How Will GDPR Affect My Ecommerce Business? (GDPR: It’s Not Over)
GDPR is the most important change in data privacy regulation in the last 20 years. In this article, we will dive into GDPR and how it can affect your eCommerce business, as well as how to get in shape and comply with GDPR rules.
1. What is GDPR?
Introducing the EU General Data Protection Regulation. GDPR is the most important change in data privacy regulation in the past 20 years and became enforceable on May 25, 2018. It’s a regulation designed to give individuals more control over the data they give to corporations. It also highlights the responsibilities of the corporations around this data. The GDPR rules are now the new standard for the protection of online privacy, personal data, and consent.
Because our lives revolve around data in almost everything we do, from social media to banking information to personal data like addresses and credit cards, GDPR is a regulatory framework for all businesses that store, use, or otherwise touch the data of individuals. Those that handle this data are now under strict conditions to gather it legally and protect it from hacking and other misuses. This legislation not only has teeth (violators can be fined 4% of annual global revenue or €20 million for non-compliance — whichever amounts to more), it looks to lock down key areas of weakness and makes organizations accountable to their customers.
2. Why GDPR Compliance Is Important In Commerce
It’s been almost 3 years since the European Union’s General Data Protection Regulation (EU-GDPR or simply GDPR) came into effect. On the very first day of the regulation’s implementation, the world’s largest companies, Facebook and Google, were hit with lawsuits accusing the companies of “coercing users into sharing personal data”. The fines totaled $8.8 billion.
According to a global co-chair of privacy and data security, Alex van der Wolk, “there was no expectation of a lot of enforcement right away, for regulators to come out shooting.” Looking ahead, it is clear that issuing penalties and making examples out of violators sent the message that “there is more to come”. That is why it is important that brands understand what GDPR means for them, so they are aware of what changes need to be implemented across their business.
In North America, eCommerce businesses had generally not been taking these regulations seriously back in 2018. Many North American eCommerce businesses and agencies had no idea about their roles in protecting their data and that of their customers. While many myths and misconceptions still surround GDPR, it is key that merchants understand what rules apply to them.
2. The Misconceptions — AKA Yes, GDPR Applies To You
There are a startling number of North American eCommerce businesses that seem to be under the impression that GDPR does not affect them if they are headquartered outside of the EU and do not do business with the EU or citizens of any of its countries. This is patently false: all businesses that collect, store, and/or process any data relating to an EU citizen must be secure — including third parties. What this means is that it’s not just your own business’s data that you need to ensure complies with GDPR, but your trading partners’ as well.
The “EU citizens” language also reveals the complexity of GDPR that many are unaware of. No matter where in the world the EU citizen lives, they are still protected by GDPR. That means that if I’m a holder of an EU passport but I buy goods from you while I’m visiting Toronto, Canada, you’re still on the hook for GDPR compliance.
And as for ‘data’? Data can be anything from a name, photo, banking details, and much more. The watchword here is Data Governance. If you want to understand how to boost your business’ cybersecurity with data governance and enterprise data management, take a look at this excellent article.
3. Get In Shape To Be GDPR Compliant
If your business is not already GDPR-compliant or hasn’t done a deep dive to ensure you do not need to comply (which does require going through many of the GDPR-compliance motions), you are already behind the eight-ball. Take a close look at your data across your business, in all applications in your technology stack, and in all third parties that have access to any data for an individual. Businesses that need to be compliant with GDPR need to undertake data mapping — including any third parties that have access to that data — to expose compliance obligations.
Documentation with GDPR is key: data flow mappings and the resulting risk management plans need to be comprehensive and detailed. Plus, it has to be available in case of a breach or hack. GDPR compliance is not just a one-time measure. As your business evolves over time you must make sure your methods, applications, and privacy policies are effective and compliant.
4. Consult the Experts
Still have questions? You should. GDPR is a complex and sometimes extremely confusing set of regulations; it is difficult to understand them and to implement the right processes for compliance. This is not something you can implement within a day. Seeking experts who understand the legislation will help you understand your responsibilities and inform your business on best practices and due diligence. A great place to start is to watch our webinar conversation entitled “GDPR Reality Check: How Will Regulations Impact My E-commerce Business”, a discussion of GDPR and how it impacts businesses, based on your questions and led by a panel of experts.
About Our GDPR Webinar Recording
Our first panelist is Niall Tierney. An Intellectual Property Lawyer with over 20 years of experience gained in Ireland, Niall has extensive multi-jurisdictional legal experience in European Union Data Protection law. Our second expert, Guy Pearce, has served on private and public Boards in banking, financial services, retail, and a not-for-profit over the last decade. Guy currently consults in governance and risk and is the founder of CanadaGDPRCompliance.ca. They focus on ensuring the right levels of oversight for GDPR compliance in Canada. As an industry thought leader, he has published numerous articles on various aspects of governance and risk, particularly in a digital context.
Finally, VL’s own Robin H. Smith will speak to the implementation process from a business owner’s perspective and a broader data integration imperative perspective. VL OMNI became fully EU GDPR compliant in Q1 of 2018. We have revised our privacy and security practices accordingly to comply with and to support our customers and partners in complying with GDPR.