GDPR Compliance Actions for Merchants. The privacy laws have changed: you now need to adhere to the EU’s General Data Protection Regulation (GDPR). It is already having a major impact on merchants who target the EU. We want to share the best practices we have gathered from conversations across our industry.
Here are three ways merchants can prepare for GDPR:
1. SCRUTINIZE PRIVACY POLICIES…AND WHETHER YOUR POLICIES ARE ALIGNED WITH REALITY
Transparency is at the core of what regulators care about. Merchants should, in a nutshell, do what they say and say what they do. Merchants should communicate with customers in clear, concise and specific language that any layman can understand quickly. Think logic, not legalese. Privacy policies are often treated as set-it-and-forget-it. With GDPR, merchants need to examine not only their privacy policies but their behaviour as well—and make sure those policies match that behaviour.
Regulators also care deeply about protecting the privacy of minors. If your potential audience includes minors, all of the above applies, but it is magnified. Merchants must take extra care that their policies and behaviour follow both GDPR requirements and country-specific rules based on the residency of the individual. This is an area in which merchants can definitely expect increased scrutiny.
2. BE SURE TO KEEP THOROUGH DOCUMENTATION
GDPR is complicated, and many of the details around the regulations are still being developed. Nevertheless, being able to demonstrate diligent, authentic and earnest effort to comply with GDPR and the spirit behind it will be critical. Think documentation. Big technology players like Facebook and Google are not the only businesses that may face private-sector complaints and public-sector enforcement. The more merchants can show that they operate as they say they do, and demonstrate a healthy respect for the privacy and wishes of their customers, the better off they will be.
3. COMPLY EVEN IF YOUR BUSINESS IS NOT BASED IN THE EU
The internet is global. If you are a global business or have ambitions of a globally scalable product or service, you need to comply. In other words, as a practical matter, all of your data processes and disclosures to customers worldwide will need to be compliant with these EU regulations. It is hard to imagine a global business, even one with a small EU presence, building two versions of a product or service it intends to scale globally.
4. CHECK YOUR TERMS AND CONDITIONS
It would be wise to be able to provide evidence of compliance with the new regulations to any adjudicating authority that comes knocking, as well as to adhere to them and follow best practice. We therefore recommend that no transaction can be completed on your site without the customer agreeing to your terms and conditions. Nearly every retailer does this already; a simple tick box confirming agreement is sufficient, usually during checkout. Those that try to be different and put it somewhere else do so at their peril. You can include in those terms the customer’s consent to your holding their email details in your database and to your emailing them within the scope of those terms. You could offer a second tick box for this, but experience suggests that it is more beneficial not to single it out for special attention. If they do not agree to this, you cannot send them confirmation of their orders anyway. No tick, no goods, no hassle.