Are You GDPR Compliant? Changing Your Privacy Policy Is Not Enough

As we count down to our much-anticipated webinar GDPR: How Will Regulations Impact My Ecommerce Business, we start to take a closer look at GDPR regulations and the ways in which they will impact ecommerce businesses across the world.

With misconceptions running wild and businesses implementing, at best, ineffective or irrelevant GDPR data protection policies and, at worst, no policies at all, we strive to provide the facts on an issue that is… Well, let’s face it — hopelessly complex and boring. But essential. As technology advances faster than we could ever dream of, our governments, laws, and regulations are behind the eight-ball when it comes to protecting us and our data. In the wake of the Cambridge Analytica scandal and Facebook’s testimony and apologies in front of the US Congress, the world and its businesses are slowly waking up to the enormity of GDPR and the complex solutions that we must implement to protect everyone’s data as we continue to innovate and drive ever further forward.

What State Are We In?


“The hope is that the GDPR will be a gold standard for how to feasibly check the power of big tech companies whose market value dwarfs the GDP of some of the countries trying to hold them accountable.” 


You may be thinking at this point, “big corporations like Google and Facebook will have to adhere to these new EU data protection regulations. But me? I’m just an SME ecommerce merchant that has very little data collected. I don’t have to worry!”

Unfortunately, you do have to worry. GDPR applies to your business — large or small — and no matter where your business is located.

“The GDPR not only applies to organizations located within the EU but it will also apply to organizations located outside of the EU if they offer goods or services to, or monitor the behavior of, EU data subjects. It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location.” This statement unequivocally lays out that GDPR is not constrained or confined to the European Union nations. Even if your business does not actively do any business within the EU, GDPR still applies. If a person with an EU passport is living anywhere else in the world, that individual’s data is still protected by GDPR. Who’s to say which of your customers are EU citizens and which are not? To selectively apply a GDPR compliance plan for those EU customers — if you could know which of your customers these are — is unrealistic. Ultimately, this means that your business needs to be GDPR compliant to cover any potential EU citizens’ data by default, or else run the risk of a hefty fine.

(Probably) Not Enough

In the weeks before GDPR came into effect, there was a flurry of action. Emails were sent asking users to reconfirm their subscription preferences. Pop-up cookie notices were added to websites en masse. Privacy policies were updated to include the four-letter acronym in among the other standard legalese. Firewalls were beefed up.

What did your company do to prepare for GDPR?

Would you be surprised to find that everything we just listed above does not make you GDPR compliant?


“Legally, the GDPR demands that any communication is ‘in a concise, transparent, intelligible and easily accessible form, using clear and plain language.’”


How GDPR was incorporated into many non-EU businesses has been haphazard, at best. Only the savvy reached out to their corporate lawyers, and only the extremely savvy reached out to lawyers specializing in GDPR. VL OMNI reached out to Niall Tierney, Registered Intellectual Property Attorney, Tierney IP out of Ireland, in late 2017 to begin our EU-GDPR compliance process. Involving roughly 6 months of work, including creating a comprehensive data protection plan and heavily revising our contracts, VL OMNI was officially GDPR-compliant by the end of May, 2018.

Ultimately, your customers and partners must have a clear understanding of where their data is going and who has access at any given time. You and your employees also need to have an understanding of your GDPR compliance efforts, data protection plan, and what to do in the event that there is a data breach. Your whole organization must be knowledgeable about how your data is used within your business. Your business development, marketing, legal and technology teams must work together on the implementation and ongoing compliance of GDPR, and it’s much, much more than just updating your Privacy and Terms of Service pages on your website.

Who Else Controls Your Data?

Another giant misunderstanding about GDPR is how it applies to your business’s partners, AKA third parties in the data ownership and responsibility chain. For ecommerce and multichannel businesses, having many trading partners and suppliers is the norm — you need great partners of all types to help your business grow.

So while you may be GDPR compliant, is your ERP? How about your loyalty program? Or your iPaaS data integration platform? Understanding how GDPR can affect your business beyond your own organization is critical. Taking stock of the value of your trading partners is huge, and having a comprehensive data protection plan is absolutely necessary and mandatory for this part of your business as well as all other parts that touch user data. Your business must be compliant and protected, and surrounding yourself with partners that have not taken GDPR seriously or are not GDPR compliant themselves only opens your business up to unnecessary risk.


“In a recent Deloitte survey, 56 percent of organizations said they have yet to figure out what data they have passed to third parties or how the new law will affect it. An additional 10 percent hadn’t addressed whether their policies on third parties fit with the GDPR at all.” 


Rather than seeing GDPR as an annoying, cumbersome regulation, consider it as an opportunity to take a deep look and map out where your data is, how it moves throughout your organization and how third parties access and use your data. The information you glean will only serve to point out where vulnerabilities lie, where efficiencies can be made and how to connect your data throughout your business in a safe and holistically integrated manner.

GDPR is not going anywhere. It is important to go beyond just covering the basics or running on assumptions and rumors about how to be GDPR compliant. Start with registering for our webinar and ask your questions to the GDPR experts — Niall Tierney, Registered Intellectual Property Attorney, Tierney IP; Guy Pearce, GDPR Team Lead and Governance, Risk and Compliance (GRC) professional, Canadian GDPR Compliance; and Robin H. Smith, CEO, VL OMNI. Leverage their knowledge not only of the legislation itself, but of the business risk management and implementation considerations for GDPR: register today as seats are limited!
