Disclosure: Some of the links below are affiliate links, meaning, at no additional cost to you, Storehacks may earn a commission if you click a link to an external source.
One of the best things about being an ecommerce entrepreneur is seeing your products sent to all different parts of the world.
A brand that started in Santiago can have customers in Manilla, Hyderabad and New England.
But the laws for all those countries vary, and very shortly (May 25th to be exact) the rules that apply to the data of EU citizens will change.
And it will affect you.
In this article, you’re going to see:
- What is the GDPR
- How you can get brand GDPR compliant
- What you can do with customer data
Before we get into this, let’s make one thing clear:
Just because you don’t have EU customers now, does not mean that you don’t need to get yourself GDPR compliant.
If you have any customers in the EU, these rules apply to you, regardless of where your brand is based.
By agreeing to sell in Europe, you agree to abide by EU laws – and that means making your store GDPR compliant.
So if you need to get your ecommerce store GDPR compliant, let’s first take a look at what that exactly means.
What exactly is GDPR?
GDPR is an acronym for General Data Protection Regulation. It’s a regulation that will apply to the way anyone handles the data of EU citizens from May 25th.
The GDPR is not to be confused with the EU’s ePrivacy regulation. ePrivacy was implemented to bring the privacy rules of each EU country into alignment.
Now that most of these laws are aligned, the GDPR will aim to make all these laws harmonious over each member state.
When it does come into play, it will be one of the most forward-thinking and restrictive data policies ever. It will no doubt, have a say in how companies of all different shapes and sizes handle the data of their customers.
In the most non-legal way possible, the GDPR will:
- Increase the rights EU citizens have over their personal data
- Widen the scope as to what the law defines as ‘personal data’
- Enforce strict guidelines about getting consent from your customer to collect their data
The overall goal of the GDPR is to make it harder for data-gatherers to do shady stuff with data.
Long story short, the individual will own their data, not you.
The biggest right that the GDPR will give citizens is the right to change, remove and restrict the processing of their data.
Customers currently have access to their data, but ‘data owners’ are allowed to charge a customer 10 pounds to access and modify their data. GDPR will remove this.
If an EU customer requests access to their data, you must provide them access within 30 days. Everyone will also have the right to be informed that your company has data about them.
Under GDPR law, you, the seller, are responsible for protecting the data of that individual, even if you’re using a third party platform, like Shopify or MailChimp.
It also means that if an EU customer gets in contact with you and asks you to remove their data from your store, you are bound under EU law to comply with their request
This is a game-changer for Facebook ads and other forms of personalised marketing. But before we get into that, let’s discuss what you need to do to get your brand GDPR compliant.
How to become GDPR compliant
So now we know what exactly GDPR is, it’s time to take a quick look at what you need to do to get your store above board before May 25th.
Keep in mind that every store is different and therefore, every store will need something a little different.
If you’re not entirely sure that what you’ve done is enough, find a lawyer to help you out and make sure you’re free of vulnerabilities.
Now, what exactly do you need to do to be GDPR compliant?
- Update your store’s privacy policy to reflect how you will handle data
- Review your return and refund policy to inform buyers that you will need access to their data to process a return
- Review third-party apps and themes that you use in your store. Email marketing, Facebook Ads and Google AdWords, for example.
- Create a playbook – if a German customer emails you and asks you to remove every trace of their data, how will you do it?
- Establish how you will ask your customers for their permission to process their data.
Remember:
These steps are only basic, and the extent that you need to go to in order to become GDPR compliant will vary.
Familiarise yourself with legal definitions and the official law itself to ensure that you’re above board.
Let’s take a look at a few actionable things that you can do to get your store GDPR compliant right now:
Remove default opt-ins
Gathering and storing customers data in a safe yet accessible way is just one of the hurdles many ecommerce sellers face under the new GDPR law.
You will also need to remove any default ‘opt-ins’ that you may have for newsletters, notifications or further marketing material.
When showing that you use cookies, you cannot just state that you use cookies.
You must now offer an opt-in option for customers to select if they want their cookies to be retained.
