The GDPR: What Every E-Commerce Merchant Needs to Know Before May 25th
Posted Apr 26, 2018 by Kristen Pinkman, Ecwid Team

The 25th of May 2018 is the enforcement date of the GDPR, a new European data protection law.

This law can affect you as an e-commerce merchant even if you are not located in the EU. If you offer products or services to people in the EU, or monitor their behaviour (for example with analytics or tracking cookies), you are required to comply with the GDPR. Otherwise, you can face a heavy fine.

In this post, we’ve outlined what you need to know about this data protection law to prepare for the change. You’ll get an understanding of how to act to comply with the GDPR. Note that the requirements may vary from business to business, so please don’t take this information as legal advice.

The GDPR: What It Is 

The General Data Protection Regulation is a new data privacy law in the European Union. It aims to strengthen the rights of people in the EU to control how companies use their personal data, and it replaces the patchwork of national rules with a single set of requirements for processing personal data, including cross-border data flows.

What is personal data under the GDPR?

Under the GDPR, personal data is any information that can be used to directly or indirectly identify a person.

If customers enter their names, email addresses, and dates of birth on your website, you are collecting personal data. What if you track IP addresses to segment your website visitors by country? Yes, everything that can help identify a person counts.

If you collect data relating to an individual, his or her private, professional, or public life, you should make sure you comply with the GDPR.

How will the GDPR affect my business?

Generally speaking, you are now fully accountable for the personal data of EU residents that you collect, and for giving those people the means to control how their data is used.

  • You need a lawful basis for every use of customer data (marketing, sales, accounting, etc.); where that basis is consent, it has to be actively given, not assumed.
  • You must provide an easy way for your customers to access, correct, export, and erase the data they’ve shared with you.
  • You (or someone in your business) become responsible for the data you store and for reporting data breaches to your data protection supervisory authority (the ICO in the UK).

Violating the GDPR can cost you a fortune (up to €20 million or 4% of annual worldwide turnover, whichever is higher). Unless you can be sure that you sell to nobody in the EU and track nobody there, you’d better develop a compliant way of collecting and processing personal data.

If you collect any personal data of EU customers, take the necessary steps to comply with the GDPR before May 25th, 2018.

How to Comply With the GDPR

There are a number of required changes to your business processes, so our first recommendation would be to act immediately. Below, we are sharing the bare minimum to comply with the GDPR, but don’t forget to consult a lawyer for your particular case.

Let your team know about the change. Share this blog post with your employees and brief everyone who deals with customer data in a meeting.

You may need to appoint a Data Protection Officer. A DPO keeps track of GDPR compliance. Appointing a DPO is a must if your core activities involve large-scale, regular and systematic monitoring of individuals (such as behavioral tracking) or large-scale processing of special categories of data, such as health data.

Carry out an information audit to map flows of data that you collect. You should record in detail how customer data flows into, around and out of your organization. Document:

  • What personal data you hold (e.g. names, emails)
  • In what formats it comes to you (e.g. digital or on paper)
  • Where it comes from (e.g. phone, third-party services, social media)
  • How you store it (e.g. cloud service, third-party, your own office)
  • How you use it (e.g. how long it is held, who you share it with).

This process is needed to find out who is accountable for customer data at each stage. With your data audit in place, you’ll be able to identify any risks connected to the data flow.

Update your Privacy Policy. It’s officially required to have your Privacy Policy written in clear and concise language. You also have to provide easy access to it on your website.

What exactly do you write in your Privacy Policy to comply with the GDPR? Here’s the list of essentials (be very specific when writing that down):

  • What data you collect
  • Why you need it, and the lawful basis you rely on for each purpose (e.g. consent, performance of a contract, a legal obligation)
  • How you obtain it (phone, email, etc. — manually or automatically)
  • For how long you retain it (on a legal basis, e.g. due to product warranty duration)
  • Who you share it with (including any third-party services)
  • How users can access their data, change or delete it 
  • How they can opt out of your marketing messages.

If your organization does business in more than one EU member state, you will have to identify your lead data protection supervisory authority (normally the one in the country of your main establishment) and document it within your Privacy Policy.

You must update your customers about every change to your Privacy Policy. Don’t forget to communicate the updated document to your team, too.

Read how to manage legal pages in Ecwid.

Get opt-in consent where consent is your lawful basis for storing and using customer data. Users should be able to give a separate, clear opt-in consent for each purpose (for example, one checkbox for order updates and another for the newsletter) rather than a single blanket consent.

[Image: Catalystone displays a separate checkbox for the blog newsletter subscription in their sign-up form]

Your checkbox copy must clearly state what the users are consenting to and who they are giving consent to, including any third parties. No more pre-ticked checkboxes, consent hidden below the fold, or confusing language such as legalese and double negatives. Keep a record of when and how each consent was given, because you have to be able to demonstrate it.

[Image: Standard wording for opting into consent recommended by the ICO]

Read how to add a consent checkbox in Ecwid.

Develop a process to let customers easily access, correct, and erase their data. Under the GDPR, you must be able to provide customers with a copy of their personal data in a commonly used, machine-readable format (for example CSV or JSON) so that it is portable. If you are requested to provide customer data, you can find it in your Ecwid Control panel. In case of further questions, Ecwid can give you the information that it stores.

You should be able to correct inaccurate customer data promptly and let customers update their data-sharing preferences. If a customer wants to unsubscribe from your marketing emails, it needs to be easy. Include an “Unsubscribe” link in every marketing email you send. React to direct requests quickly: if a customer asks you to update their last name in your mailing list, you have to do it without undue delay and within one month at the latest.

EU customers can invoke the Right to Be Forgotten. If there is “no overriding legitimate interest” for you to keep their data, they can require you to erase it. Note that some records may still have to be retained, for example invoices that tax law obliges you to keep; in that case erase or pseudonymize the identifying fields you no longer need and document why the rest is kept. You should have processes in place to enable that. Ecwid can help delete personal data that it stores on your behalf.

For each case mentioned above, you should also take into consideration any third-party services you use that may have access to your customers’ personal data.
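The access and erasure process described above, as an added, self-contained example that is not Ecwid’s code or part of the original post. It assumes a store keeps a customer profile and a list of orders as plain Python records (the `sample_store` data is constructed for illustration), that the order warranty period is the legitimate interest that justifies retaining an order, and that the salt used for pseudonymization is kept secret by the merchant. An access request bundles everything held about one person into portable JSON; an erasure request deletes the profile, drops orders whose retention period has passed, and re-keys the orders that must be kept to a pseudonym with their identifying fields stripped.

```python
import copy
import hashlib
import json
from datetime import date


def sample_store():
    """Constructed sample records (not real people); fresh copies on each call."""
    customers = {
        "c-1001": {"name": "Anna Example", "email": "anna@example.com",
                   "birthdate": "1985-04-12", "newsletter": True,
                   "ip_history": ["203.0.113.7", "203.0.113.9"]},
        "c-1002": {"name": "Ben Example", "email": "ben@example.com",
                   "birthdate": "1990-09-30", "newsletter": False,
                   "ip_history": []},
    }
    orders = [
        {"order_id": "o-5001", "customer_id": "c-1001", "total": 49.90,
         "shipping_address": "1 Example St, Dublin", "date": "2018-03-02",
         "warranty_until": "2020-03-02"},   # still under warranty in May 2018
        {"order_id": "o-4001", "customer_id": "c-1001", "total": 12.00,
         "shipping_address": "1 Example St, Dublin", "date": "2015-01-10",
         "warranty_until": "2017-01-10"},   # retention period already over
        {"order_id": "o-5002", "customer_id": "c-1002", "total": 80.00,
         "shipping_address": "2 Example Rd, Lyon", "date": "2018-04-01",
         "warranty_until": "2020-04-01"},
    ]
    return copy.deepcopy(customers), copy.deepcopy(orders)


def export_personal_data(customer_id, customers, orders):
    """Access request: gather everything held about one person into one bundle."""
    if customer_id not in customers:
        raise KeyError("unknown customer: %s" % customer_id)
    return {
        "customer": customers[customer_id],
        "orders": [o for o in orders if o["customer_id"] == customer_id],
    }


def to_portable_json(bundle):
    """Portability: a machine-readable JSON document with stable key order."""
    return json.dumps(bundle, indent=2, sort_keys=True)


def _pseudonym(customer_id, salt):
    """One-way token; without the (assumed secret) salt the retained orders
    cannot be linked back to the customer id."""
    digest = hashlib.sha256((salt + ":" + customer_id).encode("utf-8")).hexdigest()
    return "erased-" + digest[:16]


def erase_personal_data(customer_id, salt, today_iso, customers, orders):
    """Erasure request: delete the profile outright. Orders still inside their
    warranty period (the assumed overriding legitimate interest) keep their
    financial fields but lose identifying ones and are re-keyed to a pseudonym;
    orders past the warranty period are dropped entirely."""
    if customer_id not in customers:
        raise KeyError("unknown customer: %s" % customer_id)
    today = date.fromisoformat(today_iso)
    del customers[customer_id]
    token = _pseudonym(customer_id, salt)
    kept, retained, dropped = [], 0, 0
    for o in orders:
        if o["customer_id"] != customer_id:
            kept.append(o)          # someone else's order: untouched
            continue
        if date.fromisoformat(o["warranty_until"]) < today:
            dropped += 1            # no remaining reason to keep it
            continue
        o = dict(o)
        o["customer_id"] = token
        o["shipping_address"] = "[erased]"
        kept.append(o)
        retained += 1
    orders[:] = kept  # mutate in place so the caller's list reflects the result
    return {"pseudonym": token, "orders_retained": retained, "orders_dropped": dropped}


if __name__ == "__main__":
    customers, orders = sample_store()
    print(to_portable_json(export_personal_data("c-1001", customers, orders)))
    print(erase_personal_data("c-1001", "store-secret-salt", "2018-05-25",
                              customers, orders))
    print(orders)
```

The same two functions are the place to fan out to any third-party services that hold a copy of the customer’s data (a mailing-list provider, an analytics tool), since an export or erasure that covers only your own database is incomplete.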

Detect, report, and investigate data breaches. If you become aware of a personal data breach, you must notify your supervisory authority within 72 hours unless the breach is unlikely to put people at risk, and you must inform the affected customers without undue delay when the breach is likely to result in a high risk to them (for example, leaked passwords or payment details). Keep an internal log of every breach, including the ones you decide not to report, and why.

You should process personal data in a way that ensures appropriate security. Take a look at your personal data map and ask yourself — is there any potential risk?

Ecwid protects the customer data it stores on your behalf. However, there are still precautions you need to take on your side:

  1. Never share your Ecwid store login and password with others. If you need to give someone else access, use Staff Accounts so that each person has their own credentials and can be removed individually. Use strong, unique passwords.
  2. If you’ve added Ecwid to your own website, make sure the whole site is served over HTTPS (with HTTP requests redirected to HTTPS), so that customer data is encrypted in transit between the browser and the server.
  3. Use only GDPR-compliant services and third-party apps, and sign a data processing agreement with each one that handles your customers’ data.

What Did Ecwid Do to Comply?

Ecwid collects, stores, processes, and shares personal data based on the GDPR guidelines.
We comply with the GDPR requirements in the following ways:

  • We have assigned a Data Protection Officer who is in charge of the Ecwid Data Protection Policy.
  • We’ve started to deliver GDPR-focused training to our key teams and personnel.
  • We have implemented a detailed procedure to deal with all data subject access requests, deletion requests, and government access requests.
  • We work only with sub-processors who provide an adequate protection of the personal data through robust technical and organizational measures.
  • We have developed a reliable method to detect, report, and investigate a personal data breach.
  • We have established the necessary records of data-processing activities.
  • We are certified under the EU-U.S. and Swiss-U.S. Privacy Shield frameworks. This arrangement calls for certified organizations to guarantee a level of security in line with the EU data protection law regarding the transfer of personal data from the EEA and Switzerland to the U.S.

The transition to the GDPR is easier for companies that use trusted cloud services like Ecwid than for those who rely on in-house servers or custom-built software. We have made sure that Ecwid complies with the GDPR to help your business get ready for the change.

About the author
Kristen is a content creator at Ecwid. She finds inspiration in sci-fi books, jazz music, and home-cooked food.