It is important to note that nothing below can be interpreted as legal advice. We are not lawyers, nor do we try to play them on the internet. But, in doing a bit of research, we wanted to share a few things we learned. We highly recommend you seek legal advice for specific details, questions, and implementation of GDPR.
So, without any further disclaimers, let’s investigate what we know about GDPR.
What is GDPR?
The General Data Protection Regulation, or GDPR, is the latest European Union (EU) privacy legislation. It goes into effect on May 25th, 2018, and it has sweeping implications for businesses of all sizes that do any amount of business within the EU.
GDPR is being put into place to protect individuals’ personal data. Thus, everything in GDPR concerns personal data.
GDPR requires businesses:
- to get explicit consent for every activity a business performs with regard to personal data;
- to give individuals the ability to see what personal data of theirs is being processed;
- to give individuals the ability to be erased completely from a company’s system;
- to tell the individual, within a few days, if there has been a breach of their personal data.
These are just some of the areas that GDPR covers. There are many more elements to the law, and we will discuss a few of the highlights and the areas most important for eCommerce below.
What is Considered Personal Data?
Before we dive into more of the specifics of GDPR, we should go over what GDPR considers personal data. Personal data can be a bit vague, so here is a bit of clarity.
Personal data is any information that can be used to personally identify an individual. This can be an email address, IP address, name, phone number, business email, and even a business IP address. Keep in mind, these are just a few examples of personal data.
What this overview of personal data means is that both personal and business details are considered personal data. That means consumer brands and business-to-business brands are affected by GDPR equally.
Roles in GDPR
Companies and individuals play different roles in GDPR. Individuals are referred to as data subjects. A company, however, can be a couple of things: a data controller, a data processor, or both a data controller and a data processor. A company can even be a data controller for some data and only a data processor for other data.
It can be a bit confusing, but each of these three roles is defined as follows.
GDPR defines a “data subject” as:
Identified or identifiable natural person[s].
A data subject is the individual. This is who GDPR is designed to protect. And, it is the data subject that is referred to when personal data is being referenced. The data subject is identified by personal data like email, name, and IP address.
Another important role is the data controller. GDPR defines the “data controller” as:
The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
In short, the data controller is the party that is storing and processing the data. They own the servers where the data is kept, and they own the processes that handle it.
The controller has an important responsibility to the data subject and their personal data.
The third important role to understand is the data processor. GDPR defines the “data processor” as:
A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
In summary, the data processor is like a data middleman. A typical data processor relationship is one where a company is using third-party software. The company collects the data, then stores the data with the third-party software. In this case, the company is the data processor and the third-party software is the data controller.
The distinction between these three roles is important. The most important distinction is between the data controller and the data processor, as each has different responsibilities.
When implementing your GDPR strategy, be sure to understand what your role is in a given situation.
GDPR Updates You Need to Address
As we approach the official date for GDPR to take effect, there are certain updates that companies need to make prior to May 25th. Some are easy, others technical, and some require an organizational shift.
Some of the most important updates you need to address are the following.
Data Subject Consent
An important area of GDPR is consent. A data subject needs to consent to everything separately, which means there cannot be bundled consent.
This might be a bit confusing, so let’s use an example.
Take a contact who downloads an eBook and, in the process, is opted in to a newsletter. By filling out the form, they are consenting only to that eBook, unless they separately opt in to the newsletter as well.
To be emailed about anything other than that eBook, separate consent has to be given each time.
But don’t worry, the next section discusses how to structure your forms for proper opt-ins.
Form Submission Opt-in
How forms are structured has to be updated as well. Hidden fields and fields which are “pre-checked”, in other words a “soft opt-in”, can no longer be used.
All opt-ins have to be explicit. That means that on a given form there needs to be a line item for each data processing activity you wish to perform with a contact’s data.
Request a Data Processing Report
An important update with GDPR is that a data subject has the right to request what data of theirs you are processing. That means, if a data subject asks, a company must provide all the data that is collected and being processed.
Most often, if third-party software like Shopify or Magento is being used, it will have this capability. Just ensure the third-party software is GDPR compliant.
The Right to be Forgotten
The last item we will discuss is the right to be forgotten. This means that a data subject can request to be deleted from your database, and this has to be honored: the data subject has to be deleted from your database and servers. It is as if you never knew the data subject.
Again, GDPR compliant third-party software should have this capability built in.
This is not everything that GDPR requires. But, these are some of the most urgent items that affect eCommerce companies.
Where GDPR is Confusing
As GDPR is new legislation, we simply do not understand everything yet. Some language is explicit, while other language is not. In looking at GDPR, there are a few areas that are unclear. These are topics where we should all proceed with caution.
The Concept of Legitimate Interest
The first area is that of legitimate interest. This is a peculiar concept relating to emailing contacts who have not explicitly opted in to a message. This can be a one-off email, or part of a cold prospecting campaign.
Now, these can all be done, but legitimate interest needs to be established. This means that it has to be proven that the data subject has a legitimate interest in the service being offered.
As this is quite unclear, it might be worth treading with caution, or steering clear of this altogether. Whatever you decide, check with a lawyer and a specialist.
Double Opt-In
There is a lot of confusion around the area of double opt-in. While it doesn’t look like there is explicit language around double opt-in, it is best to seek expert guidance in this area. This applies to gaining double opt-in consent, and it concerns how you deal with your current database and whether it was double opted-in or not.
Again, this is an area where expert and legal advice is probably best suited.
These are just two examples of vague language in GDPR. It is always best to consult an expert and a lawyer with regard to GDPR.
A Few GDPR Privacy Tools
As GDPR shapes our businesses, we are going to need help with the implementation. Managing the privacy of our prospects and customers is not going to be easy. So, it makes sense that we take a look at a few tools to help us out.
A few of the tools we have found that can help are the following.
- Privacy Insights – They can help extensively in the Netherlands.
- OneTrust – A robust GDPR management software.
- Privacy Perfect – A GDPR Compliance Software.
Also, here are some resources with some more extensive analyses of GDPR and privacy tools.
Hopefully these tools can help in ensuring you get your eCommerce business GDPR compliant.
How GDPR Changes our Business
GDPR is no doubt going to shape our business practices, in particular our marketing. It isn’t necessarily all bad either, or at least this is what we are hoping. One of the positives is that we might be able to gain a more engaged audience.
Also, what may result is the actual implementation of Permission Marketing, which, if you are not familiar with the concept, is a marketing theory led by Seth Godin. It was published as a book in the late 1990s, and, as he has famously said, it almost got him thrown out of the Direct Marketing Institute.
Permission Marketing is all about getting permission from our prospects and customers to ask the next question and take the next step in the buying process, which is quite possibly what GDPR is going to force marketers to do.
So, while our acquisition costs might increase at the beginning, we just might get customers that provide us with more permission and more engagement.