On May 25th, 2018, GDPR will come into effect in the European Union. As an ecommerce seller, this will affect you in many ways – even if you are not based in the EU, as long as you sell to customers who are.
Many online sellers are scared that GDPR means the death of their business, or that they will have to change the way they operate.
Sure, while you will need to do a bit of work, and maybe even modify the way you operate, GDPR will not be the death of you.
In simple terms, GDPR is there to make sure your business is up to a certain standard and that you’re honest and transparent in the way you work.
But before we go any further, here’s what you’re going to learn in this article:
- What GDPR actually is
- How you can get yourself GDPR-ready
- Why GDPR can help you build trust.
So without any more delay, let’s get started and clear one of the biggest myths out there…
What is GDPR?
GDPR is an acronym for General Data Protection Regulation and it will be implemented in the European Union.
It’s a regulation that will apply from May 25th to protect the personal data of individuals in the European Union, whatever their citizenship.
In the simplest possible terms, the GDPR will:
- Broaden the rights that individuals in the EU have over their data
- Widen the definition as to what the law defines as ‘personal data’
- Implement strict rules and guidelines about collecting, keeping and using your customers’ data
Long story short: Your customer will own their data, not you
What will the GDPR change?
The 2 biggest changes that the GDPR will bring for online store owners like you are the following:
- You need permission from the individual to collect and use their data.
Today, in many cases it is enough to offer customers a way to opt out of having their data used, for example for marketing emails.
Under GDPR, the opposite will be true for anything that relies on consent, such as marketing: you will only be able to process the data if the customer actively opts in. (Data you genuinely need to fulfil an order rests on a different legal basis, covered later in this article.)
- You will need to delete a customer’s data once you no longer need it.
GDPR’s storage limitation principle says you may keep personal data only as long as necessary for the purpose you collected it for. This means you cannot retain a customer’s data indefinitely “just in case”.
Some cases where you will need to actively delete customer data:
1) The data is no longer necessary for the purposes you collected it for
Eg: a customer has made a purchase in your online store and the transaction has been completed. (Note that other laws, such as tax and accounting rules, may require you to keep invoice records for a fixed period; that retention has its own legal basis and is not covered by this point.)
2) The customer has withdrawn their consent and there is no other basis for processing.
Eg: the customer has emailed you specifically asking you to delete their data from your system.
3) The person objects to the processing of their personal data and there are no overriding grounds for continuing.
Eg: a customer has been shown Facebook remarketing ads after visiting your site and has specifically asked you to remove their data.
4) The personal data was processed unlawfully
Eg: the customer never agreed to you collecting and processing their data, whether via a form, a checkbox, in writing or orally.
What does it mean for you?
You need to be able to delete a customer’s data from every system that holds it, including your third-party tools and your backups.
Remember that archiving customer data is not the same as deleting it!
There is also one more factor that is scaring a lot of ecommerce sellers about GDPR.
Under GDPR, you are responsible for keeping the personal data you hold safe.
You are responsible for protecting each individual’s data even when you pass it to third-party services like Hubspot, MailChimp or GetResponse: you are the data controller, and they act as your processors.
If data leaks from one of those providers you can still be held responsible, and the provider is accountable as a processor too.
This is why many third-party tools that handle customer data are tightening their security and offering data-processing agreements that set out what they may do with the data you give them.
Now that you know what will change under GDPR, let’s look at what you need to do to become GDPR compliant.
Becoming GDPR compliant
Before starting to change things for GDPR compliance, familiarise yourself with legal definitions and the official law itself to ensure that you’re above board.
Note: “personal data” is not only the first name, surname, address or other details your customer chooses to give you. Online identifiers such as IP addresses and cookie IDs that your site collects also count.
Before discussing what you need to do to become GDPR compliant, it’s worth noting the following:
Every store is different and therefore every store will need to do something different.
There is no perfect checklist to follow to make sure that your brand is GDPR ready.
If you’re not sure that you’ve done enough, find a lawyer and make sure that you’re as best set up as you can be.
The main goal of GDPR is to stop shady activities and practices. Being deceitful and tricking people into taking an action is what the GDPR is out to stop.
Automatically opting customers into your email newsletter after a purchase is one example.
Becoming GDPR compliant is simple if you’re not sneaky.
This is why the definition of ‘user consent’ changes drastically under GDPR.
Stricter definitions of ‘consent’ apply and legitimate consent is harder to obtain. To obtain consent, you need a clear and affirmative action showing that the user wants you to collect their data for a specific, stated purpose.
Under GDPR, the following does not count as valid consent:
- Pre-ticked boxes
- Silence or a failure to opt out
So, for example, a pre-ticked newsletter subscription box after a customer makes a purchase is no longer valid.
Here are a few things that will apply to most ecommerce stores:
- Review your return and refund policy to reflect that you will retain customer data to process a refund or return
- Have an easy way to remove all data of a customer when they request to do so.
- If you use other tools, check if they are also GDPR compliant. This applies to things like:
  - Email marketing platforms
  - Online store providers
  - Third-party WooCommerce and Shopify apps
Keep in mind that these steps are very generic and that the best solution for your store depends on too many things to list here.
For now, let’s take a closer look at some actionable things you can do to get your store ready for GDPR.
Design your own data protection system
There is no one right way to store data. The GDPR does not prescribe how you should store and protect personal data, only that you must apply technical and organisational measures appropriate to the risk (it names encryption and pseudonymisation as examples).
That’s why you have to be creative. Sounds vague and mysterious, right?
As an ecommerce seller, your brand is built on many online tools. As mentioned earlier, these tools may help you collect your data.
For the companies that create these tools to be GDPR compliant themselves, they need to meet the regulation’s obligations on processors and be able to demonstrate that to customers like you.
What does this mean in simple terms?
By using trustworthy names, you’re keeping yourself (and your data) safe.
Even though you are responsible for the data that your third-party tools collect, these tools themselves need to be GDPR compliant.
Organize customer data
Obviously, you collect customer data, but have you ever asked yourself why?
To become GDPR compliant you need to have a reason to have that data – and keep that data organised.
| What is the data? | Why do I need it? |
| --- | --- |
| Address of residence | I need it to complete the order and ship it |
| Telephone number | I need to contact the customer about their order and the delivery of their package. |
| Email address | I need to confirm the order and, with consent, send follow-up marketing. |
Once you have a reason to collect this data, you need to be able to share it.
Share your data with clients in an XML, JSON or CSV file
Under GDPR, you are required to give a customer the data you hold on them if they request it, in a structured, commonly used and machine-readable format.
In practice that means being able to export a customer’s data in one of a few standard formats:
XML, JSON or CSV.
What does this mean for you?
You must show your client the data that you have obtained if they request.
This is actually beneficial for you, as it gives your customer a sense of security and convenience.
The customer will also be able to ask you to forward their personal data to another company. If that happens, you are required to do so where it is technically feasible.
Delete customer data upon request
If you’re able to organize and share customer data, you must also be able to delete it.
Therefore, make sure that you can easily delete your clients’ personal information.
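The export, erasure and retention steps above are easier to get right when they are one piece of code rather than three manual procedures. The script below is an added example, not code from this article: it exports a customer record as JSON, CSV or XML, erases every copy of it (primary table, archive and marketing list) and then verifies that nothing is left, and purges completed orders older than a retention window. The in-memory stores, the fictitious customers and the 730-day window are constructed assumptions for illustration; in a real store they would be your database, your email-marketing tool’s API and your backup system.

```python
"""Data-subject request helpers for a small online store (added example)."""
import csv
import io
import json
import xml.etree.ElementTree as ET
from datetime import date, timedelta

# Constructed, fictitious sample stores. A real shop would have these in a
# database, an email-marketing tool and a backup/archive respectively.
CUSTOMERS = {
    "c-1001": {
        "name": "Ada Example", "email": "ada@example.com",
        "address": "1 Test Street, Dublin", "phone": "+353-1-000-0000",
        "orders": [
            {"order_id": "o-1", "completed": "2016-03-01", "total": 49.99},
            {"order_id": "o-2", "completed": "2018-02-14", "total": 12.50},
        ],
    },
    "c-1002": {
        "name": "Bob Example", "email": "bob@example.com",
        "address": "2 Test Street, Cork", "phone": "+353-1-000-0001",
        "orders": [],
    },
}
MARKETING_LIST = {"ada@example.com": "subscribed", "bob@example.com": "subscribed"}
ARCHIVE = {}


def export_customer(customer_id, fmt="json"):
    """Return everything held on one customer as JSON, CSV or XML text."""
    record = dict(CUSTOMERS[customer_id], customer_id=customer_id)
    record["marketing"] = MARKETING_LIST.get(record["email"], "not subscribed")
    if fmt == "json":
        return json.dumps(record, indent=2, sort_keys=True)
    if fmt == "csv":
        # Flatten the order list so the whole record fits one CSV row.
        flat = {k: v for k, v in record.items() if k != "orders"}
        flat["orders"] = ";".join(o["order_id"] for o in record["orders"])
        buf = io.StringIO()
        writer = csv.DictWriter(buf, fieldnames=sorted(flat))
        writer.writeheader()
        writer.writerow(flat)
        return buf.getvalue()
    if fmt == "xml":
        root = ET.Element("customer", id=customer_id)
        for key, value in record.items():
            if key == "orders":
                orders = ET.SubElement(root, "orders")
                for order in value:
                    ET.SubElement(orders, "order", {k: str(v) for k, v in order.items()})
            elif key != "customer_id":
                ET.SubElement(root, key).text = str(value)
        return ET.tostring(root, encoding="unicode")
    raise ValueError(f"unsupported format: {fmt}")


def archive_customer(customer_id):
    """Move a record aside. Here only to show that archiving keeps a copy."""
    ARCHIVE[customer_id] = CUSTOMERS.pop(customer_id)


def copies_remaining(customer_id, email):
    """Count the stores that still hold this person's data: run this after an
    erasure, before telling the customer it is done."""
    return sum((customer_id in CUSTOMERS, customer_id in ARCHIVE, email in MARKETING_LIST))


def erase_customer(customer_id):
    """Erasure request: remove the record from the primary table, the archive
    and the marketing tool, then verify nothing is left. Returns the number
    of copies removed, or 0 if the customer is unknown."""
    record = CUSTOMERS.get(customer_id) or ARCHIVE.get(customer_id)
    if record is None:
        return 0
    email = record["email"]
    targets = ((CUSTOMERS, customer_id), (ARCHIVE, customer_id), (MARKETING_LIST, email))
    removed = sum(1 for store, key in targets if store.pop(key, None) is not None)
    if copies_remaining(customer_id, email):
        raise RuntimeError("erasure incomplete: a copy of the data still exists")
    return removed


def purge_expired_orders(today_iso, retention_days):
    """Storage limitation: drop completed orders older than the retention
    window and return how many were removed. The window is a policy choice
    (an assumption here); tax and accounting rules often require keeping
    invoice records for a fixed period, which is a separate legal basis."""
    cutoff = date.fromisoformat(today_iso) - timedelta(days=retention_days)
    purged = 0
    for record in CUSTOMERS.values():
        keep = [o for o in record["orders"] if date.fromisoformat(o["completed"]) >= cutoff]
        purged += len(record["orders"]) - len(keep)
        record["orders"] = keep
    return purged


if __name__ == "__main__":
    print(export_customer("c-1001", "xml"))
    print("orders purged:", purge_expired_orders("2018-05-25", 730))
    archive_customer("c-1002")
    print("copies left after archiving:", copies_remaining("c-1002", "bob@example.com"))
    print("copies removed by erasure:", erase_customer("c-1002"))
    print("copies left after erasure:", copies_remaining("c-1002", "bob@example.com"))
```

The part most stores skip is the verification in `erase_customer`: deleting the row in your shop database and then reporting “done” while the same email address is still in your newsletter tool or a backup is exactly the archiving-is-not-deleting trap described above. The purge function is where your written retention policy becomes something that actually runs.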
Do not process data if you do not have a legal basis
You can collect and use your customers’ personal data only if you have a legal basis for doing so. Consent is one basis, but not the only one.
The three bases that matter most for an online store are:
- Contractual necessity
You can collect and process personal details if they are necessary to fulfil an order or provide a service the customer asked for.
Example: Your customer bought something from you and gave their address. You process that address to deliver their order.
- Consent
You can process your customer’s personal data if they have clearly and actively agreed to it for a stated purpose.
Example: The customer has ticked the (unticked by default) newsletter checkbox on your website.
- A legitimate interest
You can process personal data where you have a legitimate interest that is not overridden by the customer’s own rights and interests, and where the customer would reasonably expect the processing. Direct marketing to existing customers can fall here, but the customer must be able to object at any time.
Example: You use a customer’s purchase history to suggest similar products (they bought a bikini, you advertise a beach towel).
If at least one of the legal grounds listed above applies, you may process the data you have collected. Record which basis you rely on for each purpose.
How can GDPR help you gain the trust of customers?
It’s easy to look at GDPR as ‘just another rule’ that makes your life harder.
But after scratching the surface, it’s easy to see how you can leverage it and use it to your advantage.
GDPR can positively affect the development of your business.
GDPR answers the questions of online buyers.
- Is the store trustworthy? Yes
- Do they use my data? Yes
- Will they try to influence my behaviour (e.g. through targeted advertising)? Yes
- Can I have my data removed if I want? Yes
- Will they sell my data to other services? No
- Can I find out in advance how and why my data will be processed? Yes
- Are they legally responsible for the safety of my data? Yes
By telling your customer what you’re doing with their data, you build a relationship based on respect and trust.
For this reason, GDPR works in your favour because it gives your customers a sense of security on a fraud-filled internet.
When your potential customers feel safe, they will be more likely to shop in your store.
It’s hard to be too excited about the oncoming GDPR legislation. It simply creates more work for you, yes.
But it also makes you more accountable.
There’s no doubt that GDPR will be responsible for the death of brands that don’t want to become more secure and trustworthy, but this ultimately means less competition for you.
GDPR will be a breeze for you if you’re not shady or out to take advantage of people.
If you’re out to try and trick your customers into giving you their data, GDPR will burn you.
But if you’re up-front and trustworthy (most of all, transparent) with your data collection and processing, GDPR will be less of a headache.
What are your thoughts on the incoming GDPR?
Let us know your concerns in the comments!