The General Data Protection Regulation (GDPR) was drafted in 2016 and came into effect in May 2018, and ever since it has had a major impact on how websites, email marketing, and businesses in general operate. The fines for non-compliance are hefty – either 4% of your annual revenue or €20 million (whichever is greater), making it a crucial law to abide by.
Before discussing how it applies to your eCommerce website, let’s take a look at what GDPR is and who it applies to.
What is GDPR?
GDPR is a set of regulations that grant rights to European citizens, giving them much greater control over their personal data and how it is used online. It applies to every website or online service that caters to citizens of the European Union. Your business might not be based in the EU, but if it deals with EU citizens in any capacity, you are obligated to be GDPR compliant.
As confusing and difficult to comply with as GDPR may seem, it also makes your website trustworthy for audiences, and eventually your customers will feel far more confident and comfortable on your website than on other, non-compliant websites.
According to the GDPR, people visiting your website:
- Must be clearly informed about any personal data that is collected about them, and the purpose for which it is collected.
- Must give clear consent before you can collect or use any personal data.
- Should be able to access and change this data at their convenience.
- Should be able to completely erase their personal data from your storage if they want to.
- Should be able to control what their data is used for, and restrict its processing.
How can I make my eCommerce website GDPR compliant?
1. Data Storage And Management On The Website
For your customers to be able to easily access, modify, or delete their data, you must store this information in an organized, well-structured manner. According to the GDPR, if there is any data breach, the company involved has a maximum of 72 hours to inform and alert the people affected about the breach.
Clearly record consent statements, get rid of every instance where data is collected by default (with the visitor left to opt out), and replace them with a process in which you ask visitors whether they want to join your mailing list, sign up for a specific service, and so on. Bring in a data processing officer who can revamp your system.
While informing your customers about data storage, be as clear as possible about its purpose. “We store your product purchase history for research purposes”, or “We record your name for better customer service” are too vague and might not be the best possible route to take. Instead, “We save details about your previous purchases to suggest other products you might be interested in” is a much more transparent reason.
2. Email Marketing Strategy
Any outbound email marketing plan will take a massive hit under the GDPR, so it is important to comb through your existing mailing lists, identify which contacts are potentially EU citizens, and check whether you are sending them any unsolicited emails.
Make all your future email marketing inbound. Have a clear form that people can fill in to subscribe to your emails (and perhaps include a checkbox for whether they are EU citizens or not). Have people opt in to your newsletters and updates, segment your mailing lists by purpose (product/company updates, newsletters, special offers, and so on), and let your customers decide which lists they want to be a part of.
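The two practices above (recording consent statements under section 1, and per-purpose opt-in lists under section 2) come together in a small consent ledger. The following Python is an added example, not code from the original article or from any particular eCommerce platform. It assumes one consent record per (email, purpose) pair, that the purposes are the mailing-list segments the article names, that nothing is pre-ticked on the sign-up form, and that every change is kept as an append-only history so the site can show a visitor exactly what they agreed to and when. The purpose names, the `signup_form` source label and the addresses in the usage section are constructed placeholders.

```python
"""Minimal purpose-based consent ledger for a mailing list (hypothetical example)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from enum import Enum


class Purpose(str, Enum):
    # Constructed list segments; the real names come from your own marketing setup.
    NEWSLETTER = "newsletter"
    OFFERS = "offers"
    PRODUCT_UPDATES = "product_updates"


@dataclass(frozen=True)
class ConsentEvent:
    email: str
    purpose: Purpose
    granted: bool
    statement: str   # the exact wording the visitor saw when ticking (or unticking) the box
    source: str      # where the decision came from, e.g. "signup_form" or "unsubscribe_link"
    at: datetime     # UTC timestamp of the decision


class ConsentLedger:
    """Append-only record of consent decisions; the latest event per purpose is authoritative."""

    def __init__(self):
        self._events: list[ConsentEvent] = []

    def record(self, email, purpose, granted, statement, source, at=None):
        self._events.append(
            ConsentEvent(email.lower(), purpose, granted, statement, source,
                         at or datetime.now(timezone.utc)))

    def has_consent(self, email, purpose) -> bool:
        # Walk the history in order; the last decision for this purpose wins.
        latest = None
        for ev in self._events:
            if ev.email == email.lower() and ev.purpose == purpose:
                latest = ev
        return bool(latest and latest.granted)

    def history(self, email):
        """Right of access: everything recorded for this address, oldest first."""
        return [ev for ev in self._events if ev.email == email.lower()]

    def erase(self, email):
        """Right to erasure: drop every event tied to the address; returns how many were removed."""
        before = len(self._events)
        self._events = [ev for ev in self._events if ev.email != email.lower()]
        return before - len(self._events)


def handle_signup_form(ledger, email, checked_purposes, statement_by_purpose):
    """Record the form submission. An unchecked box is recorded as no consent; nothing is implied."""
    for purpose in Purpose:
        ledger.record(email, purpose, purpose in checked_purposes,
                      statement_by_purpose[purpose], "signup_form")


def recipients_for(ledger, candidates, purpose):
    """Gate a campaign send: only addresses with a current opt-in for this purpose get the email."""
    return [e for e in candidates if ledger.has_consent(e, purpose)]


if __name__ == "__main__":
    ledger = ConsentLedger()
    statements = {p: f"Yes, send me {p.value} emails" for p in Purpose}
    # Constructed sign-up: the visitor ticked only the newsletter box.
    handle_signup_form(ledger, "Alice@example.com", {Purpose.NEWSLETTER}, statements)
    print(recipients_for(ledger, ["alice@example.com", "bob@example.com"], Purpose.OFFERS))
    print(recipients_for(ledger, ["alice@example.com", "bob@example.com"], Purpose.NEWSLETTER))
    # Later the visitor uses the unsubscribe link for the newsletter, then asks for erasure.
    ledger.record("alice@example.com", Purpose.NEWSLETTER, False,
                  "Unsubscribe from newsletter", "unsubscribe_link")
    print(ledger.has_consent("alice@example.com", Purpose.NEWSLETTER))
    print(ledger.erase("alice@example.com"))
```

The design choice worth noting is that the send path goes through `recipients_for` rather than reading a flat list: a campaign can only reach an address whose most recent recorded decision for that specific purpose was a grant, and because the statement text is stored with each event, the site can later show the visitor the exact wording they agreed to.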
The key to GDPR is putting your customers first. As much as it feels like you are shutting them out of your website and placing more barriers between you and them, thinking from the other perspective helps. As a potential customer, you would not want someone to spam you with emails and marketing, especially when you have not even signed up for it (or when you cannot unsubscribe from it). Additionally, you would want to know how much of your personal information (name, email, address, location, and so on) is being processed and used by a website, and why. That really is the key to GDPR compliance. Apart from keeping you away from hefty fines and legal penalties, you build a healthy customer base that trusts you, and that trust repays you in the long run.