The 3 Foundations of the GDPR
When it comes to the GDPR and ecommerce, there are only 3 important things to remember. When you do, you’ll be able to understand the GDPR in full and see how you can become fully compliant.
These three areas are:
- Consent: the user must agree to be included in your marketing campaigns
- Data Protection: you must protect the user’s personal data adequately
- Requests for Deletion or Correction: if the user requests you delete, correct, or restrict the personal data you have, you must comply quickly
Let’s go over these three points in depth.
One of the most important parts of the GDPR for ecommerce businesses is the idea of “consent.”
If the user has consented to the message and communication channel that you are offering, then you can continue to do as you always have. But if there was no consent, then you cannot send them marketing materials or advertise to them.
I’ll repeat: get consent when you collect their information, and make sure you have consent to send them various messages.
You’ll usually be fine if your customer signs up for your newsletter, since it’s understood as a regular marketing channel.
And of course, this goes for any type of marketing you’ll be doing with them, including retargeting, emails, Messenger, SMS/text message, etc.
If you don’t have explicit, unambiguous consent from the visitor to get these kinds of marketing messages, then you won’t be able to send them messages—or else face heavy fines.
The second core of the GDPR for ecommerce and other businesses revolves around the idea of personal data protection.
If a user does consent to your storing and processing their personal data (through personalized marketing or advertising messages, for example) you have the obligation to make sure that that data is adequately protected.
When it comes to exactly what “personal data” is, according to the GDPR the definition is pretty broad: any data that can be used alone or in combination to link to or point to a person.
This includes the visitor’s:
- physical address
- demographic data (age, location, etc.)
- email address
- IP address
If you have any of this kind of data from your shoppers or subscribers, then you need to make sure the data is adequately protected.
Now, because it is a law that has not been enforced yet, there are still some remaining questions. One big question concerns what “adequate data protection” actually means.
According to the GDPR, businesses are supposed to appoint a Data Protection Officer (DPO), who will be responsible for ensuring adequate security for the personal data.
It simply states that DPOs will be required for companies that process large amounts of personal data, so smaller ecommerce stores should be in the clear.
However, it’s still very important that you have someone in your organization who is in charge of data protection.
The last of the 3 essential areas of the GDPR for ecommerce concerns user requests to have their personal data deleted, corrected or restricted.
The GDPR allows, at its core, for European citizens and residents to have more complete control over how their personal data is used.
For that reason, if an EU subscriber or shopper whose personal data you have asks you to erase or change it in any way, you have to do so within a reasonable amount of time.
We don’t know how long this reasonable amount of time should be, but we can assume that for ecommerce stores, it shouldn’t take more than a week.
Out of all the essential parts of GDPR for ecommerce, this one should be the easiest to adjust to. In fact, you probably should already be doing it.
If a user asks you to change or delete their personal data, it’s best to do it sooner rather than later.
With that, you’ll have nothing to worry about for this part of GDPR.
How to become GDPR-ready today
GDPR is all about the principles, not necessarily the techniques. They tell you what you should be doing, but they’re not too specific on how.
Usually, that’s up to you, such as your Privacy and Cookie Policies.
But those are one-off things. You need to make sure your daily process from May 25th onwards are GDPR-compliant, and that’s related to your marketing.
But luckily, you don’t to do mental gymnastics to figure out how to make sure all your separate marketing ecommerce apps are in line with the GDPR.
Omnisend has all the features you’re using, all rolled into one powerful marketing automation platform. We’re pretty much made for smart marketers.
If you want to stop stressing out about whether you’re GPDR-compliant or not, you can stop worrying today.