
What You Need to Know About the GDPR for ecommerce

Posted by Origins Ecommerce - May 23, 2018

In April 2016, the European Union adopted the General Data Protection Regulation (GDPR), Regulation (EU) 2016/679. It entered into force in May 2016 with a two-year transition period and becomes enforceable on May 25, 2018. The regulation strengthens and unifies data protection for individuals across all 28 EU member states, replacing a patchwork of national laws with a single set of rules. The GDPR governs the collection, storage and processing of all "personal data," defined as any information relating to an identified or identifiable natural person, whether collected online or offline. That broad definition covers everything from credit card details to IP addresses, device identifiers, order histories and social media posts. Ecommerce businesses are no exception.

 

I’m not based in Europe. Do I have to comply with the GDPR?

This might be surprising, but the answer is yes.

The GDPR protects individuals who are in the EU, regardless of where the organization that controls or processes their data is located. For a business outside the EU it applies whenever you offer goods or services to people in the EU, whether or not payment is involved, or monitor their behaviour there (Article 3(2)). So if you sell to EU customers, collect their email addresses, or track their on-site behaviour with analytics or advertising cookies, you are expected to comply.

The penalties for non-compliance are steep. The GDPR raises the maximum fine to €20 million or 4% of worldwide annual turnover for the preceding financial year, whichever is higher. Companies not yet in compliance have until May 25, 2018, when the regulation becomes enforceable, to make the necessary changes.

 

Why is the EU doing this?

Europe has historically been a global leader with respect to privacy and protecting the personal data of consumers. In 1995, the EU issued its landmark Data Protection Directive (Directive 95/46/EC), the first EU-wide data protection framework. The BBC hailed the directive as the "gold standard" of privacy protection, comparing it favorably against the "patchwork laws in the US and some other countries".

But that was more than two decades ago. Given the rapid pace of technological change, the Directive was badly in need of an update, and because a directive has to be transposed into each member state's own law, its rules had diverged from country to country. In addition, the EU has committed to extending the idea of a "single European market" into the digital space. By passing the GDPR as a regulation, which applies directly in every member state, the EU has taken a step towards a common set of online business standards across the bloc.

 

What do I need to do?

The GDPR is a weighty document, clocking in at 99 articles over 88 pages. But the general mandate is simple: give consumers firm ownership and control of their personal data.

Here are the most important points for ecommerce businesses:

Clear Consent for Data Collection

The GDPR sets a higher standard for consent than the 1995 Directive: consent must be freely given, specific, informed and unambiguous (Article 4(11)). In practice, consent mechanisms have to be:

  • Unbundled: Consent for non-essential processing must not be a condition of signing up for a service unless that processing is genuinely necessary to deliver the service (Article 7(4)).
  • Active Opt-in: Pre-ticked boxes, silence and inactivity do not count as consent; the customer has to take a clear affirmative action (Recital 32).
  • Granular: Offer separate consent for separate purposes where appropriate, for example email offers versus sharing data with advertising partners.
  • Named: Name your own organization and each third party that will rely on the consent; precisely defined categories of third parties are not enough on their own.
  • Documented: Keep records that let you demonstrate what each customer consented to, including what they were told, when, and how they consented (Article 7(1)).

For many, this will be the most visible change mandated by the GDPR. While a few companies have already adopted these standards, most will have to make major adjustments to their existing data collection practices.

Ease of Withdrawal, Transfer and Deletion

The GDPR gives individuals a set of enforceable rights over their personal data, and exercising those rights has to be easy.

First, customers must be able to correct their personal data (Article 16) and to withdraw consent, for marketing or anything else, at any time. Withdrawing consent must be as easy as giving it (Article 7(3)), and you have to tell customers about the right to withdraw, and how to do so, before they consent.

Second, customers have the right to receive the data they provided to you in a structured, commonly used, machine-readable format, and to have it transmitted directly to another vendor where technically feasible (Article 20). Since many online businesses have traditionally seen customer data as a proprietary asset, this can require a shift in mindset, and many may not even have an export function for customers to use. This has to change with the GDPR: no more walled data gardens.

Third, customers can ask for their account and personal information to be erased (Article 17). You must act on such a request without undue delay and in any case within one month (Article 12(3)), and the request should not depend on a drawn-out exchange with customer support. The right is not absolute: records you are legally obliged to keep, such as invoices retained under tax law, stay, but they should be reduced to what that obligation needs and kept out of marketing and profiling systems.
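To make the consent rules above and the three rights concrete, here is an added example in Python. It is not part of the original post and not Origins Ecommerce code. It sketches an append-only consent ledger for one customer: per-purpose opt-in with nothing pre-ticked, a hash of the exact notice text and the named recipients stored with every grant, withdrawal as a single call, a machine-readable export, and an erasure routine that keeps only invoice records still inside a retention period. The purpose names, the ten-year retention period, the notice wording and the sample form submission are constructed assumptions for the demo, not values taken from the regulation.

```python
# Consent ledger sketch: an added example, not code from the original post.
from dataclasses import dataclass, asdict
from datetime import datetime, timedelta, timezone
import hashlib
import json

# Hypothetical purposes a shop might ask consent for. Each is unbundled;
# fulfilling an order rests on the contract, so it is never a checkbox here.
CONSENT_PURPOSES = ("marketing_email", "personalised_ads", "share_with_partners")

# Assumed invoice retention period; the real figure comes from tax law, not the GDPR.
INVOICE_RETENTION = timedelta(days=365 * 10)


@dataclass(frozen=True)
class ConsentEvent:
    purpose: str
    granted: bool            # True = opt-in, False = withdrawal
    at: datetime
    notice_sha256: str       # hash of the exact wording the customer saw
    named_recipients: tuple  # organisations named in that wording
    method: str              # how it was captured, e.g. "checkout_form"


class ConsentLedger:
    """Append-only, per-purpose consent record for one customer."""

    def __init__(self, customer_id):
        self.customer_id = customer_id
        self.events = []

    def grant(self, purpose, notice_text, named_recipients, method, at):
        if purpose not in CONSENT_PURPOSES:
            raise ValueError(f"unknown purpose {purpose!r}")
        if not named_recipients:
            raise ValueError("consent must name who will rely on the data")
        digest = hashlib.sha256(notice_text.encode("utf-8")).hexdigest()
        self.events.append(ConsentEvent(purpose, True, at, digest,
                                        tuple(named_recipients), method))

    def withdraw(self, purpose, method, at):
        # No notice text needed: withdrawing is as easy as granting.
        self.events.append(ConsentEvent(purpose, False, at, "", (), method))

    def is_granted(self, purpose):
        # Nothing is pre-ticked: no event for a purpose means no consent.
        history = [e for e in self.events if e.purpose == purpose]
        return history[-1].granted if history else False


def consent_from_form(ledger, form, notice_text, recipients, at):
    """Read opt-ins from a submitted form. Only an explicit "on" grants;
    missing or blank fields mean no consent, so there are no defaults."""
    for purpose in CONSENT_PURPOSES:
        if form.get(purpose) == "on":
            ledger.grant(purpose, notice_text, recipients, "checkout_form", at)
    return {p: ledger.is_granted(p) for p in CONSENT_PURPOSES}


def export_portable_data(profile, orders, ledger):
    """Machine-readable export of what the customer gave us (portability)."""
    return json.dumps({"profile": profile, "orders": orders,
                       "consents": [asdict(e) for e in ledger.events]},
                      default=str, indent=2)


def erase_customer(profile, orders, ledger, now):
    """Erase the account, keeping only invoice records still inside the
    retention period and stripping them to what the tax record needs."""
    for purpose in CONSENT_PURPOSES:
        if ledger.is_granted(purpose):
            ledger.withdraw(purpose, "account_deletion", now)
    retained = [{"order_id": o["order_id"], "total": o["total"], "date": o["date"]}
                for o in orders if now - o["date"] < INVOICE_RETENTION]
    profile.clear()
    orders.clear()
    return retained


def demo():
    """Constructed scenario: one opt-in, a withdrawal, an export, an erasure."""
    t0 = datetime(2018, 5, 25, tzinfo=timezone.utc)
    ledger = ConsentLedger("cust-42")
    notice = "We will email you offers. Sent on our behalf by ExampleMailer Ltd."
    state = consent_from_form(ledger, {"marketing_email": "on", "personalised_ads": ""},
                              notice, ["Example Shop", "ExampleMailer Ltd"], t0)
    ledger.withdraw("marketing_email", "unsubscribe_link", t0 + timedelta(days=3))
    profile = {"name": "A. Customer", "email": "a@example.invalid"}
    orders = [{"order_id": 1001, "total": 49.90, "date": t0 - timedelta(days=400)},
              {"order_id": 900, "total": 12.00, "date": t0 - timedelta(days=365 * 11)}]
    exported = json.loads(export_portable_data(profile, orders, ledger))
    retained = erase_customer(profile, orders, ledger, t0 + timedelta(days=10))
    return {"after_form": state,
            "after_withdrawal": ledger.is_granted("marketing_email"),
            "exported_orders": len(exported["orders"]),
            "retained_order_ids": [o["order_id"] for o in retained],
            "profile_left": dict(profile),
            "events": len(ledger.events)}
```

The ledger is append-only on purpose: when a regulator asks what a customer agreed to, you can show the grant, the hash of the wording it was given against, and the later withdrawal, rather than a single boolean that has been overwritten. Erasure records a withdrawal for every live consent before clearing the profile, so downstream marketing systems that poll `is_granted` stop immediately, while the stripped invoice rows survive only for as long as the assumed retention period says they must.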

Stronger Data Accountability

The GDPR takes data security very seriously.

At a high level, the regulation requires controllers and processors to implement "appropriate" technical and organisational measures for all personal data, weighed against the state of the art, the cost of implementation and the risk to the individuals concerned (Article 32). It names pseudonymisation and encryption as examples but prescribes no fixed checklist, which gives regulators broad scope to evaluate security practices case by case.

At the same time, the GDPR also includes more specific obligations. Organisations whose core activities involve large-scale, regular and systematic monitoring of individuals, or large-scale processing of special categories of data, must appoint a Data Protection Officer (Article 37); the test is the nature of the processing, not company size. The DPO advises on compliance and is the contact point for the supervisory authority, but breach notification remains the controller's own duty: a personal data breach must be reported to the supervisory authority within 72 hours of becoming aware of it unless it is unlikely to result in a risk to individuals (Article 33), and communicated to the affected customers without undue delay when it is likely to result in a high risk to them (Article 34). Every breach, reported or not, has to be documented, so a clear, written breach-response procedure is a practical necessity.

 

Hosted Solutions Make GDPR Compliance Easier

As a comprehensive data privacy framework, GDPR can be very complicated. On the bright side, it’s likely that you won’t have to implement all these changes on your own. If you’re like most independent online businesses, you’re already using a number of hosted tools and services that will do a lot of the heavy lifting for you.

For instance, Google has published its plan to comply with the GDPR. If you use Google services such as Analytics, AdWords or Gmail, the vendor side of those services is being updated for May 2018. You remain the controller of the data you send them, though, so you still need a data processing agreement with the vendor in place (Article 28) and have to configure the services appropriately for your own use.

Similarly, Facebook has announced that it has "assembled the largest cross-functional team in the history of the Facebook family of companies" to work on GDPR compliance. Specifically, "Facebook Ireland's data protection team will be growing by 250 per cent this year in order to support the GDPR".

This is great news for ecommerce businesses who depend heavily on these staple web services, as it means some important compliance changes are already being made for them.

However, many of these same businesses also rely on self-hosted solutions for their websites, which leaves them with a serious regulatory burden. They will have to conduct thorough security testing and establish processes for end-to-end data protection. Then, once those processes are in place, they will need to be audited on a regular basis to maintain compliance.

Companies that want to reduce those burdens should consider moving to a fully hosted ecommerce solution. Because these are end-to-end platforms, much of the technical security work, such as hosting, patching and infrastructure monitoring, is handled by your provider, allowing you to focus on growing your business. Outsourcing the work does not outsource accountability, though: as the controller you remain responsible for your customers' data, so choose a provider that offers a GDPR data processing agreement and can document its security measures.

 

What Now?

If you haven’t already, you should start reviewing your data privacy policies and security practices. GDPR is more than just another set of regulations. It marks a major rethinking of data issues for ecommerce and other online businesses. If you're planning on growing, don't forget to read our Definitive Guide to Global Growth.

While compliance can seem like a lot of trouble now, it also suggests an important opportunity for forward-thinking companies. Online customers today are increasingly conscious of data security, and the organizations that are able to safeguard their data are more likely than ever to win their trust and capitalize on their loyalty.

The GDPR is a substantial regulation that affects essentially every touch point with your customers. Because of the complexity of the new law, consider working with specialists or legal advisers to gauge how the GDPR applies to your particular situation and to confirm that your business is operating in a compliant way.

About the Author

Origins Ecommerce

We love sharing our expertise in online payments and helping our customers succeed. From the technical team to our customer service team, everyone at Origins Ecommerce is ready to support your success. Our goal is to reduce your expenses and risks while optimizing your revenue, by managing your online payments for you. The Origins Ecommerce payment solution is there to keep your payments in motion, so you don’t have to.
OriginsEcommerce.com
© 2024 Origins Ecommerce, All Rights Reserved