May 25th, 2018 marked the day the European Union’s newest data privacy law — the General Data Protection Regulation — went into effect. GDPR sets a new bar for privacy as the most comprehensive law in the world. Every company that collects and handles European customers’ personal data will be impacted. Retailers and brands planning to sell to European customers (in the EU or EEA), will need to ensure they are GDPR compliant.
The Key Points of GDPR for Retailers and Brands
GDPR gives people more rights over their personal data. Specifically, it gives customers the right to access, correct, delete and restrict the processing of their data. “Personal data” is defined rather broadly, however, with enough ambiguity to cover information like IP addresses, behavioral data and location data. Here’s the complete guide to the legislation and full GDPR statement.
GDPR names three types of groups affected by the new law.
- The Data Subject: The customer, user, employee — anyone located in the EU providing the identifying personal data.
- The Data Controller: The commerce companies acquiring, collecting, managing, using or storing personal data.
- The Data Processor: The internal teams or third-party services/solutions providing ecommerce, marketing and shipping to those commerce companies that process the data only as directed by the Data Controller (third-parties include solutions like Shopify, ERP systems, MailChimp, DHL, etc).
GDPR outlines strict guidelines about customer consent.
Ecommerce businesses and marketers (the Data Controllers) must now give clear opt-in consent options to customers. They must explain that customer data will be stored and how it will be used (including which third-party vendors will have access to their customer data). Pre-checked consent boxes or hidden language in mile-long user agreements are no longer acceptable forms of offering consent. Predictably, this will be most impactful on the marketing end of ecommerce — think personalization, profiling and any kind of marketing activity that involves big data processing.
GDPR requires stringent data protection.
It’s now both the controller’s responsibility — and the processor’s — to protect customer data. Larger companies must hire or appoint a Data Protection Officer, whose main responsibilities include reporting data breaches and misconduct to the Information Commissioner’s Office (ICO). Online businesses must have a stringent procedure to follow when a data breach is detected and report to both the ICO and data subjects within 72 hours.
Under the newest consent regulations, customers must see their rights and know how to exercise them on any ecommerce site. For example, a retailer offers customers the option to create an account. They then ask the company to delete their account and purchase history, actions for which the retailer is now responsible. The entire “right to be forgotten” process must be easily navigable, documented and clearly advertised for anyone wanting to delete their personal data. Check out a more thorough description here.
How Does GDPR Affect Ecommerce Businesses?
The GDPR applies to all databases, marketing, sales, HR and accounting. Start by comparing the GDPR’s requirements with your current measures.
Here’s a short list of things you need to do to ensure you comply with GDPR:
- Complete a Privacy Impact Assessment (PIA).
- Decide what data from EU you need to store and confirm you have the correct permissions.
- Ensure all the third-party applications used to support the storage of data comply with the GDPR.
- Revise the site's privacy policy and/or disclosures to comply with GDPR.
- Notify existing customers who may not otherwise be re-prompted to accept your new policy and seek their consent explicitly.
- Determine whether the company needs to appoint a Data Protection Officer.
- Make consent clear and actionable, as mandated by the GDPR.
- Determine what processes and functionality need to be established to comply with customers' new rights to access, correct, erase and export their data.
Then, take a deeper dive into the areas of the law undergoing the most sweeping changes, including subject access requests and the requirement of having data protection officers on staff.
How Can Flow Help You Be Compliant?
We construct our own systems, procedures and client tools following best-in-class security practices to ensure we — and our clients — are GDPR compliant.
We recently launched Flow’s “Consent Service”, a set of GDPR-specific tools enabling clients to manage the acquisition, recording and handling of customer consent. Within Flow’s console, clients can easily access each region’s “Customer Opt-ins” tab where they can quickly configure (1) opt-ins such as marketing, cookies, and agreeing to terms of service, (2) terms of service agreements and privacy policies, and (3) final sale messages.
Flow also provides the capabilities to:
- Secure and configure user permissions, which provides the ability to indicate which users have access to personal data and what functionality is available to them.
- To exercise their "Right to be Forgotten."
Although the GDPR introduced new (and some seemingly involved) requirements, the principles are generally the same as current data protection laws. For retailers and brands already compliant with current laws and working with processors who know and also comply with the law, those businesses are already on their way to being GDPR-ready.
This article is for informational purposes only, and should not be relied upon as legal advice. We advocate working with legal counsel to determine precisely how the GDPR might apply to your business.