We know, it’s not 2018, but the General Data Protection Regulation (GDPR) is still very much relevant. Even four years later, a lot of eCommerce store owners and digital agencies find themselves challenged by GDPR and its implications.
Don’t get us wrong, GDPR is a good thing that is meant to protect users’ personal data and provide individuals more control over their personal data. But for many businesses, it’s a bit complicated and hard to follow, the things to consider are overwhelming, and the penalties are quite frightening.
That’s why we decided to write this piece, to offer a comprehensive (but practical) guide to GDPR compliance for eCommerce. It will show you how to implement GDPR requirements quickly and easily.
First, let’s define what GDPR is.
WHAT IS GDPR?
GDPR is a regulation or data protection law in Europe (by the European Union), that took effect on the 25th of May 2018 and replaced the Data Protection Directive (DPD) from 1995.
It stands for General Data Protection Regulation and sets the tone for how European residents’ personal data should be collected, stored and handled. Personal data means “any information relating to an identified or identifiable natural person.”
It offers consumers eight individual rights: to be informed, to access, to rectify, to erasure, to restrict processing, to data portability, to object, and rights concerning automated decision-making and profiling.
The important thing to note is that while it applies to EU residents, it should be a concern for all businesses that offer goods or services in Europe or monitor EU users' behavior in some way. Even one EU customer is enough to create legal obligations for an eCommerce store.
WHO IS AFFECTED BY GDPR
Well, pretty much everybody, or everybody that is doing business with EU citizens. For that matter, if your client’s eCommerce store is available in Europe, they have to comply with GDPR.
WHAT DOES GDPR MEAN FOR ECOMMERCE?
Since eCommerce stores handle a lot of private information, such as names, email addresses, shipping info, phone numbers, credit cards and more, they are required to abide by GDPR (as long as they cater to EU citizens).
Non-compliance with these legal requirements can have severe consequences for business owners.
The fines are enormous and can amount to 20 million euros or 4% of global turnover, whichever is higher. Giants like Google and Amazon have already been fined. Others, such as Etsy and eBay, shut down their EU operations until they were compliant.
So as an agency that manages eCommerce sites for SMBs, you need to watch and adapt the way you collect, use, store and share personal data so that it complies with GDPR. For reference, IP addresses and cookie identifiers are also considered personal data, as online identifiers. So are genetic data, social media profiles, biometric data, location data, political opinions, religious beliefs, health data and more.
Furthermore, the GDPR states that children cannot give legal consent, as they may be less aware of the risks, consequences and safeguards of sharing data. This means data controllers must know the age of consent in the particular EU countries they serve.
But what does GDPR really mean for eCommerce sites? Let’s review a complete checklist to understand.
GDPR CHECKLIST: MAKING ECOMMERCE WEBSITES GDPR-COMPLIANT
Wouldn’t you love a checklist of primary action items to sort through the clutter of this GDPR mess? This checklist should organize things for you and allow you to understand the scope of the GDPR-compliant project and legal requirements for eCommerce companies.
However, this information is by no means a substitute for legal advice. Be sure to consult with a legal representative with GDPR expertise.
So let’s get started…
- Conduct an information audit / data mapping - This kind of project should start with an audit to understand where you are and where you’re going with regard to GDPR compliance. It’s important that you answer two key questions: what information do you process, and who has access to it?
- Document like crazy - Keep a list of the user data you store: its type and categories, its sources, who can access it, who you have shared it with, the legal basis for holding it, the reasons for collecting it and when you will no longer need it.
- Appoint an in-house data protection officer (DPO) - If you have more than 15 employees, you have to appoint a dedicated person to ensure GDPR compliance and create a project timeline.
- Collect only the data that you must have - Minimalism, people! Collect only the customer data you’re actually going to use to run the online store. For example: should you keep credit card information once the checkout process is completed? And for how long?
- Be as transparent as possible - Make everyone aware of the various measures you’re taking to be compliant, and provide a clear and easy way to refuse sharing data. Opt-out options, terms and conditions, privacy statements: all of these must be in front of users.
- Tend to your privacy policy - Make sure the privacy policy is clear so that users are able to understand it. In the privacy policy, you must state what information is being collected and explain the specific purpose of collecting it. In addition, the privacy policy also applies to any organization that makes use of this data. Also, notify existing customers if you update the privacy notice.
- Update your Terms and Conditions - Your Terms and Conditions page should include the basis for data processing.
- Active opt-in forms - Contact forms should have tick boxes or other opt-in methods to make sure the user accepted the terms of using the website or app and gave explicit consent to be contacted. “Silence, pre-ticked boxes or inactivity should not constitute consent.” It’s also advisable to use double opt-in, though it’s not mandatory. One last thing: users must be able to withdraw that consent at any time.
- Clean up your mailing lists - Make sure everyone on your mailing lists has given consent. Also, allow subscribers to manage their preferences and opt out of email marketing, and unsubscribe users who didn’t give consent.
- Use a website builder that supports building GDPR-compliant websites - Your chosen website builder/CMS should offer specific tools and elements to help you make your clients' websites GDPR-compliant. For example, Duda provides you with a privacy page template that you can add to every site, an easy-to-customize cookie notification, a free SSL certificate for safer sites and more. Click here to learn how Duda’s got your back when it comes to GDPR-compliant websites.
- Be safe - It’s your responsibility to take appropriate security measures and to use up-to-date security systems to protect the data you collect, whether that’s firewall software, applications or antivirus software. If you experience a personal data breach, be sure to report it to the supervisory authority (such as the Information Commissioner’s Office, or ICO) within 72 hours.
- Legalize your 3rd-party relationships - It’s not enough to sign contracts with the 3rd-party services you share data with. You have to state clearly the reasons for processing the data, its duration, the data type and so forth. The GDPR states that all data controllers must ensure any third-party data processors are compliant as well.
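A minimal consent ledger that puts the opt-in, double opt-in, withdrawal and mailing-list items above into code. This is an added example, not code from the original post or from Duda; the class, method and form-field names (such as `marketing_consent`) are assumptions.

```python
# Added example (not the original post's or Duda's code); names are hypothetical.
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

@dataclass
class Consent:
    email: str
    purpose: str  # e.g. "email_marketing"
    policy_version: str  # privacy notice version the user agreed to
    given_at: datetime
    confirmed_at: Optional[datetime] = None  # set when double opt-in completes
    withdrawn_at: Optional[datetime] = None  # set when the user withdraws

class ConsentLedger:
    def __init__(self) -> None:
        self._records: dict[tuple[str, str], Consent] = {}

    def record_from_form(self, form: dict, purpose: str,
                         policy_version: str) -> Optional[Consent]:
        # A browser only sends a checkbox field when the user ticked it, and the
        # server assumes no default, so silence or inactivity never becomes consent.
        if form.get("marketing_consent") != "on":
            return None
        consent = Consent(form["email"].strip().lower(), purpose,
                          policy_version, datetime.now(timezone.utc))
        self._records[(consent.email, purpose)] = consent
        return consent

    def confirm(self, email: str, purpose: str) -> bool:
        # Double opt-in: called when the link in the confirmation mail is used.
        rec = self._records.get((email, purpose))
        if rec is None or rec.withdrawn_at is not None:
            return False
        rec.confirmed_at = datetime.now(timezone.utc)
        return True

    def withdraw(self, email: str, purpose: str) -> bool:
        # Withdrawal works at any time; the record stays as evidence it was honoured.
        rec = self._records.get((email, purpose))
        if rec is None:
            return False
        rec.withdrawn_at = datetime.now(timezone.utc)
        return True

    def mailing_list(self, purpose: str) -> list[str]:
        # Only confirmed, unwithdrawn consents reach the mailer.
        return sorted(r.email for r in self._records.values()
                      if r.purpose == purpose and r.confirmed_at is not None
                      and r.withdrawn_at is None)
```

The ledger keeps withdrawn records with their timestamps rather than deleting them, which is what you need when asked to show that a user's opt-out was honoured.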
FINAL NOTE
GDPR came and swept us away with all sorts of restrictions and obligations. With all the hassle involved, it’s important to remember that GDPR is a good thing. Be mindful of the fact that you hold one of your users’ most precious assets: their privacy. Respecting the user’s right to privacy is what GDPR is all about.
Data privacy is a standard to work by, and the world, indeed, is embracing that standard. True, GDPR is a regulation for data protection in Europe, not the entire world, but it holds for all businesses that offer goods or services in Europe or monitor EU users' behavior in some way. So pretty much, everybody.
Also, building trust with customers and potential customers is crucial for every online business, let alone an eCommerce business. The above checklist is an important place to start (however, be sure to contact a legal representative for a full GDPR compliance plan).
One of the items on that list is using a website builder/CMS that supports building GDPR-compliant sites. I can’t stress this enough. Your chosen website builder/CMS is the infrastructure that will allow you to take GDPR compliance measures. Make sure you choose wisely.