven world. One of its major protections is that it protects anyone that resides in the EU, and not only does it affect companies that do business in the EU, but it also affects companies that collect data from EU citizens.
The GDPR distinguishes three parties when it comes to those being affected:
Data Subjects: This is your customer
Data Controller: This is you (the company)
Data Processor: This is your tool or tools (i.e. Drip, Klaviyo, Shopify, Hubspot, or whatever tools you use to collect and store customer data)
What’s at stake? (aka how much will it cost you if you don’t comply)
The fines are hefty. Any company that’s in breach can be fined up to $20 Million dollars. Yes, you read that correctly. It’s the maximum fine for the most serious infringement, which is not having proper consent from its customers.
In the regulation, there are a number of rights that customers have and that companies need to comply with in order to be in compliance with the GDPR. Here’s a list of the top ones as listed on GDPR main site.
It’s all about consent
One of the main regulations of the policy is that companies must have proper consent from their customers to process their data and the acceptance of consent cannot be hidden in a long terms and conditions document filled with legal terminology. It must be in plain English. Just as well it must be easy for customers to withdraw consent as it is to give consent.
What does this mean for e-commerce?: No more pre-filled “opt-in” checkboxes. This also means being clear and explicit about any third party companies that the subject’s data may be passed along to. These have all be common marketing practices for many marketers, but the law may force a change.
This basically states that companies have to immediately notify their customers (within 72 hours of finding out about breach) if there has been an internal breach of data and customers’ data have been compromised.
Right to Access
This section ultimately gives power back to the subject (customer). Under this protection, companies are required to provide full transparency in the data they collect from the customer and how they process it. At any time, the company will be required to provide the customer with all the data that they collect on their subject if ever asked.
Right to be Forgotten
The right to be forgotten is one of the more talked about aspects of the GDPR. Customers have the right to ask for a complete erasure of all of their data and companies must comply as well as make sure this data is removed from any third party databases as well.
What does this mean for e-commerce?: This might be especially relevant for any companies that have a subscription or membership based company. You must make it easy for the customer to cancel or remove their data. No more requirements to call customer service in order to cancel.
Customers will have the ability to request that their data be easily moved from one provider to another, at their request.
So what exactly defines ‘personal data’?
This is a common question, and the GDPR classifies personal data as any information that can individually identify a person. These items can be name, photo, email address, bank details, posts on social networking Sites, medical information or computer IP addresses.
How much time do you have?
The new policy officially goes into effect at the end of May 2018. There will be, however, a 2 year grace period that will give companies time to get everything in order. That being said, companies should start taking necessary actions now. This especially means working with legal teams to understand what exactly needs to be done and what needs to be changed in current term and conditions and privacy contracts.
All in all, the GDPR is coming and it has been something that has been keeping many companies in a bit of a panic lately. Its tough to fully understand how this will affect companies individually, but most companies are taking the better safe than sorry approach. Encryption goes without question in all scenarios.
I’ve even seen some companies go as far as to say that they will be eliminating the collection of data from customers in the EU. While that’s a valid solution, it really shouldn’t be the safeguard approach that companies look to take. There’s a very good chance that the GDPR will not be the first of its kind. With data collection and privacy, and all of the recent breaches that happened just in the past year alone (err-hem, Equifax), we just may see more and more countries following suit in the way of the EU GDPR.