An eCommerce Expert Guide to Preparing for the GDPR

These days, it seems like every conversation circles back to online privacy and misuse of data. We recently watched Facebook CEO Mark Zuckerberg testify before the U.S. Senate regarding the use of personal data on Facebook — and the company’s subsequent scramble to rebuild its reputation as engagement declined post-scandal. Every day it seems like there’s a new data-related controversy to untangle.

With the public desire for a more anonymous internet and the private sector’s acknowledgment that collecting user data is good for business, the debate presses on. In the meantime, European countries are working to safeguard their citizens against data mismanagement, and the ramifications could be huge for businesses across the globe.

On May 25, 2018, European businesses will be forced to address the way they handle consumer data. As part of the General Data Protection Regulation (GDPR), businesses must give customers more control over how their data is collected, stored and ultimately used.

The regulation aims to strengthen data protection and privacy for citizens within the European Union, regardless of where the data-collecting company exists. In other words, if you’ve had a business that’s open to European customers, you need to be paying attention to the GDPR before it finally goes into effect. If your company processes data from EU users, then you should take some time to get to know this new regulation.

What is the GDPR? Common Questions and Answers

The GDPR was officially adopted on April 27, 2016, but it won’t become enforceable until May 25, 2018, due to a two-year transition period designed to help companies adjust to the new rules. In short, the regulation is meant to give consumers total control of how their data is collected and used. The EU defines personal data as “any information relating to an identified or identifiable natural person,” including birthday, address, phone number, salary, rent and IP address.

Here are a few common questions related to this critical regulation so that you can get a better understanding of whether you need to spend additional resources to prepare for this industry shift.

  • Can I be fined if I don’t comply?

    Yes, organizations that don’t comply with the new regulations will face heavy fines. The regulations dictate that any breach of the GDPR could result in a penalty of up to four percent of annual global turnover or €20 million (roughly $24 million), whichever is greater.

  • Does it apply to my business?

    The scope of the GDPR is decidedly huge. It applies to any company that processes data of European Union residents. With that being said, the regulation doesn’t apply if you use data exclusively for personal or household use, and it may be less stringent for companies with fewer than 250 employees. Regardless of the size of your business, you still have to keep detailed internal records and comply with the GDPR, but the record-keeping requirements are different.

  • Can U.S. companies be fined?

    U.S. companies will be held liable for non-compliance, and they can be fined to the same standards under international law. Even businesses without a physical presence in the European Union must abide the new regulation, say the experts.

  • What does the GDPR protect?

    The principal objective of the legislation is to give consumers clear, non-confusing opt-in language about data collection. It offers consumers eight individual rights: to be informed, to access, to rectify, to erase, to restrict processing, to have data portability, to object and to make decisions concerning automated decision-making and profiling.

  • How does the GDPR benefit consumers?

    The main benefit of the new regulation is that it keeps consumers’ data private, which means better protection for those who choose to remain private. As we’ll cover below, the new rules may have several measurable benefits for businesses.

What Does This Mean for eCommerce Businesses?

There’s no doubt about it. Understanding your consumer through eCommerce analytics tools like Springbot — which can efficiently gather valuable data on your consumers for things like retargeting ads, email marketing efforts and ad personalization — is generally a substantial investment for most online stores. You don’t have to stop relying on these valuable tools in the face of the GDPR and similar regulations, so long as you collect data responsibly. The bottom line is that personal data mining is incredibly murky, and most consumers only support it when they’re in control.

What the shift in rules represents is a push for more standardized data collection, which actually could mean better things for your business. In practice, it means that anytime you process a person’s data — whether they’re signing up for your email list or making a purchase — you have to give them the right to review, adjust, erase and restrict access.

In the bigger picture, it means that you’re putting the consumer first, improving your business’s cybersecurity and even safeguarding its reputation. When you’re collecting data from people who are willing to share it, you can still aggregate key analytics, and minimize customer dissatisfaction from people who don’t want their information stored.

Top Five Things You Should Do to Prepare

The most important thing you can do to get your business ready for the official GDPR implementation is to learn the law. The formal regulation is lengthy and filled with legal jargon, but there are quality online resources that provide an excellent summary of new rules around data collection. For example, the new law states that you must inform consumers of a data breach within 72 hours, that you must give consumers the right to access how their data is being used and that you must allow them to become “forgotten,” or removed from your system, upon request.

