You’ve opened your online shop and you’ve grown so much that you now want to look at expanding to posting to other countries too. That’s great news! However, if you are selling outside the UK, you need to make sure that you are compliant with their laws and that you know a little bit about how they like to do business.
There’s a new regulation coming to the European Union in 2018 called the General Data Protection Regulation (GDPR). You will need to know what it is and how it will affect you and your ecommerce business.
It is the European Union's new data privacy law. When it comes into force, it will be the most comprehensive data privacy law in the world. This means that no matter how big or small your business is, you are going to be impacted by it in one way or another (especially when it comes to how you collect and handle your customer data).
To be clear, even if you are not based in an EU country, if your customers are then you will be subject to it.
So, what does it mean?
In a nutshell, it specifically gives people the right to access, correct, delete, and restrict the processing of their data. It sets out strict guidelines on how you need to get customers to agree that you can use their data. This means making sure that you have their consent. If you plan on using your customers' data for marketing as well as for fulfilling their orders, then you need to pay attention to this.
It also means that you are now responsible for protecting any customer data you collect, even if you are using a third-party processor. You must ensure that your customers and website visitors have easy and clear access to exercise all their new rights.
What is ‘personal data’ under GDPR?
Personal data is classed as any information that can be linked to an individual (names, addresses, phone numbers, emails). If you want to be sure you have all bases covered, you can see a definitive list here: https://ico.org.uk/for-organisations/guide-to-data-protection/key-definitions/
When does it come into effect?
GDPR is due to come into effect on 25th May 2018, so make sure that you are prepared. Here are some things to consider:
- Do your third-party applications also comply with GDPR and if not, do you need to change to ones that do?
- If you don’t have a data protection officer where you work, do you need to appoint one?
- Should you start conducting Data Protection Impact Assessments?
- Will you be able to comply with the rights provided to your customers and users in GDPR? This includes the rights to access, correct, erase, and export their data.
Every business is different and you may discover that you don't need to change too much to comply. However, as with everything in business, it is always better to check first and make changes before an incident happens, rather than doing damage control afterwards.
There are some good resources online, but we cannot stress enough that it is important to double check with your business lawyer. They will be able to talk you through how it affects your business, and that way you can be sure that you are covered.