Customers need to give you clear consent if they’re to be contacted via these mediums or if they want you to store their data.
You will also need to keep detailed records of every piece of consent given to you buy a customer.
Give customer access to their data
As mentioned earlier, a user will need to be able to see the data you have on them within 30 days of requesting it.
This means that it’s crucial for you to keep your data clean, tidy, well presented and easy to be digested by the customer at any point in time.
In the unlikely event that your database does suffer a breach (even if customer data is not accessed), you’re legally required to tell your customer base that there has been a security breach.
For these reasons, it’s good to not only have a playbook about how you will show customers their data, but also a contingency plan – how will you tell your customers that there has been a leak?
Mistakes can be costly
Accidents happen and cyber crimes will only grow in numbers (and complexity) in the coming years. This means that you need to be proactive and on the front foot with your database security.
In the event of a data breach, the consequences are harsh.
You may be fined up to 4% of your total annual turnover, or €20 million – whichever is greater.
If your company earns less than €800,000 per year, you will be fined up to €20,000,000 for breaching GDPR rules.
Owning a brand and selling online is going to be either expensive or time-consuming – the choice is yours.
As an online seller, you most certainly rely on other third-party tools to help you deal with your jobs.
These brands are subject to the same laws that you are, so let’s take a look at how they are getting ready for GDPR.
What are all the big names doing?
Facebook, Google, MailChimp – chances are that you use some of their products to operate your online store.
These companies are not only responsible for handling your data, but they’re also responsible for handling the data of your customer.
So what are they doing to become GDPR compliant?
MailChimp is undoubtedly the go-to solution for email marketing. But this is an industry that GDPR will have a massive effect on.
One thing they are doing is making the double-opt-in requirement the default setting for all accounts based in Europe.
They’ve also gone and created an incredibly detailed PDF, GDPR: What it is, what we are doing and what you can do.
Facebook, the new home of the data breach, is not immune to GDPR rules, either. Their suite of companies, like WhatsApp and Instagram, need to be GDPR compliant, too.
What’s more, Facebook Marketing Tools like Custom Audiences will be under huge scrutiny. It’s speculated that Facebook is one of the sole reasons for GDPR to be born.
Facebook’s Irish branch is almost doubling the number of employees to make sure that they will be GDPR compliant come May 25th.
Google is one company that has their work cut out for them.
Google AdWords updated their T&C’s in August 2017 to reflect steps toward becoming more GDPR compliant.
They (Google) plan to have all their products – Cloud services, Analytics and AdWords – ready to go by May 25th.
What you need to do now
In the last few decades, data has become an incredibly valued commodity. In becoming what it is today, the customer themselves has forgotten exactly what data they are giving up.
Many may not have even been aware that their information is being retained for a whole range of purposes.
Now that you’re scared to death about GDPR, let’s make a few things clear:
- Get User consent. Your user must agree to be included in your marketing campaigns, and you must have proof of that
- Secure that data. You must prevent data leaks or face the consequences of leaking valuable data
- Follow through with user requests. If someone asks you to delete or modify their data, do it ASAP.
When it comes to consent, it’s not too hard. You simply cannot advertise to anyone who has not given you clear, specific consent to do so.
In terms of security, it’s your rolls to make sure that the data is safe. This may be as simple as ensuring that all your third-party tools are GDPR compliant themselves.
As for removing data, there’s simply no question about it – do what your customer asks.
While there are plenty more things that you need to do to have a GDPR compliant store, these 3 things are the biggest, and also the hardest to implement.
In Conclusion…
It hard to be enthusiastic about the EU’s new data laws as an online seller. It simply creates more work for you and sucks up time that can be better spent growing your brand.
That being said, GDPR compliance is a breeze if you’re not sneaky.
If your aim is to double cross or con a customer into giving up their data, then yeah, you’re going to get burned.
But if you’re honest and transparent about everything you do in your store, your work will be minimized.
With that in mind, go out and get your store GDPR compliant, knowing that many of these changes will help you serve your customer better!
