General Data Protection Regulation (GDPR): What Internet Retailers Need to Know

Several years ago, the term “big data” became standard jargon in the world of eCommerce. Everyone was trying to collect it, measure it, store it, and most importantly, leverage it to win new customers and sales. Big data is really powerful, and it didn’t take long until its power was being used in questionable or even malicious ways.

We all deserve some basic privacy. Many countries are wrestling with how to protect individual privacy in light of new technology. The European Union (EU) has addressed this problem with a new regulation: the General Data Protection Regulation, or GDPR.

The GDPR is a hot topic right now; it launches in full force in May 2018. This regulation applies to every retailer who has customers within the European Union. Penalties for violating it are steep—up to 4% of the offending company’s annual global turnover, with a cap of €20M. Yet even if you don’t do business within the EU right now, it’s important to understand the basics of this regulation. The GDPR is just the beginning of global data regulation and individual data privacy laws. Once other countries see its implementation, it will likely become the model for more regulations across the globe.

The Basics: What You Need To Know

The GDPR was developed to replace the EU’s Data Protection Directive, which was put in place in 1995. The difference between a directive and a regulation is pretty simple: a directive is a suggestion and a regulation is a legal mandate.

The GDPR is a huge document; it took a bunch of dignitaries over two years to write. But, for most retailers, it can be distilled to five primary enforceable code regulations. The five points below are a perfect starting point for understanding this new law and what compliance could mean for you.

Important Note: This post is a personal interpretation and overview of the most pressing points of GDPR. It’s not legal advice. If you have customers in the EU, I encourage you to dig into the articles of the regulation linked below. For specific questions about compliance, please see a lawyer.

All Data Subjects Must Actively Consent to All Data Collection

Consumer consent, as defined by the GDPR, must be “clear and distinguishable.” This definition implies two things: (1) the data subject (customer) must opt in to any data collection, and (2) all data to be collected and maintained must be clearly defined. The GDPR also specifies that your data collection policy must be “given in an intelligible and easily accessible form.” Basically, all data collection policies must be stated in plain language, free of dense and confusing legalese. It’s no longer legal to bury a description of how you’ll use collected data deep within the legal fine print of your privacy policy.

There are two important common practices you may need to revise to comply with this part of the regulation:

1. Customers must proactively opt into your mailing lists or other marketing materials. It’s common practice to add new customer email addresses to your email marketing lists, unless the customer opts out during checkout. That will no longer be legal for EU customers. You can still ask customers to opt in to your marketing lists during checkout, but customer must say “Yes, add me!” rather than “No, don’t add me.”

2. Customers must be given easy and direct access to information about how their data will be used when they opt in. Essentially, whenever you give a customer the opportunity to opt in, you must link to your easy-to-understand data and privacy policy.  

All Data Subjects Have the Right to Access Their Data

There are two important points to this part of the regulation:

1. You must be prepared to show your customer all data you’ve collected about them at any time. Customers can request this data and you must deliver it in digital format, free of charge.

2. The customer can also request a definition of purpose for all data collected. In other words, you must be able to explain to the customer how their data has been used. This is where third-party services can make things complicated. Under this regulation, you must understand how every third-party service uses your customer data, and be able to explain it to your customers at the drop of a hat. We’ll get more into third-party services later in this article.

All Data Subjects Have the Right to Be Forgotten

Oh how many times I would have loved to apply this to my real life! The right to be forgotten, also known as erasure, is exactly what its name implies. Your customers can ask to be completely scrubbed from your databases at any time, and you must comply. Think of it as a massive “Unsubscribe” button that includes every bit of data related to that customer. This also applies to any third-party services that may have received that data from you.

All Data Subjects Have the Right to Data Portability

Customers can request that you provide a copy of all data collected about them to a party of their choosing. For example, they can request that you send their data to another company or a lawyer. This particular point of the regulation does provide some protection for retailers. It specifies that this is applicable “as technically feasible and available.” That gives retailers room to dispute particularly complex or difficult requests.

Have questions about GDPR?

Download our guide, GDPR: What you need to know, and make sure you have all the information you need to be ready.

Download Now

All Data Subjects Have the Right to Rectification

This point gives customers the right to request the correction of any incorrect or inaccurate data, “without undue delay.” This shouldn’t result in too many headaches for retailers, because accurate data means more effective marketing. It’s in your benefit to keep customer information correct and up to date.

Third Party Services and Data

This just may be the most cumbersome part of the GDPR for internet retailers. Data is a tool; it’s only as good as how you use it. We all rely on third-party services to collect, organize, interpret, and use the data we collect. Think about the third-party services or extensions you use, like services for A/B testing, target marketing, demographic profiling, geographic data, or customer lifetime purchasing cycle information. Every third-party service works differently. This means you could have many different versions of customer data being used and shared at any time.

To comply with the mandates of the GDPR, you must fully understand what data each service collects and how they use it. You also must be able to collect and transfer all data back to customers whenever they request it, and make sure those services scrub data at the customer’s request. Staying compliant with the GDPR could become a full-time job for small business owners.

Start Preparing Now

Complying with the GDPR adds complexity to business operations. But as consumers demand more transparency and security, regulations like this will become the norm. Begin taking steps now to bring your data management and strategy into compliance. Devoting time to training, documentation, audit, and implementation will put your business in a great position to continue doing business as usual in the EU.

Don’t forget to keep the positives in mind. Regulations like the GDPR are designed to provide more security and protect the rights of citizens around the world. Keeping up with these regulations will ultimately foster trust with your customers and increase communication between retailers and the third party services we use. Those are benefits we can all appreciate!

Like this article? Sign up to receive exclusive eCommerce news, advice, and industry content.