A Guide to GDPR compliance for US eCommerce businesses
The EU General Data Protection Regulation (GDPR) applies from May 25, 2018, and changes how companies may collect, store and track the personal data of anyone located in the EU.
For US-based businesses, the point to grasp is that the GDPR applies to any organization that tracks, collects or stores personal data of people in the EU, regardless of where the business itself is located, and that it covers data subjects in the EU rather than only EU citizens. In a globally connected market, businesses must be ready to meet the rules of every region they sell into.
If you are an eCommerce business based in the US, you are likely already compliant with the PCI DSS (Payment Card Industry Data Security Standard). Now you must also look at the requirements that are a part of the GDPR.
Why is GDPR compliance important to US businesses?
Any company that fails to comply with the GDPR's requirements may face fines of up to €20 million or 4% of annual worldwide turnover, whichever is greater, for the most serious infringements. Failing to notify the supervisory authority of a personal data breach within 72 hours is itself a sanctionable infringement.
Everyone in your organization responsible for regulatory compliance and data processing will need to understand their obligations. The Regulation requires organizations to make an inventory of all the personal data they hold and examine it under the following questions:
- Why are you holding it?
- How did you obtain it?
- Why was it originally gathered?
- How long will you retain it?
- How is it secured, both at rest and in transit, and who can access it?
- Do you ever share it with third parties, and on what basis might you do so?
The GDPR gives individuals a number of rights over the way organizations collect and hold their data. People in the EU have the right to have their data corrected (rectification), provided to them (access and portability), restricted from specific uses (restriction and objection), or erased entirely. These requests must be handled promptly, normally within one month of receipt.
Standing firmly on legal ground
Most of these rights are similar to those in current data protection laws, but there are changes. It’s important to familiarise yourself with those changes and plan accordingly.
Going forward, whenever you collect personal data from staff, clients or service users in the EU, you must tell them what you collect, why, and what rights they have.
Organizations must be able to show a lawful basis for every processing activity. IT Governance, a global provider of IT governance, risk management and compliance solutions, lists five lawful bases besides consent (which is covered in the next section):
- A contract with the individual
- Compliance with a legal obligation
- Vital interests
- A public task
- Legitimate interests
Updating your consent requests
Where you rely on consent, it must be freely given, specific, informed and unambiguous: subscribers must actively opt in to your lists, and you must explain clearly how you intend to use their data. Silence, pre-ticked boxes or inactivity do not count as consent, and you must be able to demonstrate afterwards that consent was given.
Adding an unticked checkbox that subscribers must tick themselves, stating what they are consenting to, is one way to comply. For stronger evidence of consent (and proof that the address belongs to the person who gave it), you may choose to turn on double opt-in, which sends a confirmation link that must be clicked before the address is added to the list.
You must also state, at the point of collection, what you intend to use the personal data for, and link to your other relevant policies and practices, such as cookie use, and any other processing you carry out. Keep a record of when, how and with what wording each consent was obtained, because that record is your evidence.
MailChimp, a prominent US-based email marketing platform, also suggests checking that third-party integrations (checkout plugins, CRM syncs and the like) do not add people to your lists automatically without an opt-in checkbox.
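To make the consent mechanics above concrete, here is an added example, written for this page rather than taken from the article or from MailChimp, of a double opt-in consent ledger in Python: an unticked box is refused, ticking the box only creates a pending record, an HMAC-signed and time-limited confirmation link activates it, withdrawing is as simple as signing up, and every send is gated on a confirmed consent for the specific purpose, so an integration that inserts addresses behind the ledger's back never gets mailed. The record structure, the 48-hour link lifetime, the signing key and the sample addresses are all assumptions for illustration.

```python
# Added example (not from the article or MailChimp); names, key and TTL are assumed.
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

SECRET_KEY = b"example-only: replace with a random 32-byte secret"  # assumed
TOKEN_TTL_SECONDS = 48 * 3600  # assumed: confirmation links expire after 48 hours


@dataclass
class ConsentRecord:
    email: str
    purposes: Tuple[str, ...]      # what was agreed to, e.g. ("newsletter",)
    text_version: str              # which wording / privacy notice was shown
    source: str                    # which form or integration collected it
    requested_at: int              # unix time the box was ticked
    pending_nonce: Optional[str]   # nonce of the outstanding confirmation link
    confirmed_at: Optional[int] = None   # unix time the emailed link was clicked
    withdrawn_at: Optional[int] = None   # unix time of unsubscribe / erasure

    @property
    def active(self) -> bool:
        return self.confirmed_at is not None and self.withdrawn_at is None


class ConsentLedger:
    """Ticking the box only creates a pending record; the emailed link activates it."""

    def __init__(self, secret: bytes = SECRET_KEY, clock=time.time):
        self._secret, self._clock = secret, clock
        self._records: Dict[str, ConsentRecord] = {}  # a real ledger would append history

    def _sign(self, email: str, issued_at: int, nonce: str) -> str:
        msg = f"{email}|{issued_at}|{nonce}".encode()
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()

    def request(self, email, purposes, text_version, source, box_ticked) -> str:
        """Step 1: refuse unticked boxes, store the request, return the token to email out."""
        if not box_ticked:
            raise ValueError("no consent: an unticked or pre-ticked box is not consent")
        if email in self._records and self._records[email].active:
            return ""  # already confirmed; leave the existing audit record untouched
        now, nonce = int(self._clock()), secrets.token_urlsafe(16)
        self._records[email] = ConsentRecord(email, tuple(purposes), text_version, source, now, nonce)
        return f"{email}|{now}|{nonce}|{self._sign(email, now, nonce)}"

    def confirm(self, token: str) -> bool:
        """Step 2: validate the token carried by the confirmation link, then activate."""
        try:
            email, issued_str, nonce, sig = token.split("|")
            issued_at = int(issued_str)
        except ValueError:
            return False  # malformed link
        if not hmac.compare_digest(self._sign(email, issued_at, nonce), sig):
            return False  # forged or tampered link
        now = int(self._clock())
        if now - issued_at > TOKEN_TTL_SECONDS:
            return False  # stale link
        rec = self._records.get(email)
        if rec is None or rec.pending_nonce != nonce:
            return False  # no matching outstanding request, or link already used
        rec.confirmed_at, rec.pending_nonce = now, None
        return True

    def withdraw(self, email: str) -> bool:
        """Unsubscribe or erasure request: withdrawing must be as easy as giving consent."""
        rec = self._records.get(email)
        if rec is None or rec.withdrawn_at is not None:
            return False
        rec.withdrawn_at = int(self._clock())
        return True

    def may_email(self, email: str, purpose: str) -> bool:
        """Gate every send on a confirmed, unwithdrawn consent that covers this purpose."""
        rec = self._records.get(email)
        return rec is not None and rec.active and purpose in rec.purposes


def demo() -> dict:
    """Walk the flow with a controllable clock; returns the checks a test can assert on."""
    t = [1_700_000_000]
    ledger = ConsentLedger(clock=lambda: t[0])
    email = "shopper@example.com"  # constructed sample subscriber
    token = ledger.request(email, ["newsletter"], "privacy-notice-v3", "checkout-form", True)
    out = {"before_confirm": ledger.may_email(email, "newsletter")}
    out["tampered_rejected"] = not ledger.confirm(token.replace("shopper", "victim"))
    t[0] += 3600  # link clicked an hour later
    out["confirmed"] = ledger.confirm(token)
    out["after_confirm"] = ledger.may_email(email, "newsletter")
    out["other_purpose"] = ledger.may_email(email, "partner_offers")
    out["replay_rejected"] = not ledger.confirm(token)
    # An integration that bypasses request()/confirm() leaves no record, so it is never mailed.
    out["unconsented_import"] = ledger.may_email("imported@example.com", "newsletter")
    out["withdrawn"] = ledger.withdraw(email)
    out["after_withdraw"] = ledger.may_email(email, "newsletter")
    stale = ledger.request(email, ["newsletter"], "privacy-notice-v3", "footer-form", True)
    t[0] += TOKEN_TTL_SECONDS + 1  # link clicked after it expired
    out["expired_rejected"] = not ledger.confirm(stale)
    return out
```

In a real deployment keep the full history per address instead of overwriting the record, store it in the same durable store as the list itself so the evidence survives a platform migration, and version the exact consent wording, because the record only serves as evidence if you can show what the subscriber actually read and ticked.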
Be aware of age limits
The GDPR treats children as needing special protection because they 'may be less aware of the risks, consequences and safeguards' of sharing data. For online services offered directly to a child, it treats the child's own consent as valid only from age 16, but lets member states lower that threshold to as low as 13, so data controllers need to know the applicable age of digital consent in each EU country they sell into and obtain parental consent below it. This may be especially important for ecommerce sites selling youth-oriented products.
Plan for data breaches and reporting
One of the most significant challenges that the GDPR presents to organizations is its data breach notification requirement. Data breaches are a reality for every company in the current landscape, so preparation is essential.
If a personal data breach occurs, the controller must notify the relevant supervisory authority within 72 hours of becoming aware of it (unless the breach is unlikely to result in a risk to individuals), describing the nature of the breach, its likely consequences, and the measures taken or proposed to address it. Where the risk to individuals is high, they must be informed as well. That clock only runs if you can detect and triage incidents quickly, so logging, monitoring and a rehearsed incident response plan are prerequisites, not afterthoughts.
Manage your US business by GDPR compliance standards
Although you may not deal with EU-based customers today, this may change in the future. As your business expands, it is essential to be aware of what GDPR compliance requires.
For further reading on this topic, you can visit GDPR Checklist which is a project created to help businesses navigate the new GDPR landscape.