Are you putting the right processes in place to protect your customers’ privacy? Even if you’re not directly serving customers in the EU, the new GDPR laws could land your online business in even hotter water than the current laws would.
GDPR is an upcoming change in the way personal data is stored by companies. It affects any business that collects customer data (which, let’s face it, is almost every business, on or offline).
We know that running an online business can be tough at the best of times. But with the GDPR legislation imposing huge fines on businesses that aren’t compliant, this guide will save you time digging for information on the checks you’ll need to make.
What is GDPR?
GDPR, which is short for the General Data Protection Regulation, is a new law that affects how the data of EU citizens is kept. It’s the biggest shake-up in legislation since the Data Protection Act of 1998, and comes into effect on May 25, 2018.
These new rules have a huge impact on how small and large businesses store, collect and use the data they’ve gathered from customers, including names, addresses and, more importantly, emails.
Think about it: How many spam emails make their way to your inbox every day? Although they’re often stored away in the Junk folder, they still exist. GDPR aims to change that, and tackle the 14.5 billion spam messages sent every day.
How GDPR Affects eCommerce Brands
The GDPR laws affect any business that deals with customers in the EU. So if you’re a U.S.-based company with as little as one customer in the U.K., you’ll still need to be compliant with GDPR laws.
But what are those laws, and how do they affect eCommerce brands?
You Need Explicit Permission
Well, one of them affects how you collect customer data.
You’ll need explicit permission to email your customers, and they have complete control over the marketing material you send them.
Remember that not everyone is automatically ‘mailable’. People who’ve signed up to your lead magnet might not be fully aware that they’re joining your mailing list at the same time, so you’ll need to make sure this is clearly stated on all opt-in forms.
Here at Privy, we’re helping businesses with a focus on email marketing to be compliant. We automatically handle email opt-ins in a GDPR compliant manner, but it’s important to ensure that all of your data-related software is compliant, too.
Customers Have Complete Control of Their Data
GDPR also gives customers the right to completely control their data privacy.
If they no longer wish to hear from your company, they must be able to opt out immediately, without going through a lengthy unsubscribe process.
Your customers will also have the right to request the data you hold on them at any time. If you can’t provide it, or take too long to hand it over, you could land yourself in hot water.
4 Ways to Prepare Your Online Business for GDPR
If your eCommerce business is found to be non-compliant with GDPR legislation after the introduction date, you could be fined up to €20 million (approximately $24.6 million USD), or 4% of annual global turnover.
But, if you read that with an overwhelming surge of panic, don’t worry.
We’ve listed four easy steps to help your business prepare for the new GDPR law:
1. Understand Your Customer’s Journey
The first step to prepare your eCommerce business for GDPR is to understand your customer’s journey.
Now, even if you’re unsure what this means, or already think you know your sales funnels to a T, I urge you not to skip this step!
You might find that you’re automatically collecting data on people before they become customers. This can happen if you’re exporting the email addresses of your LinkedIn connections, or using data from your analytics to contact people who haven’t yet chosen to hear from you.
Since these people might not have explicitly opted in to hear from your brand, you could be GDPR non-compliant without realizing it.
Remember how we mentioned that customers can request to see the data you hold on them at any given time?
3. Appoint a Data Protection Officer
It’s also recommended that you appoint a Data Protection Officer (DPO) to handle all GDPR-related issues at your company. They’re responsible for making sure your business is compliant, and could:
- Educate your staff and keep them up to speed with the law
- Ensure all processes are GDPR-compliant
- Handle requests from customers about viewing or deleting the data held on them
Now, if you’re a large-scale company, appointing a DPO is a legal requirement. In this case, it might be wise to appoint someone on your legal, data or IT team to be your business’ DPO.
Small businesses with fewer than 250 employees aren’t obliged to appoint a DPO, but having one person in charge of your business’ relationship with data is still a great idea.
A manager from your marketing team or the CEO could take on this role, but remember to assign it to the person with the most experience in data-related tasks. (For example, an email marketer might be more suitable than a warehouse worker.)
But if you’re a one-person band, it’s your duty to become your business’ DPO!
4. Be Aware of Processes for Data Breaches
Although the new GDPR rules mainly focus on how customers control their data, you mustn’t forget about reporting data breaches.
A data breach happens whenever you haven’t protected the data you hold, whether you accidentally placed a file containing customer details in a public folder or made a mistake when uploading data to your software.
Data breaches - no matter how small - must be reported within 78 hours.
The process for reporting a data breach is described on the GDPR website, so take the time to learn it. Not only will you save time (and avoid a fine), but you’ll know the best practices for informing your customers about the issues with their data.
If you have any questions about the upcoming GDPR laws and how they affect you as a Privy customer, we’d be happy to help. Let’s tackle data protection one email at a time!