If you’re anything like most of us, right about now you’re probably sick of your inbox being flooded with “privacy updates” from companies far and wide, many of which you may not even remember subscribing to in the first place.
Why are obscure companies suddenly reaching out? You can blame the GDPR deadline.
Compliance with the new EU GDPR requirements is something companies are taking seriously, and for good reason: businesses that are found to be in violation face hefty fines of 22 million EUR or four percent of their global revenue. Then, of course, for major organizations with their reputations on the line, there’s also the potential for non-compliance to result in damaged customer trust and even lower revenue.
So what does it all mean? What do the new regulations require, and as an e-commerce store, do you need to ensure compliance yourself?
Let’s take a look now.
GDPR: What Is It?
In a nutshell, the European Union General Data Protection Regulation (GDPR) is a set of requirements for organizations concerning the processing of personal data. GDPR outlines the responsibility of companies to ensure the privacy and protection of this data. This law applies to companies that provide services or sales to EU countries, or that hold data on EU citizens. The law is effective May 25, 2018, and companies that are not compliant could be subject to heavy fines.
So for US-based companies selling only in the US, there’s no need to worry about these changes, at least for now, especially if you ensure that your customers and visitors only come from the US.
However, if your customer base includes any country inside of the EU, then you’ll need to ensure compliance with the GDPR. Additionally, if you’d like to expand your operations to include a more global customer base and your plans for expansion include the EU, then you’ll want to start taking steps towards becoming compliant.
For companies in the US, ensuring compliance with yet another set of laws can seem tedious, and you may be tempted to evade the issue by simply excluding Europe from your customer base. However, it’s important to keep in mind that overall, ensuring compliance with the new laws isn’t exactly a bad thing.
For companies that comply with these laws, there are a number of benefits to be had: additional customer security, improved customer trust, and of course, increased revenue as you expand your market. Additionally, there’s never anything wrong with stepping up your security practices.
After all, no matter how you look at it, anything that helps to safeguard customer information can only be a good thing.
Ensuring Compliance: What’s It All Mean?
While companies far and wide are rushing to ensure compliance, some are taking the issue just a bit too far.
Since the regulations are so new and have yet to play out practically, there’s a lot of misinformation on GDPR, and flawed advice on which steps should be taken. Unfortunately, the lack of clarity on some of the issues, coupled with the unsavory prospect of a 22 million EUR fine has resulted in some people taking their compliance efforts to the extreme.
I’ve heard of some so-called experts claiming that marketers need to delete all of their customer information and start again from scratch. Other supposed experts claim that it just might be a good idea to remove customer names from invoices. I’ve even heard of some mention that you should avoid taking photos of events or in public.
“But, while ‘GDPR-phobia’ may be understandable,” writes Tim Woods on Information Management, “it’s not necessary.”
The fact is that companies have always had to comply with regulations. This latest update is nothing new.
“Organizations have been working to comply with various government regulations for decades;” writes Woods, Vice President of technology alliances at FireMon. “The GDPR is just the latest law taking the world by storm. And the data protection methods needed to adhere to the GDPR are not new – in fact, they’re measures that have served as the foundation of information security and compliance efforts for more than 20 years.”
So for companies who already take data protection seriously, and have been proactively taking steps to safeguard customer data, there’s a good chance that it won’t take too much to bring your company into compliance. In fact, you may already be there.
Looking to ensure compliance?
Spamming your subscribers may not be the best option. In fact, according to some experts, most of the emails you’ve been receiving may themselves be completely pointless.
As Toni Vitale, the head of regulation, data and information at the law firm Winckworth Sherwood, told The Guardian: “Businesses are not required to automatically ‘repaper’ or refresh all existing 1998 Act consents in preparation for the GDPR.”
So if a business had permission to communicate with a customer before GDPR, then that consent should carry over. And, as Harvey Day explains in his article on ShortList, “If the business didn’t have the proper permission before GDPR, then it probably shouldn’t be emailing you anyway.”
In fact, somewhat ironically, in many cases the senders of those annoying emails, at least those targeting customers in the UK, may themselves be breaching another set of laws: the Privacy and Electronic Communications Regulations. Similar to the US National Do Not Call Registry, these UK regulations make it an offense to email people asking for consent to send them marketing emails.
All jokes aside though, instead of spamming their subscribers, companies may do better to adopt what Steve Wood, the UK’s Deputy Information Commissioner, calls a “data protection by design approach.” They should ask, “Where can this information be embedded to have the best impact?”
While the GDPR document in its entirety is long and quite complicated, let’s take a look at some of the key GDPR requirements that are most likely to impact you.
- Take a Risk-Based Approach to Safeguarding Data: First, organizations are required to determine the right data protection methods for their company in order to remove as much risk as possible. This means taking a good look at your existing network infrastructure and the potential hazards that may occur. “Knowing your assets is a fundamental component of any information security program, and it’s equally important for GDPR compliance,” writes FireMon’s Tim Woods. “Network topologies reveal just how these assets can communicate and travel, and therefore signal transferable compromise and potential points of non-compliance. And network policies can help you move beyond what you have (assets) and how they relate (topologies) to what is allowed within context and framework.” It’s also important to look for vulnerabilities and evaluate the risk of threats, exposures, attackers and security breaches.
