It’s just over a month since the EU’s General Data Protection Regulation (GDPR) came into force, its arrival marked by the numerous emails many of us received from every company we had ever had dealings with, pleading with us to “stay in touch”. We wanted to give ecommerce business owners a quick round-up of the key things you should have checked, to make sure you haven’t missed anything needed to be GDPR compliant.
GDPR replaces the 1995 Data Protection Directive. The European Commission says that the GDPR “regulates the way businesses process and manage personal data”.
In a nutshell, it is an EU-wide framework for data protection legislation, which has been brought about to bring data protection rules up to date (a lot has changed technology-wise since the 1990s), as well as to create uniform rules across the EU.
The EU states that the GDPR applies to any business that:
“processes personal data by automated or manual processing (provided the data is organised according to criteria).”
Even if your company isn’t based in the EU but you offer goods or services to consumers within the EU, the GDPR legislation will still apply. So if you are a USA-based retailer but you ship to any country in the EU, then you need to be compliant.
Under the GDPR, companies are only able to process personal data based on one of six possible legal grounds. For most online store owners, this is likely going to be consent.
There are strict rules when it comes to what constitutes consent. These have been designed to ensure that individuals fully understand what it is that they are consenting to. It is vital that consent is given by an “affirmative act”, such as ticking a box. So avoid pre-ticked boxes on your online store and make sure your customers actively click a tick box to give consent. It’s common for the tick box to be on the checkout page of your online store, so the customer can consent while completing their order.
It is vital that consumers know exactly what they are consenting to let you use their data for, and that you then only use their data for those purposes. Be crystal clear about what your intentions are. If you plan to send them a newsletter each week or send them loyalty point rewards, this has to be stated.
The legislation says that it “must be as easy to withdraw consent as it is to give it”.
You could, for example, put an “unsubscribe” button right next to the “subscribe” button in your online store’s footer. It’s also good practice to add an unsubscribe link at the bottom of each email you send out. Make it simple for customers to withdraw their consent for you to use their data.
Customers can request that you delete their personal data entirely in some circumstances. This must also be a simple process. Make sure you have an easy way to delete customers’ data from your ecommerce platform’s backend system. With Shopify this can easily be actioned from the customer’s dashboard.
Under the GDPR, notification of a breach that “poses a risk to individual rights and freedoms” is mandatory within 72 hours of becoming aware of it. Customers may also have to be notified if the breach “poses a high risk to those affected”. Ensure that you have planned how you will do this and are prepared for it.
GDPR requirements can seem overwhelming. At the heart of it all, it is about protecting your customers’ personal data.
Non-compliance can result in hefty fines. If you are at all unsure about what you need to do to comply with the new regulations, speak to a specialist solicitor as soon as possible.
P.S. Please do not take this post as legal advice. Seek professional advice when it comes to your own online store’s GDPR requirements.