E-commerce merchants that collect any online data from people in the European Union (E.U.) need to be compliant with the General Data Protection Regulation (GDPR), a new E.U. privacy regulation that takes effect May 25, 2018.
When it takes effect, GDPR will be one of the most comprehensive privacy laws ever enacted, and it will dramatically change how companies collect, use, transmit and store data on people in the E.U.
May 25 is just around the corner, so let’s look at the intent of the regulation, the risks of not complying, and the steps merchants can take to ensure GDPR compliance.
GDPR replaces the E.U.'s 1995 Data Protection Directive and mandates how companies handle the personal data of people in any E.U. member state. Specifically, it gives consumers the right to access, correct, delete, and restrict the processing of their personal data.
What Is Personal Data?
“Personal data,” when it comes to the GDPR, has a very broad definition: It’s any information a company processes that can be linked to an identifiable individual. That ranges from direct identifiers (Social Security numbers, physical addresses, names, etc.) to data that, on its own, couldn’t identify a specific person but can when combined with other information (IP addresses, behavioral data, ethnic origin, etc.).
GDPR also tightens the rules for consent. Consent is not the only lawful basis for processing (a merchant may, for example, process the data it needs to fulfil an order), but where a company relies on consent, that consent must be explicit: no more prepopulated consent forms, pre-ticked boxes or single-click agreements. Consumers must actively opt in, and they must be able to withdraw consent as easily as they gave it.
A company must also make it clear who’s collecting the data, why it’s being collected, how they will protect that data, and how long they will keep it.
Even more important, companies must now offer consumers a clear way to access their personal data, easily change subscription preferences, and request deletion of their personal data at any time (the right to erasure has limited exceptions, such as data a company is legally required to retain).
Compliance with GDPR isn’t optional, and there’s no grace period for becoming compliant, either. But while retailers may think the cost of complying with GDPR is prohibitive, the penalties for noncompliance are even worse.
Companies that fail to comply with the new regulation face fines that can reach €20 million (nearly $25 million) or 4% of global annual turnover, whichever is greater.
GDPR affects every company that collects or processes the personal data of people in the E.U., regardless of where the company is based, what industry it’s in, or how big it is. A merchant outside the E.U. is covered as soon as it offers goods or services to, or monitors the behavior of, people in the E.U.
To prepare for the May deadline, merchants should implement multiple new GDPR compliance best practices, including:
In the end, GDPR compliance comes down to honesty and transparency. When you’re clear and upfront, compliance becomes simpler. But remember: Every business is different and requires different preparation for GDPR compliance. So consider consulting a lawyer to understand how GDPR will affect your business and what your responsibilities are.
Even if your company isn’t affected by GDPR this May, improving security is always a smart business move. Privacy is a big concern for customers and merchants worldwide, not just those in the European Union, so an increased awareness today of how to secure customer data may give you a competitive advantage tomorrow, as other jurisdictions adopt similar regulations.
While ensuring compliance with GDPR regulations may seem overwhelming, protecting clients against fraud doesn’t have to be. ClearSale is a global pioneer and trusted leader in fraud protection solutions, helping businesses confidently approve more legitimate transactions and safely and securely grow their business.
Contact us today to learn why companies around the world put their trust in ClearSale.