The GDPR: What Every E-Commerce Merchant Needs to Know Before May 25th
The 25th of May 2018 is the date the GDPR, the European Union's new data protection law, becomes enforceable.
This law can affect you as an
In this post, we’ve outlined what you need to know about this data protection law to prepare for the change. You’ll get an understanding of how to act to comply with the GDPR. Note that the requirements may vary from business to business, so please don’t take this information as legal advice.
The GDPR: What It Is
The General Data Protection Regulation is a new data privacy law in the European Union. It aims to strengthen the rights of people in the EU to control how companies use their personal data. The law unifies the requirements for personal data processing in
What is personal data under the GDPR?
Under the GDPR, personal data is any information that can be used to directly or indirectly identify a person.
If customers enter their names, email addresses, and dates of birth on your website, you are collecting personal data. What if you only track IP addresses to segment your website visitors by country? That counts too: an IP address is an online identifier, and anything that can help identify a person, on its own or in combination with other data, is personal data.
If you collect data relating to an individual, his or her private, professional, or public life, you should make sure you comply with the GDPR.
How will the GDPR affect my business?
Generally speaking, you are the data controller: you are responsible for the personal data of people in the EU that you collect, and for giving them the ability to control how their data is used.
- You need a lawful basis for every use of customer data. Fulfilling an order rests on the contract with the customer, keeping accounting records on a legal obligation, and marketing usually on consent, which must be an active, explicit opt-in.
- You must provide an easy way for your customers to access, change, and erase the data they’ve shared with you.
- You (or someone in your business) become responsible for the data you store and for reporting personal data breaches to your supervisory authority (the ICO in the UK).
Violating the GDPR can cost you a fortune (up to €20 million or 4% of annual worldwide turnover, whichever is higher). The regulation applies to you if you offer goods or services to people in the EU or monitor their behaviour, wherever your business is based. Unless you are certain that neither applies to your website or mobile application, you’d better develop a compliant way of collecting and processing personal data.
If you collect any personal data of EU customers, take the necessary steps to comply with the GDPR before May 25th, 2018.
How to Comply With the GDPR
There are a number of required changes to your business processes, so our first recommendation is to act immediately. Below we share the bare minimum needed to comply with the GDPR, but don’t forget to consult a lawyer for your particular case.
Let your team know about the change. Share this blog post with your employees and brief everyone who handles customer data.
You may need to appoint a Data Protection Officer. A DPO keeps track of GDPR compliance. Appointing a DPO is a must if you process
Carry out an information audit to map flows of data that you collect. You should record in detail how customer data flows into, around and out of your organization. Document:
- What personal data you hold (e.g. names, emails)
- In what formats it comes to you (e.g. digital or hard paper)
- Where it comes from (e.g. phone, third-party services, social media)
- How you store it (e.g. cloud service, third-party, your own office)
- How you use it (e.g. how long it is held, who you share it with).
This process is needed to find out who is accountable for customer data at each stage. With your data audit in place, you’ll be able to identify any risks connected to the data flow.
- What data you collect
- Why you need it, and on what legal basis (e.g. consent or a contract)
- How you obtain it (phone, email, etc. — manually or automatically)
- For how long you retain it, and why (e.g. for the duration of the product warranty)
- Who you share it with (including any
- How users can access their data, change or delete it
- How they can opt out of your marketing messages.
Read how to manage legal pages in Ecwid.
Your checkbox copy must clearly state what the users are consenting to and who they are giving consent to. The box must be unticked by default: a pre-ticked box, or silence, does not count as consent.
Read how to add a consent checkbox in Ecwid.
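Consent is only useful if you can later demonstrate it and honour its withdrawal. The following is an added example, not Ecwid code or a description of how Ecwid stores consent: it records one entry per purpose with the exact wording the customer saw, treats a missing or non-boolean value as "no", and keeps an append-only ledger so withdrawal is a single call. The purpose names, the checkbox copy, the field names and the in-memory ledger are all assumptions.

```python
"""Record consent so that it can be demonstrated and withdrawn later.

Added example for this post, not Ecwid code. The purpose names, the checkbox
copy, the in-memory ledger and the field names are assumptions.
"""
from datetime import datetime, timezone

# Constructed copy shown next to each (unticked) checkbox, one purpose per box.
CONSENT_COPY_VERSION = "2018-05-01"
CONSENT_COPY = {
    "newsletter": "I agree that Example Store may email me product news. "
                  "I can unsubscribe at any time.",
    "profiling": "I agree that Example Store may analyse my purchases to "
                 "personalise offers.",
}

# Append-only ledger: a record is never edited; withdrawal adds a new one.
LEDGER = []


def validate_submission(submission):
    """Return a list of problems with a posted form; an empty list means OK.

    The web layer maps a ticked box to True and an absent box to False before
    calling this. Anything else ("on", 1, "yes") is rejected so that a
    defaulted or pre-ticked field can never be stored as consent, and an
    unknown purpose is rejected rather than silently accepted.
    """
    problems = []
    for purpose, value in submission.items():
        if purpose not in CONSENT_COPY:
            problems.append(f"unknown purpose {purpose!r}")
        elif value is not True and value is not False:
            problems.append(f"{purpose}: expected explicit True/False, got {value!r}")
    return problems


def capture_consent(submission, subject_id, now=None):
    """Store one record per purpose, with the exact wording the person saw.

    A purpose missing from the submission is recorded as refused: silence is
    not consent.
    """
    problems = validate_submission(submission)
    if problems:
        raise ValueError("; ".join(problems))
    stamp = (now or datetime.now(timezone.utc)).isoformat()
    records = []
    for purpose, text in CONSENT_COPY.items():
        records.append({
            "subject_id": subject_id,
            "purpose": purpose,
            "event": "given" if submission.get(purpose, False) else "refused",
            "copy_version": CONSENT_COPY_VERSION,
            "copy_text": text,
            "timestamp": stamp,
        })
    LEDGER.extend(records)
    return records


def withdraw_consent(subject_id, purpose, now=None):
    """Withdrawal must be as easy as giving consent: one call, no questions."""
    record = {
        "subject_id": subject_id,
        "purpose": purpose,
        "event": "withdrawn",
        "copy_version": None,
        "copy_text": None,
        "timestamp": (now or datetime.now(timezone.utc)).isoformat(),
    }
    LEDGER.append(record)
    return record


def has_consent(subject_id, purpose):
    """True only if the latest event for this subject and purpose is 'given'."""
    for record in reversed(LEDGER):
        if record["subject_id"] == subject_id and record["purpose"] == purpose:
            return record["event"] == "given"
    return False


if __name__ == "__main__":
    capture_consent({"newsletter": True}, "customer-1")
    print(has_consent("customer-1", "newsletter"))   # True
    withdraw_consent("customer-1", "newsletter")
    print(has_consent("customer-1", "newsletter"))   # False
```

Storing the copy text and version with each record matters because the wording is what the customer actually agreed to; if you later change the copy, earlier records still show what was consented to at the time.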
Develop a process to let customers easily access, correct, and erase their data. Under the GDPR, you must be able to provide customers with a copy of their personal data in a structured, commonly used, machine-readable format. If you are asked for a customer’s data, you can find it in your Ecwid Control panel. In case of further questions, Ecwid can give you the information that it stores.
You should be able to correct inaccurate customer data promptly and let customers update their
EU customers can invoke the right to erasure (the “right to be forgotten”). If there is no overriding legitimate interest or legal obligation for you to keep their data, they can require you to erase it. You should have processes in place to enable that. Ecwid can help delete personal data that it stores on your behalf.
For each case mentioned above, you should also take into consideration any
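The three requests above (access, portability, erasure) are easiest to get right when they are implemented as functions over your data map rather than handled by hand each time. The following is an added example, not Ecwid code: it serves one subject's data and nothing else, exports it as JSON, and on erasure deletes the profile and marketing data outright while keeping recent invoices for accounting under a keyed pseudonym. The record layout, the six-year invoice retention period and the pseudonymisation key are assumptions.

```python
"""Access, portability and erasure requests over a small in-memory store.

Added example for this post, not Ecwid code. The record layout, the six-year
invoice retention period and the pseudonymisation key are assumptions.
"""
import hashlib
import hmac
import json
from datetime import date, timedelta

# Constructed sample data, not real customers.
PROFILES = {
    "c1": {"name": "Ada Example", "email": "ada@example.com",
           "birthdate": "1990-04-02", "last_ip": "203.0.113.7"},
    "c2": {"name": "Bob Sample", "email": "bob@example.com",
           "birthdate": "1985-11-20", "last_ip": "198.51.100.9"},
}
ORDERS = [
    {"invoice": "INV-1001", "customer_id": "c1", "date": "2010-06-01",
     "total": 49.00, "items": ["mug"], "ship_to": "1 High St, Dublin"},
    {"invoice": "INV-1002", "customer_id": "c1", "date": "2018-03-01",
     "total": 120.00, "items": ["lamp"], "ship_to": "1 High St, Dublin"},
    {"invoice": "INV-1003", "customer_id": "c2", "date": "2018-03-02",
     "total": 15.00, "items": ["pen"], "ship_to": "2 Low Rd, Berlin"},
]
MARKETING = {"c1": {"newsletter": True}, "c2": {"newsletter": False}}

# Assumed: tax rules require invoices to be kept for six years; that is the
# overriding legitimate interest that survives an erasure request.
RETENTION_DAYS = 6 * 365
# Assumed secret, kept outside the data store; without it the pseudonyms
# cannot be linked back to a person.
PSEUDONYM_KEY = b"example-key-rotate-me"


def _customer_id(email):
    for cid, profile in PROFILES.items():
        if profile["email"].lower() == email.lower():
            return cid
    return None


def subject_data(email):
    """Access request: everything held on one subject, nothing on anyone else."""
    cid = _customer_id(email)
    if cid is None:
        return None
    return {
        "profile": PROFILES[cid],
        "orders": [o for o in ORDERS if o["customer_id"] == cid],
        "marketing": MARKETING.get(cid, {}),
    }


def export_subject_data(email):
    """Portability: the same data in a structured, machine-readable format."""
    data = subject_data(email)
    return None if data is None else json.dumps(data, indent=2, sort_keys=True)


def pseudonym(cid):
    """Keyed one-way token. A plain hash of an email could be reversed by
    guessing likely addresses; an HMAC cannot be reversed without the key."""
    return hmac.new(PSEUDONYM_KEY, cid.encode(), hashlib.sha256).hexdigest()[:16]


def erase_subject(email, today=None):
    """Erasure with a retention carve-out.

    Profile and marketing data are deleted outright. Invoices still inside the
    retention window are kept for accounting but stripped of the delivery
    address and re-keyed to a pseudonym; invoices past the window are deleted.
    `today` (ISO date string) is a parameter so the result is reproducible.
    """
    cid = _customer_id(email)
    if cid is None:
        return {"found": False}
    today = date.fromisoformat(today) if today else date.today()
    cutoff = today - timedelta(days=RETENTION_DAYS)
    token = pseudonym(cid)
    kept = deleted = 0
    for order in list(ORDERS):
        if order["customer_id"] != cid:
            continue
        if date.fromisoformat(order["date"]) < cutoff:
            ORDERS.remove(order)
            deleted += 1
        else:
            order["customer_id"] = token
            order.pop("ship_to", None)
            kept += 1
    del PROFILES[cid]
    MARKETING.pop(cid, None)
    return {"found": True, "orders_pseudonymised": kept, "orders_deleted": deleted}
```

Two points a practitioner should note: the export is built from the customer's own identifier, so it can never leak another customer's rows, and the retained invoices are linked only by an HMAC of the internal id, so destroying the key later turns them into anonymous accounting records.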
Detect, report, and investigate data breaches. If you become aware of a personal data breach, notify your supervisory authority within 72 hours, unless the breach is unlikely to result in a risk to the people affected. If it is likely to result in a high risk to them, you must also tell the affected customers without undue delay. Keep a record of every breach, including those you decide not to report.
You should process personal data in a way that ensures appropriate security. Take a look at your personal data map and ask yourself — is there any potential risk?
Ecwid protects the customer data it stores on your behalf, but you remain responsible for who can reach it and how it is used, so there are still precautions you need to take:
- Don’t share your Ecwid store login/password with others. If you need to give access to someone else, use Staff Accounts so that each person uses their own credentials. Use a strong, unique password.
- If you’ve added Ecwid to your website, make sure it runs on HTTPS and uses
- Use only GDPR-compliant services and third-party apps.
What Did Ecwid Do to Comply?
Ecwid collects, stores, processes, and shares personal data in line with the GDPR.
We comply with the GDPR requirements in the following ways:
- We have assigned a Data Protection Officer who is in charge of the Ecwid Data Protection Policy.
- We’ve started to deliver GDPR-focused training to our key teams and personnel.
- We have implemented a detailed procedure to deal with all data subject access requests, deletion requests, and government access requests.
- We work only with sub-processors who provide adequate protection of personal data through robust technical and organizational measures.
- We have developed a reliable method to detect, report, and investigate a personal data breach.
- We have established the necessary records of
- We are certified under the EU–U.S. and Swiss–U.S. Privacy Shield frameworks. This arrangement calls for certified organizations to guarantee a level of security in line with EU data protection law regarding the transfer of personal data from the EEA and Switzerland to the U.S.
The transition to the GDPR is easier for companies that use trusted cloud services like Ecwid than for those who rely on