- Lawful, Fair, and Transparent Processing: If you process personal data, you’re required to do so in a fair and transparent manner. This means that all processing and collection of data should be done for a legitimate reason. Transparency requires that you inform your subscribers or customers about the processing activities performed on their personal data.
- Data Subject’s Rights: The customers or subscribers you hold data on have the right to ask you what information you have on them and what you do with it. They can also ask for corrections, object to processing, lodge a complaint, or ask for their personal data to be deleted.
- Obtaining Consent: Should a company intend to process personal data beyond the legitimate purpose for which the data was initially collected, permission must be obtained from the data subject, and this consent must be documented. Take a look at the article “Is consent needed? Six legal bases to process data according to GDPR” to see how you can determine whether consent is required. Note: it isn’t always!
- Handling a Data Breach: Companies must also maintain a Personal Data Breach Register. Based on the severity of the breach, the data subject should be informed within 72 hours of a breach being identified.
- A Privacy by Design Approach: Companies should seek to incorporate systems that are designed to protect personal data by default.
- Establish Technical Measures to Validate that Data Is Protected: Organizations are also required to demonstrate that data is protected. This means performing regular analysis and taking action when any security risks are identified. “There are five standard methods of analysis that can help organizations validate that their data is protected and GDPR-compliant – security configuration assessments, attack simulations, traffic flow analysis, quantitative risk scores and audits,” writes Tim Woods. “Your organization is likely already using at least one of these processes already.”
- Data Transfers: As a company, you have a responsibility to ensure that your customer data is protected, even if that processing is being done by a third party.
- Provide Awareness and Training: For companies with employees, it’s important to make them aware of the key GDPR requirements. Companies should conduct regular training sessions to ensure that employees are aware of their responsibility to safeguard customer data.
- Compliance Is an Ongoing Process (Data Protection Impact Assessment): Finally, GDPR compliance is an ongoing process. When a new and significant change or process is introduced, a data protection impact assessment must be conducted. Also, companies are required to monitor their network in real time to ensure that everything is well. The GDPR also states that organizations must have “a process for regular testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of [data] processing.” “Organizations are called to maintain ongoing, real-time, continuous compliance,” writes Woods. “Real-time monitoring, scaled data ingest (that supports high-throughput) and customizable reporting – all things that your organization is likely already doing to demonstrate continuous compliance with other regulations – can help you easily satisfy this GDPR mandate.”
For most reputable and security-minded companies and marketers today, there’s a good chance that you’re already doing most, if not all, of the above.
Tips for obtaining emails for marketing in a compliant way:
- Don’t try to “trick” people into subscribing. Make it clear what they’re opting into.
- Don’t collect data for dubious purposes. Make your intent clear.
- If you’re profiling people to send them marketing messages, inform them, and give them the option to opt out.
- Make it easy for your subscribers to opt out of your mailing list at any time.
The good news for e-commerce stores is that using third-party plugins can be a great way to help ensure compliance, at least in part, without having to do any heavy lifting. As long as you use a plugin or tool that’s itself GDPR compliant, that is! Just keep in mind that keeping customer data safe ultimately remains your responsibility, even if you’re using a third-party tool.
When it comes to WordPress plugins, at least, there are a few different plugins that you can use. The one that seems to be the most comprehensive is a plugin simply called GDPR. This plugin is meant to assist a controller, data processor, and data protection officer (DPO), and claims to meet the obligations and rights enacted under the GDPR.
You still need to write and generate all of your own privacy policies, but it does a lot of the work for you when it comes to:
- Consent management
- Privacy management for cookies (Banners and user-interface)
- Rights to erase/export user data
- Encrypted audit logs for the lifetime of data subject compliance
- Sending data breach notification logs and batch email notifications to data subjects.
- Form creation including compliance forms, user data export request form, and user delete request form
In addition to WordPress, if you’re using Shopify, MailChimp, Amazon, or Google products, these companies have also made strides toward becoming GDPR compliant, and they have tools that you can use to be compliant as well.
If you’re thinking of expanding your market and offering your services to EU customers, then it’s a good idea to begin working on implementing systems and protocols that are in line with GDPR regulations. For EU-based companies, May 25, 2018 is the deadline for ensuring compliance. And for everyone else, let’s hope that we’ll see a lot fewer “privacy update” emails arriving in our inboxes, as the rush to ensure compliance begins to fade.
Note: While this article is intended to inform and educate, it shouldn’t be taken as legal advice. I’m not a legal advisor. These are just my personal thoughts and attempt to make sense of the new legislation.
Is your company looking to sell to EU countries? What steps have you taken to ensure GDPR compliance?