EU General Data Protection Regulations for ecommerce

The General Data Protection Regulations (GDPR) are new guidelines concerned with protecting European Union citizens’ personal information. As all ecommerce businesses deal with customers’ addresses, bank details and other personal data you’ll need to be GDPR compliant as of May 2018.

What is GDPR?

GDPR’s focus is on giving European citizens greater control over their personal data, and making them more aware of how, where and why their data is being used. However, the scope of the new regulations means that it will affect every company and business that collects or processes any data from EU citizens, even if they’re based outside of Europe.

If you use any email sign up forms for newsletters, product updates, or you collect contact information to process invoices and payments of European Union citizens, then you will need to become GDPR compliant.

When does GDPR come into effect?

From 25 May, 2018 GDPR will become law in all EU member states, and countries outside of the EU dealing with customers in Europe will also need to ensure they’re meeting these regulations. Businesses that don’t make changes to comply and have a data breach could be fined up to 4% of annual global turnover or €20 million, whichever amount is greater.

What is personal data?

Personal data includes any information that relates to someone and could be used to directly or indirectly identify them. This could be their name, a photo of them, their email address, bank details, posts on social networking sites or their computer’s IP address.

How does GDPR affect ecommerce businesses?

As an ecommerce business you collect customer’s personal details whenever they make a purchase, and if you have an option to create an account on your website then you are storing that personal data long term. If you collect email addresses from existing and potential customers, and send out a newsletter, or other marketing materials you will need to update your sign up forms. All of these everyday aspects of an ecommerce business will be affected by the new GDPR regulations.

Main points of GDPR

There are two main areas where the GDPR concerns online sellers: your customers’ rights over their own personal data, and obtaining explicit permission to contact them for specific purposes.

Under GDPR individuals:

• Have the right to access the personal data you’ve collected and to know what it’s being used for. You also have to provide a copy of their data for free if they request it.
  
• Have the right to have their data completely deleted from your system
  
• Have the right to receive their personal data and transmit it to another provider
  
• Are able to request any errors in personal data be corrected, the company must reply to the request within one month.
  
• Must be informed before they submit their personal information about how it’s going to be used. Customers must give consent for their data to be gathered for a specific purpose.
  
• Can block and suppress the processing of their personal data. You can still store the personal information but can’t use it in any way.
  
• Can object to their personal data being used and processed - includes direct marketing, profiling, etc. Once they object all their data processing must cease immediately.
  

What ecommerce businesses need to do to be GDPR compliant

• Collecting email addresses: You’ll need to ask permission for each specific reason that you might want to contact a shopper, before they give you their email address. You won’t be able to email them for any other reason. This means if you get someone’s email address when they place an order, you can’t then send them marketing emails unless you ask their permission beforehand. 
  
• You’ll also need to be able to prove that you have permission to contact individuals - so you will need to keep a record of their consent.
  
• Retaining personal data: You should only store a person’s data for as long as necessary - however, this will be assessed on a case by case basis. It’s advised that you should seek consent from all your existing customers and contacts before GDPR comes into effect, and then seek re-consent every two years. You also need a process for deleting old customer’s data after a certain period of time.
  
• Access to personal data: You need a process for editing, removing and sending customer’s personal data in case someone does ask for it.
  
• Create a data breach response process: If your business does experience a data breach, such as someone deliberately stealing data, or losing a company laptop with customers’ data on, you will need to notify customers within 72 hours.
  

Read the full EU General Data Protection Regulation here.