It’s 2019 and that means if you run an e-commerce store and haven’t yet thought about GDPR, you need to start today! If you’ve never heard of GDPR or didn’t think it would affect you, it’s not too late to make changes.
In this post, we’re going to take a look at GDPR, understand who needs to concern themselves with it and what steps you can make to ensure you’re always compliant.
What is GDPR?
GDPR stands for General Data Protection Regulation.
It was introduced to protect the way personal data about European Union citizens is stored and used.
It’s not supposed to be a scary thing. It simply sets out rules for how personal data about EU citizens can be handled, both within the EU and outside it.
If you sell to people in the EU, especially, you should concern yourself with GDPR.
Even if you don’t sell your products within the EU, you should still pay attention to GDPR as you don’t want to end up being non-compliant if, for example, you end up storing data about an EU citizen.
The idea of data regulation isn’t completely new. One of the many benefits of GDPR for e-commerce merchants, however, is that it provides one streamlined set of rules.
In previous years, different EU countries had different rules. Now the rules are the same across all of them.
When did GDPR come into effect and who should be concerned?
The GDPR came into effect on May 25, 2018. This means that there could be instances where you’re not compliant. If this is the case for you, there’s still time to make changes. You’ll find out exactly what those changes need to be further down in this post.
Anyone who requests and stores personal data should concern themselves with GDPR.
Some people make the mistake of thinking that because they’re not based in the EU, their e-commerce business isn’t affected by the new legislation.
This couldn’t be further from the truth.
In fact, if you’ve ever handled an EU citizen’s or resident’s personal data, you should be applying the changes.
If you think you might not need to think about GDPR, it’s best to err on the side of caution and assume that you do. That way you’ll always ensure you’re handling your customers’ data with complete transparency.
How GDPR affects e-commerce store owners
GDPR affects e-commerce merchants. Ignoring GDPR’s existence could lead to huge fines.
The basis of GDPR is to give citizens and residents of the EU better control of their data.
This way they get to control who has access to their personal data and how it’s used.
When you think about it in that way it doesn’t seem that bad at all. How many times have you signed up for a service or product only to receive endless emails from them?
With the GDPR, businesses are now no longer able to do this.
As a consumer, if you want your data modified or deleted, you have the ability to request this and it will be done.
GDPR non-compliance fines
We’ve mentioned that failure to comply with the new GDPR legislation could lead to hefty fines for your e-commerce store.
You might have to pay up to 10 million euros or 2% of the annual worldwide turnover for the previous year if you’re found non-compliant with the new rules.
Or you might have to pay up to 20 million euros or 4% of the annual worldwide turnover. This fine is for any company that has a data breach where European citizens’ personal data has been compromised.
As we’ve stated above, GDPR is there to help put the power of personal data in the consumers’ hands.
What this means is that without prior consent, you are not able to store or access their personal data.
If, for example, you find a list of 100,000 email addresses and think it would be a good idea to send them all an email about your latest product – don’t. These people haven’t given you consent to contact them.
As such, you’re not allowed to email them.
There are various ways to get consent. If, for example, you have a newsletter sign-up form, this is classed as getting consent.
In this example from BooHoo, if a customer fills in this form, you now have consent to contact them via email.
Not only do you need to get consent before you collect any data, but you also need to make sure that you protect the data you do have.
What this means is that you store and process the data in a way that minimizes the risk of a breach.
If you do have a breach of data, then make sure you inform all your customers as soon as possible.
According to the new legislation you only have 72 hours (after an attack) to let your customers know.
The issue is, you’re now liable to be fined – but if you don’t let your customers know you’ll be in a much worse position.
Your customers and potential customers now have the power as to how you use their data. If they want to know what data you have stored, they can find out.
If they want their data deleted, they can do this.
If they need to make changes to their data, you need to make sure this happens.
What this means is that if a customer reaches out to you and asks you to delete your data about them you should do so in no longer than a week.
Final thoughts – keep data privacy at the forefront of your business
So what does this mean for e-commerce businesses?
Well, in short, it means that you need to put greater thought as to how you collect and store data.
Your customers (rightly so) have the power when it comes to their data.
But the good news is that as long as you’re compliant in the ways you collect and store data, you’ll face no issues and GDPR will actually be a good thing.
After all, you’re only sending your marketing messages to those who really want to hear from you.