GDPR – what ecommerce needs to know

If you’re in the marketing industry, you’ll no doubt have heard about the EU’s incoming General Data Protection Regulation (GDPR). It was officially adopted by the European Union in April 2016, and it is finally about to apply. The sky isn’t falling, but it’s still important to stay up to date, especially when we consider that only 15% of Australian marketers are compliant with these new laws.

So what is GDPR? What will it mean for your ecommerce business?  

GDPR is a new regulation that governs the way companies and organisations are allowed to collect and use personal data. At 88 pages and roughly 50,000 words, it’s a behemoth. But don’t let its length worry you too much. At its core, it’s quite simple: the main goal is to give people more control over their personal information, and to make organisations transparent about how they handle it.

When we say data, we mean all personal data, and GDPR doesn’t discriminate: photos, social media posts, IP addresses and other online identifiers, bank details, the list goes on. If you collect anything that could identify a person, you now need a lawful basis for doing so (consent is one, but fulfilling an order the customer placed is another), you must keep it secure, and you may only use it for the purposes you told the customer about.

You can read the official European Parliament’s press release here.  

Because the law protects individuals in the EU rather than companies based there, it has global reach. Even if your operation is based in Australia, if you sell to customers in Europe or track the behaviour of visitors there, this applies to you. You may need to make a few changes before 25 May 2018, when the regulation starts to apply.

We’ve put together a quick brief on the new laws to give you an overview of what, if any, of your processes will need to change. Here’s our rundown of the most important information for digital marketers:

What does GDPR mean for marketers?

Okay let’s start with some of the key privacy requirements.

Because these regulations aim to put customers in control of all their data, we’re going to need to be a lot more open about what we have, why we have it, and how we use it. For most businesses, this shouldn’t be too much of an issue.

Here’s a few of the most important requirements:

  • You’ll need a lawful basis for every way you process personal data. For marketing email that usually means consent; for delivering an order the customer placed, performing the contract is enough, but you still have to tell people what you do with their data
  • Personal data must be protected by appropriate technical and organisational measures; GDPR names pseudonymisation and encryption specifically. Genuinely anonymised data falls outside the regulation, but hashing an email address does not get you there
  • Your supervisory authority must be told of a breach within 72 hours, and affected customers must be told without undue delay where the breach is likely to put them at high risk
  • Some organisations must appoint a data protection officer (public bodies, and those whose core activities involve large-scale regular and systematic monitoring of people, or large-scale processing of sensitive data); others may choose to

More so, you’ll need to document the following in an internal record of processing activities, and explain the essentials to customers in your privacy notice, so they know what is going on behind the scenes:

  • What personal data you hold
  • Where and when you obtained it
  • How often you update it
  • All of the places it is stored within your organization
  • How the data flows from one place to another, and who (if anyone) you share it with
  • Who has access to the data throughout its journey
  • How it is secured wherever it is stored (access control, encryption, pseudonymisation)
  • Your retention period for each category of data, and what happens to it when that period ends
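The “anonymised” point above deserves a caveat and a short worked example. Hashing an email address with plain SHA-256 is not anonymisation and barely counts as pseudonymisation: anyone holding a list of candidate addresses can recompute the hashes and link the rows back. GDPR’s own definition of pseudonymisation (Article 4(5)) requires that the additional information needed to re-link the data is kept separately, which in practice means a secret key. The Python script below is an added example, not code from the original post or from any platform it names; the customer records and the attacker’s candidate list are constructed, and the key handling is an assumption (a real deployment would keep the HMAC key in a secrets store, outside the analytics environment).

```python
import hashlib
import hmac
import secrets

# Constructed sample customer records; not real people.
CUSTOMERS = [
    {"id": 1001, "email": "Alice@example.com", "country": "DE", "orders": 3},
    {"id": 1002, "email": "bob@example.org", "country": "FR", "orders": 1},
]


def naive_token(email: str) -> str:
    """Unkeyed SHA-256 of a normalised email address.

    Looks opaque, but is not pseudonymisation in any useful sense:
    anyone holding a list of candidate addresses (a marketing list, an
    old breach dump) can recompute the hash and link rows back.
    """
    return hashlib.sha256(email.strip().lower().encode()).hexdigest()


def keyed_token(email: str, key: bytes) -> str:
    """HMAC-SHA256 of the normalised address under a secret key.

    The key is the 'additional information' Article 4(5) says must be
    kept separately: without it the token cannot be linked back.
    """
    return hmac.new(key, email.strip().lower().encode(), hashlib.sha256).hexdigest()


def pseudonymise(records: list[dict], key: bytes) -> list[dict]:
    """Return analytics-safe rows with direct identifiers replaced by
    keyed tokens. Only the fields the analysis needs are carried over
    (data minimisation); id and email are dropped entirely."""
    return [
        {"token": keyed_token(r["email"], key),
         "country": r["country"],
         "orders": r["orders"]}
        for r in records
    ]


def reidentify_by_dictionary(tokens: list[str], candidates: list[str], token_fn) -> dict:
    """Simulate an attacker who holds the exported tokens and a list of
    candidate addresses, but not the HMAC key. Returns {token: email}
    for every row they manage to link."""
    lookup = {token_fn(e): e for e in candidates}
    return {t: lookup[t] for t in tokens if t in lookup}


def demo() -> tuple[int, int]:
    """Count how many rows of each export an attacker can re-identify.
    Returns (hits against unkeyed export, hits against keyed export)."""
    # Assumption: in production this key comes from a KMS or secrets store,
    # never from the same system that holds the export.
    key = secrets.token_bytes(32)
    candidates = ["alice@example.com", "bob@example.org", "carol@example.net"]

    unkeyed_export = [naive_token(r["email"]) for r in CUSTOMERS]
    keyed_export = [row["token"] for row in pseudonymise(CUSTOMERS, key)]

    # Without the key, the attacker can only compute unkeyed hashes.
    hits_unkeyed = reidentify_by_dictionary(unkeyed_export, candidates, naive_token)
    hits_keyed = reidentify_by_dictionary(keyed_export, candidates, naive_token)
    return len(hits_unkeyed), len(hits_keyed)


if __name__ == "__main__":
    print("re-identified rows (unkeyed, keyed):", demo())  # (2, 0)
```

Run it and every row of the unkeyed export is linked back to a name, while none of the keyed export is. Two design points follow: the key must live outside the dataset and the team that analyses it, and because the token is deterministic per key, the same customer can still be counted across orders without their address ever leaving your primary store.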

Who is liable?

GDPR is equal parts about keeping your customers informed, and keeping their data safe. You might be thinking; “But all our data is in the cloud?” And you’d be right.

That’s why GDPR puts direct obligations and liability on both ‘data controllers’ (the organisation that decides why and how personal data is processed, i.e. your ecommerce business) and ‘data processors’ (third parties that process it on your behalf, e.g. Shopify or Klaviyo).

Knowing that you share liability with your software providers might sound reassuring, but it also puts another responsibility on your business. You may only use processors that provide sufficient guarantees that they meet the regulation, and you need a written data processing agreement with each of them. If your ecommerce or marketing platform can’t demonstrate compliance, choosing it is a compliance failure on your side too. That makes it more important than ever to ensure the services you do business with are up to standard.

Secondly, a large part of the regulation deals with reporting data breaches, and the timelines are tight: a processor must tell you about a breach without undue delay, you must notify your supervisory authority within 72 hours of becoming aware of it, and affected customers must be told where the breach is likely to put them at high risk. You’ll want to make sure every software provider your business works with keeps its data safe, has a breach-notification clause in its contract with you, and is ready to act fast should anything happen.

If you haven’t already, it might be worthwhile considering moving to a new platform. Get in touch with us for a run through of some of the better options on the market for your business.

All this might seem at first like an enormous spanner to have thrown in your digital marketing clockwork. You’ve probably spent years – not to mention thousands of dollars – building up a customer database. So where’s the silver lining?

We like to keep things positive when possible, so it’s worth pointing out this is also a huge opportunity for building trust with your audience.

GDPR and building trust with your customers

We can all get a little creeped out by how much companies know about us these days. Extremely relevant ads have even convinced some that Google is monitoring their microphones, or Facebook is watching them shop.

The reality is that we have largely provided all the data these companies need to work their magic willingly. But often, we don’t know the extent of how much we’ve given up.

Now that these new regulations are in place, companies will (legally) need to be completely transparent about how they use customer data. This has many worried that consumers will flock to erase their profiles, or start suing like mad at every possible opportunity.

Time will tell if this is the case for invasive services (like certain social media websites) – but perhaps this new transparency could actually be a good opportunity for ecommerce?

Marketers do a lot to ensure their materials are as relevant as possible. In the past, this was all behind the scenes magic – but now that the curtain is about to be pulled away, maybe we can turn this into a positive? Letting your customers know you’re trying to offer them a personalised, highly-relevant service can’t be a bad thing when they’re online shopping.  

Here’s a few tips:

  • When asking for any information, explain exactly why you need it, with a real focus on the benefits for the customer. And remember to keep this in your brand’s existing voice and tone! You don’t need to revert to legalese!

  • Don’t ask for more information than you need. Companies that hoard vast troves of data often look suspicious, and don’t seem to most to have their customers’ best interests at heart.

  • Take the opportunity to be transparent. Openness and honesty are traits that work for any and every brand. Unless you’re up to some serious machiavellian marketing schemes, you shouldn’t have anything to worry about!

  • If it’s relevant, take the opportunity to explain your security measures, and be precise about them. Don’t tell customers their data is “anonymised” when it is merely pseudonymised or encrypted: anonymised data falls outside GDPR, but pseudonymised or encrypted data is still personal data and still subject to every right and duty described here.

Further reading –  relevant GDPR articles:

If you’d like to read some of these articles for yourself, you can find the full text here.

For those of you who don’t quite have the time for 50,000 words of European techno-babble, we’ve summarised and linked to some of the most relevant articles below:  

  • 17 and 20, “Right to erasure” and “Right to data portability”: customers can ask any organisation holding data on them to erase it, and you must comply free of charge unless a specific exception applies (for example, records you are legally required to keep, such as invoices for tax purposes). Customers can also demand a copy of the data they provided to you in a structured, commonly used, machine-readable format (CSV or JSON is fine), and, under Article 15 (the right of access), a report of everything you hold about them.

  • 25, 30 and 32, data protection by design and by default; Record of Processing Activities (RoPA); security of processing: you must put in place technical and organisational measures appropriate to the risk, taking into account the state of the art and the cost of implementation. Article 32 specifically mentions pseudonymisation, encryption, the ability to restore availability after an incident, and regular testing of those measures. You must also maintain a written record of all your processing activities; the exemption for organisations under 250 employees does not apply where processing is more than occasional, which rules out almost every online store.

  • 33, 34 and 35, breach notification; incident response plan: in the case of a personal data breach you must notify your supervisory authority within 72 hours of becoming aware of it (Article 33), and tell affected customers without undue delay where the breach is likely to result in a high risk to them (Article 34). You must also keep an internal register of every breach, including ones you decided not to report. A “Data Protection Impact Assessment” (Article 35) is a separate requirement: it must be carried out before starting any processing that is likely to be high risk, such as large-scale profiling.

  • 37, appoint a Data Protection Officer: you must appoint a DPO if you are a public authority, if your core activities involve regular and systematic monitoring of people on a large scale, or if you process special categories of data (health, religion and so on) on a large scale. Whether you run your own servers or use the cloud makes no difference. The DPO advises on and monitors compliance and must be able to do so independently; accountability for breaches and violations stays with the business itself.

  • 82, right to compensation and liability: anyone who suffers material or non-material damage from an infringement can claim compensation from the controller or processor responsible. This is on top of any administrative fine the supervisory authority imposes.

Remember: if your business offers goods or services to people in the EU, or monitors their behaviour there, regardless of your location, you’re subject to the regulation.

If you have customers in the EU, we are more than happy to assist you with new, compliant strategies to ensure your business avoids any ills, and makes the most out of this opportunity! Get in touch before May 25!

Hi, I’m Jackson; Andzen's Digital Content Producer. I write copy for our client businesses - whether it be email campaigns, blog posts, social media posts or something new. It's my job to write stuff that converts, boosts engagement and pushes brands to new heights. In my spare time, I enjoy piano, reading books, and writing short stories.
