E-commerce merchants that collect any online data from citizens of the European Union (E.U.) need to be compliant with the General Data Protection Regulation (GDPR) — a new E.U. privacy regulation going into effect May 25, 2018.
When it goes into effect, GDPR will be the most comprehensive privacy law ever enacted and will dramatically change how companies collect, use, transmit and store data on E.U. citizens.
May 25 is just around the corner, so let’s look at the intent of the regulation, the risks of not complying, and the steps merchants can take to ensure GDPR compliance.
What GDPR Is and Why It’s Important
As a supplement to the E.U.’s 1995 Data Protection Directive, GDPR mandates how companies handle the personal data of residents of any of the 27 E.U. member states. Specifically, it gives consumers the right to access, change, remove, and restrict processing of their personal data.
What Is Personal Data?
“Personal data,” when it comes to the GDPR, has a very broad definition: It’s any information companies process that can be linked to an individual. That ranges from directly identifying information (Social Security numbers, physical addresses, names, etc.) to data that, on its own, couldn’t identify a specific person (IP addresses, behavioral data, ethnic origin, etc.).
GDPR also requires companies to obtain explicit approval from consumers before collecting any data. “Explicit approval” means no more prepopulated consent forms or single-click agreements — consumers must manually opt in to give consent.
A company must also make it clear who’s collecting the data, why it’s being collected, how they will protect that data, and how long they will keep it.
Even more important, companies must now offer consumers a clear way to access their personal data and be able to easily change subscription preferences and delete their personal data at any time.
The Cost of Noncompliance — and How to Avoid Penalties
Compliance with GDPR isn’t optional, and there’s no grace period for becoming compliant, either. But while retailers may think the cost of complying with GDPR is prohibitive, the penalties for noncompliance are even worse.
Companies that fail to comply with the new regulations will face sanctions that can reach as high as €20 million (nearly $25 million) or 4% of annual revenue — whichever is greater.
GDPR affects every company that collects or processes the data of any E.U. citizen, regardless of where the citizen is located, where the company is based, what industry it’s in, or how big it is.
To prepare for the May deadline, merchants should implement multiple new GDPR compliance best practices, including:
1. Collect only data that’s needed. If you aren’t going to use the information (e.g., employer, phone number), don’t ask for it.
2. Deactivate any prechecked boxes on opt-in and consent forms, and remove any default opt-ins. Inactivity and precompleted forms don’t constitute consent.
3. Update privacy policies and disclosure documents to inform customers who is collecting and viewing their data and how the data is being stored.
4. Be transparent: provide links in website footers for unsubscribing, to terms and conditions, and to privacy policies.
5. Confirm your third-party vendors and tools are GDPR-compliant.
6. Review your processes for obtaining customer consent and ensure you have that consent from current customers.
7. Confirm that any data you or third parties collect from consumers is secure against external threats.
8. Establish procedures for fulfilling requests for personal data within the mandatory one-month response timeframe.
9. Ensure methods are in place to document consent, including what was consented to and how, and for consumers to withdraw consent.
10. Establish procedures for notifying customers within 72 hours of a data breach.
In the end, GDPR compliance comes down to honesty and transparency. When you’re clear and upfront, compliance becomes simpler. But remember: Every business is different and requires different preparation for GDPR compliance. So consider consulting a lawyer to understand how GDPR will affect your business and what your responsibilities are.
Protecting Each of Your Customers
Even if your company isn’t affected by GDPR this May, improving security is always a smart business move. Privacy is a big concern for customers and merchants worldwide — not just those in the European Union — so an increased awareness today of how to secure customer data may give you a competitive advantage tomorrow, if and when GDPR expands worldwide.
While ensuring compliance with GDPR regulations may seem overwhelming, protecting clients against fraud doesn’t have to be. ClearSale is a global pioneer and trusted leader in fraud protection solutions, helping businesses confidently approve more legitimate transactions and safely and securely grow their business.
Contact us today to learn why companies around the world put their trust in ClearSale.