We know, it’s not 2018, but the General Data Protection Regulation (GDPR) is still very much relevant. Even four years later, a lot of eCommerce store owners and digital agencies find themselves challenged by GDPR and its implications.
Don’t get us wrong, GDPR is a good thing that is meant to protect users’ personal data and provide individuals more control over their personal data. But for many businesses, it’s a bit complicated and hard to follow, the things to consider are overwhelming, and the penalties are quite frightening.
That’s why we decided to write this piece, to offer a comprehensive (but practical) guide to GDPR compliance for eCommerce. It will show you how to implement GDPR requirements quickly and easily.
First, let’s define what GDPR is.
GDPR is a regulation or data protection law in Europe (by the European Union), that took effect on the 25th of May 2018 and replaced the Data Protection Directive (DPD) from 1995.
It stands for General Data Protection Regulation and sets the tone for how European residents’ personal data should be collected, stored and handled. Personal data means “any information relating to an identified or identifiable natural person.”
It offers consumers eight individual rights: to be informed, to access, to rectify, to have erasure, to restrict processing, to have data portability, to object and to make decisions concerning automated decision-making and profiling.
The important thing to note is that while it applies to EU residents, it should be a concern for all businesses that offer goods or services in Europe or monitor EU users' behavior in some way. Even one EU customer is enough to cause an eCommerce store legal obligations.
Well, pretty much everybody, or everybody that is doing business with EU citizens. For that matter, if your client’s eCommerce store is available in Europe, they have to comply with GDPR.
Since eCommerce stores handle a lot of private information, such as names, email addresses, shipping info, phone numbers, credit cards and more, they are required to abide by GDPR (as long as they cater to EU citizens).
Non-compliance to these legal requirements can have severe consequences for business owners.
The fines are enormous and can amount to 20 million euros or 4% of the global turnover, whichever is higher. Giants like Google and Amazon were already fined. Others, such as Etsy and eBay had shut down the EU operation until they were compliant.
So as an agency that manages eCommerce sites for SMBs, you need to watch and adapt the way you collect, use, store and share personal data so it's compliant with eCommerce GDPR regulations. Just as a reference, IP addresses, and cookie identifiers are also considered personal data. These are online identifiers. What else? Genetic data, social media profiles, biometric data, location data, political opinions, religious beliefs, health data, etc.
Furthermore, the GDPR states that children cannot give legal consent as they may be less aware of the risks, consequences and safeguards of sharing data. Which means data controllers must know the age of consent in particular EU countries.
But what does GDPR really mean for eCommerce sites? Let’s review a complete checklist to understand.
Wouldn’t you love a checklist of primary action items to sort through the clutter of this GDPR mess? This checklist should organize things for you and allow you to understand the scope of the GDPR-compliant project and legal requirements for eCommerce companies.
However, this information is by no means a substitute for legal advice. Be sure to consult with a legal representative with GDPR expertise.
So let’s get started…
GDPR came and swept us away with all sorts of restrictions and obligations. With all the hassle involved, it’s important to remember that GDPR is a good thing. Be minded of the fact that you hold one of the users’ most precious assets, their privacy. Respecting the user’s rights to their privacy is what GDPR is all about.
Data privacy is a standard to work by, and the world, indeed, is embracing that standard. True, GDPR is a regulation for data protection in Europe, not the entire world, but it holds for all businesses that offer goods or services in Europe or monitor EU users' behavior in some way. So pretty much, everybody.
Also, building that trust with customers and potential customers is crucial for every online business, let alone an eCommerce business. The above checklist is an important place to start with (however, be sure to contact a law representative for a full GDPR-compliant plan).
One of the items on that list is using a website builder/CMS that supports building GDPR-compliant sites. I can’t stress this enough. Your chosen website builder/CMS is the infrastructure that will allow you to take GDPR compliance measures. Make sure you choose wisely.
