The General Data Protection Regulation (GDPR) is an extended series of guidelines designed to govern how personal data is collected, processed, and stored. The GDPR was agreed on by the European Parliament and Council in April 2016, and its purpose is to impose a uniform data security law on all EU members. It became effective on May 25, 2018, replacing the Data Protection Directive 95/46/EC as the primary law setting a baseline set of standards for companies that handle EU citizens’ personal data, so as to better safeguard its collection, storage, processing, and movement. Its main goals are to improve data security, minimise data breaches, and increase transparency between companies and users.
What is personal data?
The GDPR officially defines personal data as: ‘any information relating to an identified or identifiable natural person’, and it states that this information can be collected and stored if it is properly anonymised. A subset of personal data is the ‘sensitive personal data’ category that includes racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, physical and mental health data, genetic and biometric data, sexual orientation, past or spent criminal convictions, location data, and online identifiers.
For an ecommerce company, that translates into information about an individual who could be identified from that data (or from the combination of that data with other information). It could include not only your customers’ personal details and IP addresses but also data your company has collected to identify and approach potential customers, as well as data that visitors generate while accessing or using your website, apps, etc. (such as cookie identifiers).
Requirements of the GDPR
The GDPR contains 11 chapters and 91 articles, and it is mainly designed to ensure trust between EU customers and retailers by clarifying the rights of each. The companies the GDPR addresses can be classified as ‘Controllers’ (companies or organisations that collect and use user data) or ‘Processors’ (companies or organisations that process user data on behalf of other companies/organisations). In some instances, a company can be classified as both a Controller and a Processor. ‘Subjects’ are the users whose data the Controllers have collected.
Articles 17 and 18 give subjects more control over personal data that is processed automatically. According to the GDPR, users have the ‘right to access’, which specifies that controllers must be able to provide a free copy of the subject’s data (‘in an electronic format’) if requested. That data can then be shared with or transferred to a new processor if necessary. Moreover, the ‘right to erasure’ specifies that users can request at any time to have their data deleted and made immediately unavailable to any other third-party provider.
Articles 23 and 30 require companies to maintain a detailed, up-to-date map of their data practices and to implement data protection measures that safeguard subjects’ personal data and privacy against loss and exposure. Furthermore, according to article 28, controllers should impose strict contractual requirements on data usage and processing when they engage a processor.
Article 31 states that controllers must notify Supervising Authorities (SA) of a personal data breach within 72 hours and provide specific details of it. Article 32 requires controllers to notify subjects as soon as possible in the event of a data breach. Articles 33 and 33a require companies to perform Data Protection Impact Assessments to identify risks to consumer data and Data Protection Compliance Reviews to ensure those risks are addressed.
Article 35 requires that individual companies appoint a Data Protection Officer (DPO). These officers advise companies about compliance with the GDPR and act as a point of contact with the Supervising Authorities. Articles 36 and 37 outline the Data Protection Officer’s position and responsibilities. The Information Commissioner’s Office (ICO) offers a detailed guide on how to appoint a DPO if necessary.
Finally, article 45 specifies that international companies that collect or process EU citizens’ personal data are subject to the same requirements and penalties as EU-based companies.
Penalties for non-compliance
Companies that fail to comply with the GDPR’s guidelines are subject to penalties and fines as outlined by article 79 of the regulation. There are two levels of fines depending on the nature of the violation. For lower-level violations, like gathering or processing data against the GDPR’s rules, a company can be fined up to €10 million or up to two per cent of its worldwide annual revenue, whichever is higher. More serious violations, like data breaches, can result in a fine of up to €20 million or up to four per cent of the company’s worldwide annual revenue, again whichever is higher.
It is important to note that even if your ecommerce store is not based in Europe, it is still subject to the GDPR if it provides products or services to EU residents. Additionally, the general requirements of the GDPR apply to every aspect of your business, not just to your website or online store. Every ecommerce business owner should ensure that their social media channels, marketing strategies, the analytics and tracking systems their online store uses, every other third-party plug-in or app, and every third-party company they share data with are also compliant with the GDPR.
Under current law, the same rules apply regardless of the size of your ecommerce business; sole traders and small companies can also face fines and censures for violations that may occur. Nevertheless, the GDPR recognises that small and medium-sized enterprises (SMEs) require different treatment from large or public enterprises. For example, specific record-keeping requirements under the GDPR do not apply to businesses with fewer than 250 employees.
If your ecommerce store is available in the EU (even if your company is not based there), you must complete a thorough audit of all the data you are collecting on EU citizens, as you need to comply with the GDPR. When you design data processes for your ecommerce business, you must ensure that personal data is secure and that you collect only the data that is ‘absolutely necessary for the completion of duties’. Take the time to look at what type of data you collect and why you collect it, and always be aware of how this data is processed, whether by you or by the third-party companies you share it with. In practice, that means you should adequately map out how data is collected, stored, processed, transferred, and deleted.
Every company owner who is subject to the GDPR should attempt to read and understand the legislation. But even if you are not willing to read the actual 50,000-word regulation, there are plenty of detailed guides available that can help you take the necessary steps to make your ecommerce business GDPR compliant. Shopify’s GDPR whitepaper and the ICO’s guide to data protection are two of the best.
Finally, you should always see compliance with the GDPR as a process, meaning that you need to revisit the way your company works on a regular basis, and especially when you decide to add a new feature, functionality, etc., to your website or online shop. Understandably, GDPR compliance can seem very daunting, especially for new ecommerce businesses or sole traders. But being GDPR compliant is also an excellent opportunity to grow your ecommerce business. By being transparent with your customers about what data is collected and why, while at the same time giving them access to their data and the choice to opt out whenever they want, you make them feel they are in control of their information. And that is a great opportunity to build trust and strengthen your relationship with your customers.