Next, it’s essential that you determine how the law will specifically affect your business. As mentioned, reporting aspects and record-keeping rules differ for small and medium-sized businesses (SMBs) compared with large-scale corporations, so you should be aware of your company’s responsibilities.

Naturally, there are many beneficial things you can do to get your business prepared for compliance. In addition to the recommended tips below, we suggest consulting with a legal advisor to ensure that your processes don’t contain any vulnerabilities.

1. Shift to Transparent Processes

The key takeaway from this regulation’s passage is that people want — and laws will enforce — the right for consumers to know everything about how their data is being used. That means that every single communication with consumers regarding data should be as transparent as possible. Understanding how your company processes data will help you determine whether it’s compliant — so know where your data is stored and how it’s being used.

  • Rewrite consent forms with clear language.
  • Get clear consent from users when you collect their data.
  • Switch from “opt-out” to “opt-in” language.
  • State why you process certain data.
  • Run a data protection impact assessment (DPIA).

2. Appoint Leaders and Share Information

Another important facet of this regulation is that some companies will be required to appoint a Data Protection Officer (DPO), who will be responsible for overseeing data protection processes within the company. Not all companies will need a DPO — only those that process vast amounts of personal data — but every company should designate a compliance leader who can help ensure that all the laws are being correctly followed.

  • Find out if your business requires a DPO.
  • Even if you don’t require a DPO, appoint a data privacy leader.
  • Alert every department of the new rules.
  • Decide how to handle data access requests.

3. Vet All Your Services

Companies are required only to use data processors that help to implement lawful data storage, which means that you should do a robust audit to make sure you don’t have any tools in place that may grossly disregard the new regulations. For example, if you use any analytics plug-ins, make sure they store and manage consumer data in a way that complies with the GDPR. Springbot is committed to helping customers obtain data in a way that’s legal and ethical.

  • Make sure any third-party services are in compliance.
  • Find out whether the tools you use require consent from the user.
  • Look for tools from partners to get your process up to speed.

4. Revamp Your Record-Keeping

One of the most daunting aspects of the GDPR is record-keeping. Because consumers now have the right to be informed about, access and erase their personal data, you have to be sure that your processes are meticulously recorded. You’ll also need to have on-demand access to customer data, should a consumer request it from you.

You must be able to identify and report personal data, regardless of whether you share it with third parties. One of the principal purposes of the more stringent record-keeping rules is to ensure that personal data is accurate. It will be up to you to record correct personal data and to update other organizations accordingly.

  • Get to know Article 30, which covers record-keeping.
  • Record the purpose of any data processing.
  • Keep records on categories of data subjects and recipients.
  • Record everything, beyond what’s required by Article 30.

5. Leverage Data the Right Way

Finally, the last thing you can do to get ready for the transition is to figure out the most responsible way to leverage customer data under these new regulations. The GDPR states that personal data must “be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.” Therefore, you can still use data for things like retargeting and other longer-term marketing efforts, so long as you inform the consumer that you plan to use it for the stated purpose.

  • Understand how long you’re allowed to keep personal data on record.
  • Develop a plan for when and how to destroy data after that time period.
  • Try to “anonymize” data as much as possible so you can store it for longer.
  • Identify which kinds of personal data present the highest risks.

Why it Matters

This all seems like a lot of work, right? But here’s the thing: The GDPR is good for the customer experience as much as collecting personal data is. That’s because, while consumers overwhelmingly prefer personalized experiences and recognize that data aggregation can lead to a more personal online experience, they also want to be entirely in control of their own data. And, since 92 percent of online shoppers cite security and privacy as a concern, such measures should be taken to make shopping online more private.

With all this in mind, it’s important that we all work to make new adjustments that will help us better cater to the customer without crossing important privacy boundaries. When it comes to marketing, sales and growing your business, the GDPR shouldn’t set you back.

Instead, it should change the way you do things for the better so that you cultivate happy, trusting and loyal customers. Thus, spending a little bit of extra time and money preparing your business for the GDPR will be well worth your efforts.


Do you have more GDPR questions or extra tips we may have missed?  Follow us on Twitter @springbot and share your thoughts using the hashtags #Springbot #GDPR.

1 Comment

  1. […] tax in every state where they have customers. This change, in combination with the update to the EU’s GDPR (General Data Protection Regulation), will likely lead to small eCommerce businesses needing […]