GDPR Compliance Actions for Merchants. The privacy laws have changed, you now need to adhere to the following directive EU’s General Data Protection Regulation (GDPR). It is already having a major impact on merchants who target the EU. We want to share the best practices we have received from conversations across our industry.
Here are three ways merchants can prepare for GDPR:
1. SCRUTINISE PRIVACY POLICIES…AND WHETHER YOUR POLICIES ARE ALIGNED WITH REALITY
Transparency is at the core of what regulators care about. Merchants should, in a nutshell, do what they say and say what they do. Merchants should be communicating to customers in clear, concise and specific language that any layman can understand quickly. Think logic, not legal-ease. Privacy policies are often treated as set-it-and-forget-it. With GDPR, merchants not only need to examine their privacy policies but behaviour as well—and make sure those policies match behaviour.
Regulators also care deeply about protecting the privacy of minors. If your potential audience includes minors, all of the above applies, but it’s magnified. Merchants must take extra care that their policies and behaviour follow both GDPR requirements and country-specific rules based on the residency of the individual. This is an area around which merchants can definitely expect increased scrutiny.
2. BE SURE TO KEEP THOROUGH DOCUMENTATION
GDPR is complicated, and many of the details around the regulations are still being developed. Nevertheless, being able to demonstrate diligent, authentic, and earnest effort to comply with GDPR and the spirit behind it will be critical. Think documentation. Big technology players like Facebook and Google are not the only businesses that may face private-sector complaints and public-sector enforcement. The more merchants can show they operate as they say they do, and demonstrate a healthy respect for the privacy and will of their customers, the better off they will be.
3. COMPLY EVEN IF YOUR BUSINESS IS NOT BASED IN THE EU
The internet is global. If you are a global business or have ambitions of a globally scalable product or service, you need to comply. In other words, as a practical matter, all of your data processes and disclosures to customers globally will need to be compliant with these EU regulations. It’s hard to imagine a global business, even with a small EU presence, building two versions of a product or service it intends to scale globally.
4. CHECK YOUR TERMS AND CONDITIONS
It would be wise to be able to provide evidence of compliance of the new regulations to any adjudicating authority that comes knocking, as well as adhere to, and offer best-practise of it. We, therefore, recommend that no transaction is capable of being made on your site without the customer having to agree to your terms and conditions. Nearly every retailer does this now anyway, a simple tick box to say they do is sufficient, usually during checkout. Those that try and be different and put it somewhere else, do so at their peril. You can either include in those terms the customer approval to your right to hold their emails details in your database and that they also agree to allow you to email them within those terms. You could offer a second tick-box for this, but experience suggests that it is more beneficial not to single it out for special attention. If they don’t agree to this, you can’t send them confirmation of orders anyway. No tick, no goods, no hassle.
Latest Post-Brexit Compliance regulations here.
2 Responses
Evidence of active consent to receive marketing email is a must from 25th May. How do you get a customer to activily consent to a auto generated email, if you cannot have a pre-determed ticked box, or a statement stating that by accepting this order you consent. As I understand there must be a record recorded of a submit action with an IP address and data and time stamp. With SwiftERM what is the best method to comply?
You are making a distinction between types of email. There is no provision for this in the GDPR regulations. What the industry typically does is to ask the consumer to consent to provide their email address, allowing you to keep it, providing permission for you to use it. The caveat being, that unless they do, they cannot place an order. This is achieved by providing a tick box (opt-in) acknowledgement for any order, you need to do nothing more. After all, how can you confirm an order if they don’t tell you their email address, and to be able to identify them for security?
Therefore you don’t need to distinguish a SwiftERM email from this, we are not an ESP. We take your data, identify what the consumer is most likely to buy next, prepare their individual email stylesheet and return it to your platform to send it to them in turn. The email comes from you, as it would if you mailed the customer from any mailbox on your server.