A Guide to GDPR compliance for US eCommerce businesses

The EU General Data Protection Regulation (GDPR) takes effect on May 25, 2018, and will change the way companies can store and track data from any user in the EU region of the world.

For US-based businesses, the GDPR also applies to any company that tracks, collects or stores personal data of EU citizens. In today's globally connected world, businesses must prepare to comply with the rules of different regions.

If you are an eCommerce business based in the US, you are likely already compliant with the PCI DSS (Payment Card Industry Data Security Standard). Now you must also look at the requirements that are a part of the GDPR.

Why is GDPR compliance important to US businesses?

Any company that fails to comply with the GDPR’s requirements may be susceptible to fines of up to £20m ($26M) or 4% of turnover (whichever is greater) in the case of a data breach or failure to report within 72 hours.

Everyone in your organization responsible for regulatory compliance and data processing will need to understand their obligations. The Regulation requires organizations to make an inventory of all the personal data they hold and examine it under the following questions:

  • Why are you holding it?
  • How did you obtain it?
  • Why was it originally gathered?
  • How long will you retain it?
  • How secure is it, both in terms of encryption and accessibility?
  • Do you ever share it with third parties, and on what basis might you do so?

The GDPR states that individuals have a number of rights when it comes to the way organizations collect and hold their data. EU citizens will have the right to request their data be corrected, provided to them, prohibited for specific uses, or removed entirely. It is also vital that these requests be handled promptly.

Standing firmly on legal ground

Most of these rights are similar to those in current data protection laws, but there are changes. It’s important to familiarize yourself with those changes and plan accordingly.

Going forward, when you collect personal data from staff, clients or service users in the EU, you need to inform them of their rights.

Organizations need to prove that they have a legal ground to process data. IT Governance, a global provider of IT governance, risk management and compliance solutions, names five lawful grounds for processing data:

  • A contract with the individual
  • Compliance with a legal obligation
  • Vital interests
  • A public task
  • Legitimate interests

Updating your consent requests

The central aspect of the GDPR is that subscribers must explicitly accept being on your lists and you must clearly explain how you plan to use their data. To gain permission to process the personal data of EU citizens, the GDPR details that you must obtain specific consent from your contacts.

Adding a checkbox that lets subscribers consent to how you will contact them is one way to ensure you are compliant. For additional protection and a stronger guarantee of consent, you may choose to turn on double opt-in.

Adding a legal explanation of your intended use of the personal data is also mandatory. It must also cover your other policies and practices (such as cookie use) and any other processing of the data.

MailChimp, a prominent US-based email marketing platform, also suggests checking that third-party integrations don’t automatically add people to your lists without an opt-in checkbox.
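The consent handling described in this section (an unticked-by-default checkbox, a double opt-in confirmation, and a gate on contacts arriving from third-party integrations) can be made concrete in code. The following is an added example written for this guide, not code from the article, from MailChimp or from any other platform. It assumes a simple in-memory ledger, an HMAC-based confirmation token for the opt-in link, and constructed e-mail addresses and key material; a real deployment would persist the records and send the token by e-mail.

```python
import hashlib
import hmac
from dataclasses import asdict, dataclass
from datetime import datetime, timezone
from typing import Dict, Optional, Tuple


@dataclass
class ConsentRecord:
    """Evidence of consent: who, for which purposes, via which form, when, and under which wording."""
    email: str
    purposes: Tuple[str, ...]            # e.g. ("newsletter",); consent is given per purpose
    source: str                          # the form or integration that captured it
    consent_text_version: str            # version of the wording the subscriber actually saw
    requested_at: str                    # UTC ISO-8601 timestamp of the ticked checkbox
    confirmed_at: Optional[str] = None   # set only after the double opt-in link is used


class ConsentLedger:
    """Stores consent evidence and gates list membership on a completed double opt-in."""

    def __init__(self, secret: bytes) -> None:
        self._secret = secret                     # assumed per-deployment key for the opt-in token
        self._records: Dict[str, ConsentRecord] = {}

    @staticmethod
    def _now() -> str:
        return datetime.now(timezone.utc).isoformat()

    def _token(self, email: str, requested_at: str) -> str:
        # HMAC over the address and request time: the link value cannot be forged or
        # transplanted to another address without the key.
        msg = f"{email}|{requested_at}".encode()
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()

    def request(self, email: str, purposes, source: str,
                checkbox_ticked: bool, consent_text_version: str) -> str:
        # A pre-ticked or absent box is not explicit consent: no record is created at all.
        if not checkbox_ticked:
            raise ValueError("explicit, unticked-by-default consent is required")
        if not purposes:
            raise ValueError("consent must name at least one purpose")
        rec = ConsentRecord(email, tuple(purposes), source, consent_text_version, self._now())
        self._records[email] = rec
        return self._token(email, rec.requested_at)   # embed this in the confirmation e-mail link

    def confirm(self, email: str, token: str) -> bool:
        rec = self._records.get(email)
        if rec is None:
            return False
        expected = self._token(email, rec.requested_at)
        if not hmac.compare_digest(token, expected):  # constant-time comparison
            return False
        rec.confirmed_at = self._now()
        return True

    def is_subscribed(self, email: str) -> bool:
        # Only a confirmed record puts someone on the list.
        rec = self._records.get(email)
        return rec is not None and rec.confirmed_at is not None

    def add_from_integration(self, contact: dict, integration: str) -> Optional[str]:
        # A third-party integration gets a contact onto the list only if it hands over the
        # same consent evidence a signup form would; anything else is dropped silently.
        if (contact.get("consent_checkbox") is not True
                or not contact.get("consent_text_version")
                or not contact.get("purposes")):
            return None
        return self.request(contact["email"], contact["purposes"], integration,
                            True, contact["consent_text_version"])

    def evidence(self, email: str) -> Optional[dict]:
        # What you would show a regulator, or the individual asking what you hold about them.
        rec = self._records.get(email)
        return None if rec is None else asdict(rec)


def demo() -> dict:
    """Walk one subscriber through the flow; all values are constructed for the example."""
    ledger = ConsentLedger(b"constructed-demo-key")
    token = ledger.request("alice@example.com", ("newsletter",), "checkout-form", True, "privacy-v3")
    pending = ledger.is_subscribed("alice@example.com")        # False until the link is used
    bad_link = ledger.confirm("alice@example.com", "0" * 64)    # garbled or forged token
    good_link = ledger.confirm("alice@example.com", token)
    silent_import = ledger.add_from_integration({"email": "bob@example.com"}, "crm-sync")
    return {"pending": pending, "bad_link": bad_link, "good_link": good_link,
            "subscribed": ledger.is_subscribed("alice@example.com"),
            "silent_import_accepted": silent_import is not None,
            "evidence": ledger.evidence("alice@example.com")}


if __name__ == "__main__":
    print(demo())
```

The record keeps the consent text version and the capturing source alongside the timestamps, because being able to show what a subscriber agreed to, and where, is what makes the consent demonstrable later.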

Be aware of age limits

The GDPR states that children cannot give legal consent as they ‘may be less aware of the risks, consequences and safeguards’ of sharing data. For this reason, data controllers must know the age of consent in each EU country they serve. This may be especially important for eCommerce sites selling youth-oriented products.

Plan for data breaches and reporting

One of the most significant challenges that the GDPR presents to organizations is its data breach notification requirements. Data breaches are unfortunately a reality in the current landscape, so companies must be prepared.

If a data breach does occur, the company must report it to the relevant authority within 72 hours of discovery and provide as much detail as possible.

Manage your US business by GDPR compliance standards

Although you may not deal with EU-based customers today, this may change in the future. As your business expands, it is essential to be aware of changes in GDPR compliance.

For further reading on this topic, you can visit GDPR Checklist, a project created to help businesses navigate the new GDPR landscape.

Brandastic is a digital marketing agency located in Orange County California. We work with companies in Irvine, Costa Mesa, Newport Beach and all the surrounding cities to enhance their branding and customer reach. Talk to us today about stepping up your online marketing game.
