One of the most important pieces of legislation that will impact ecommerce this year is the European Union General Data Protection Regulation (GDPR). With an implementation date of May 25, 2018, these updated regulations will give EU nationals much more control over their data. It applies to your company if you collect, record, organize, store, or perform operations on any data relating to an EU citizen (even if you’re not based in the EU).
The big picture is that GDPR will likely affect your company, and it’s not something you want to ignore: fines can be up to 4% of global turnover or 20 million euro (whichever is higher).
In this post, we break down the key aspects of GDPR, as well as what they mean for you (as a data controller) and us (as a data processor).
A data controller is any company that “determines the purposes and means of the processing of personal data” (you).
A data processor is any company that “processes and stores personal data on behalf of the controller” (us).
The best news is, if you’re mainly using SaaS products (e.g. Shopify and Hive) for your ecommerce business, you’re not going to have to change much. But it is important to know a little bit about the main areas that will be affected.
Here are the key aspects of GDPR:
Expanded Definition of Personal Data
What’s covered under personal data has been broadened - it includes any information that can directly or indirectly identify a person.
This all-encompassing definition includes:
- Email addresses
- Banking details
- Posts on social media
- Medical information
- IP addresses
- Randomly assigned codes used to track users for analytics
- (And more)
Once these new regulations are in place, almost all of the data you collect when someone visits your website or signs up for your mailing list will qualify as Personal Data under the GDPR. This means that it will regulate 99% of data collected on European citizens.
Clear and Easy User Consent
The next key aspect to note is changes to user consent. When the updates to GDPR kick in, giving and withdrawing consent have to be simple, unambiguous and expressly agreed to.
For example, whenever you collect a customer’s email - via purchase (Shopify already has this checkbox baked in), signup campaign, or other method - they’ll need to expressly opt in to receive email marketing. Pre-checked boxes and auto opt-in language don’t cover it. Users need to actually click a box to give consent. Later, when you’re sending email campaigns, there needs to be a straightforward way to unsubscribe or update subscription preferences (Hive already has this baked in).
More Control Over Data Rights
There are four key data rights: the right to access, the right to be forgotten, the right to data portability, and the right to notification of personal data breach.
The right to access. EU citizens have the right to know if and how their data is being processed, and for what purpose. If a customer requests it, data controllers (you) have to electronically provide a copy of their data, for free.
For example, when you receive a request from a European customer, you have to provide a list of how you’re using their data - whether that’s in Google Analytics, Hive, Shopify, or Facebook ads.
The good news is that looking this up is easy on your end when you’re using Hive or another software provider!
The right to be forgotten. This is also referred to as data erasure. If a customer asks, their data has to be removed from all the software you have in place (and remember, it has to be equally simple to give and withdraw consent).
The right to data portability. EU citizens can request that all of their personal data be provided in a commonly used, machine-readable format. Once you provide them with that data, they have the right to do with it whatever they’d like - including sending it to another company.
The right to notification of a personal data breach. Notification is required when the data breach is likely to “result in a risk for the rights and freedoms of individuals,” and it must be done within 72 hours of finding out about the breach. This regulation also applies to data processors (Hive). We’ll let you know “without undue delay” if we ever become aware of a breach - which really is just good business practice, pre- or post-GDPR.
What does this really mean for you?
First of all, it’s a good idea to get acquainted with the areas of your business that will be affected by GDPR - and you’re off to a great start having read this post!
When it comes down to it, if you’re mainly relying on third-party software providers to process your data, there’s not too much to worry about. GDPR requires data processors (like Hive) to give you the controls you need to stay compliant when data comes in from your customers. If you’re unsure whether your current software providers comply with GDPR, get in touch with them before May 25 to confirm.
What we’re doing at Hive
- We’re currently rewriting our terms, and ensuring that we have the necessary data models in place to store all of the data types required by GDPR, allowing for access and portability.
- We already have the functionality to collect and record consent (single or double opt-in) through all of our email collection tools, so no worries there!
- We have simple processes in place to let you easily comply with data erasure when it’s requested by a customer (you or they can email firstname.lastname@example.org to completely remove their data during the same business day).
Here are more resources if you want to do a deep dive: