

Is Your Ecommerce Ready for the General Data Protection Regulation (GDPR)?

By: Christopher Rence

Ensure your brand thrives under GDPR

Consumers are increasingly mindful of who is accessing, collecting, receiving, storing and otherwise processing their personal data. In an effort to standardize data protection requirements across Europe and improve trust in the rapidly expanding digital economy, the European Parliament and Council introduced the General Data Protection Regulation (GDPR).

GDPR is effectively changing the way business is conducted around the world, with massive implications for global ecommerce. Are you ready?

Our team of compliance experts has spent the year preparing for GDPR; benefit from our heavy lifting and deep analysis to understand what companies need to do to be compliant. Listen to our on-demand webinar outlining 14 steps to ensure GDPR readiness.

What is GDPR?

Let’s start with a quick overview. GDPR sets strict rules for protecting the personal data of individuals in the EU, regardless of their nationality, and becomes enforceable on May 25, 2018. GDPR gives individuals greater control over their data, and sets out a number of additional safeguards companies need to follow when processing personal data. It applies to all forms of processing, including in the context of marketing, employment, information security, customer service, business-to-business sales, and what we’re most focused on – ecommerce.

Who does GDPR impact?

This new regulation affects nearly every organization that does online business with people in Europe, regardless of where the organization is located. The trigger is not citizenship. Organizations established in the EU are covered for all of their processing, wherever the individual happens to be; organizations outside the EU are covered as soon as they offer goods or services to, or monitor the behaviour of, individuals who are in the EU. If either applies to you, you need systems in place to be GDPR compliant.

A quick note on Brexit – although the UK plans to leave the EU, the exit – scheduled for March 2019 – has not officially taken place. For the time being, the UK is still going to operate under GDPR. This means companies that do online business in the UK must protect the personal data of individuals in the UK within the requirements of GDPR.

How does this impact ecommerce?

By design, processing, transmitting and storing consumer data is central to an ecommerce transaction, so any company selling online to individuals in Europe needs to take steps to ensure it is complying with this regulation. Here are a few initial considerations for your ecommerce team.

(Note: this is not a comprehensive list; in fact, it’s hardly even a “good start” – GDPR is a long, complex regulation and any company who is impacted should read it in its entirety and consult with legal counsel to ensure compliance.)

I recently dove deeper into how to get your ecommerce ready for GDPR in a webinar you can listen to on-demand.

1. Fully understand how you currently process and store consumer data. One of the key purposes of GDPR is to give consumers more control over their data. This includes knowing the purpose for which personal data is processed, being transparent about how long it will be stored, and disclosing when and where it is shared with third parties. Where a company relies on consent as its lawful basis for processing, that consent must be freely given, specific, informed and unambiguous, and expressed through a clear affirmative action by the individual: a pre-ticked box, silence or inactivity does not count as consent.

Without a complete understanding of your company’s current practices – an inventory of what personal data you collect, why, where it is stored, who it is shared with and how long it is kept – it will be impossible to make the changes necessary to comply with the regulation.

2. Develop a process for your customers to communicate with you easily. GDPR makes it easy for consumers to lodge complaints with a supervisory authority against non-compliant organizations, and the expectation is that companies will create similarly simple systems for customers to communicate with them about their data.

This includes giving your online customers a complete view of what they agree to when submitting their personal data – prior to their decision to submit. Per the regulation, these communications must be in a “concise, transparent, intelligible and easily accessible form, using clear and plain language”. This also needs to include an easy way for customers to request a copy of the personal data your company holds about them and a simple way to request its removal; such requests generally have to be answered within one month of receipt.

3. Understand how you would deal with a data breach. Under GDPR, a personal data breach must be reported to the relevant “supervisory authority” without undue delay and, where feasible, within 72 hours of the company becoming aware of it, unless the breach is unlikely to result in a risk to individuals. Where the breach is likely to result in a high risk to individuals, the affected – or likely affected – customers must also be notified “without undue delay”. Being able to detect, scope and communicate a breach this quickly is a big leap for many companies. According to a recent Ponemon Institute report, 69% of the 588 information security and compliance professionals interviewed said their organizations would have trouble meeting GDPR’s time limitations, with some companies reporting it took 2 to 5 months to notify victims after experiencing a global breach.

Take this as an opportunity to have frank conversations with your security, legal and executive teams about your company’s ability to detect and work through a data breach.

Is your company GDPR ready?

Most are not. In that same Ponemon Institute report, only a quarter of respondents said their companies were ready to comply with the new regulation.

A regulation with this level of complexity that impacts as many areas of business as GDPR forces companies to rethink their entire business strategy.

For example, many IT decision makers have concerns about what it will cost to be compliant – 70% expect to increase spending in order to meet data protection requirements and over 30% expect budgets to rise by more than 10% over a two-year period. Companies need to evaluate their business strategies and account for the potentially high cost of complying with regulations in some geographies on their bottom line.

While the costs of compliance may seem high, the risk of non-compliance is much higher. Businesses not fully compliant with GDPR face fines of up to 4% of their annual global turnover or 20 million euros – whichever is greater. On top of the tangible costs of non-compliance, businesses stand to lose the trust of their consumers, including significant damage to the company’s brand and image.

No matter how you spin it, compliance with GDPR is imperative for the continued success of your global business.

Your trusted compliance expert

Digital River prides itself on competing aggressively while holding ourselves to the highest ethical standards, including conduct of our data handling practices. While many businesses are still unaware of the impact the GDPR will have on their business, dedicated teams at Digital River have been preparing to ensure GDPR readiness by May 2018.

Disclaimer: This article is intended for informational purposes only and not for the purposes of providing legal advice as Digital River is not engaged in rendering legal or other professional advice and this article is not a substitute for the advice of an attorney or other expert. If you require legal or other expert advice, you should contact an attorney or other expert to obtain advice with respect to any particular issue. Also, the information is current as of January 2017 and this information could change based on additional interpretation and guidance related to the GDPR. Finally, given the complexity of the GDPR, this article is meant to be a brief overview of the regulation rather than outlining all of its very detailed requirements.