If you make international sales through your ecommerce business, you may have heard of the General Data Protection Regulation (GDPR) recently enacted by the European Union, but you might not really understand how it will impact you. However, with the GDPR going into effect on May 25, 2018, it’s important to be aware of the new requirements it will put in place concerning the ways you collect data from your customers and the steps you’ll need to take to ensure the security of that data.
What Is the GDPR?
The GDPR is a new regulation that governs the collection, storage and use of customer data by any companies doing business within the European Union. That includes businesses based in EU countries, of course, but it also applies to companies based elsewhere who sell to EU customers.
Under the GDPR, data is defined as any IP addresses, bank details, social media posts, photos, or identifying numbers, such as Social Security Numbers or National Insurance numbers. The collection of this data must always be opt-in, and that option must be clearly stated. Further, a “reasonable” level of security must be provided to any stored data, and there must be a clear and straightforward process in place for customers to delete their accounts along with any personal data that’s been stored.
The GDPR describes three main categories of actors in any transaction involving collection and storage of data. These include the Data Subject, defined as the customer, user or employee who is providing the personal data, as well as the Data Controller, which is the merchant providing the goods or services. The third category outlined is the Data Processor, and this consists of all third-party companies involved in the transaction, including Shopify, MailChimp, UPS, and other similar providers.
In order to comply with these regulations, sellers must ensure not only that they are following the new directives, but also that any data processors they use are doing so as well. Further, there must be clear processes in place that outline how the security of customer data is to be ensured.
On the front end, any place where data is collected must provide for a straightforward way for customers to opt in, and any third-parties that will have access to the data being collected must be listed. For larger companies, the regulation requires the appointment of a Data Protection Officer whose job is to monitor systems and report any misconduct or data breaches as they occur.
Under the GDPR, cookies are also considered personal data, and so it’s necessary to acquire clear permission from the customer to use them during a transaction. Because some cookies, such as those used to track what’s been added to an online shopping cart, are necessary to ensure a smooth user experience, it’s possible to ask the customer to give or revoke permission for each type of cookie individually.
The GDPR will impose stiff fines and other penalties for non-compliance. This makes it even more important that you ensure you have proper systems in place, and that your Data Processors do also. In anticipation of the implementation of the GDPR, Shopify has already taken steps to ensure compliance, and other large service providers likely have as well. As a seller, though, it’s your responsibility to check the processes for anyone who may be processing your customers’ data, including your mail delivery systems, accounting software, and other service providers.
The main goals of the GDPR are to give customers more control over what data is collected and to ensure that the data that is collected is kept securely. That means that encryption for all communication and transactions is required, and it also means that you should always err on the side of caution in choosing your language for use in opt-in data collection situations. Consulting with a lawyer is an important step to take to make sure you’re compliant ahead of the GDPR going into effect.
The rising awareness among consumers about the dangers of having so much unsecured data floating around is likely to drive the implementation of similar regulations to the GDPR in other parts of the world in the future. Taking steps to ensure your compliance is essential if you want to continue to do business in any EU country, or if you anticipate doing so in the future. Enacting these types of safeguards also helps to protect you from exposure to liability in the event of a data breach, which can be devastating financially and in terms of the reputation of your business.