The European Union’s General Data Protection Regulation (GDPR) is a piece of legislation aimed at protecting the data privacy of European citizens. According to Entrepreneur, “Under GDPR, information such as customer IP addresses and even web cookies will be subject to the same strict security standards as physical addresses and social security numbers.” So how might GDPR impact your store when it takes effect on May 25th?
First, you should know that Volusion is committed to compliance with GDPR. However, while we work to ensure all our internal operations comply with these new regulations, each merchant is ultimately responsible for ensuring that their business complies with all laws and regulations for the jurisdictions in which they operate as well as those in which their users reside. That being said, here is some information for you to be aware of:
As a merchant based outside of the EU, why should I be concerned?
GDPR will affect all EU-based merchants, as well as global merchants who market, sell to, or capture data associated with any individuals located within the EU. Since the majority of ecommerce sites can be accessed internationally, all ecommerce merchants should make themselves aware of their responsibilities under GDPR.
I use Volusion so I don’t need to do anything else to be GDPR compliant, right?
Unfortunately, no. While much of Volusion’s efforts towards GDPR will assist you with your own compliance, there are steps which you will need to do as well. Simply using the Volusion platform will not guarantee that a merchant is compliant with GDPR.
So what do I need to do?
Below are some steps you can take to begin the journey to GDPR compliance.
1. Familiarize Yourself with GDPR
You have probably heard of GDPR, but if you don’t have a working knowledge of its principles, please familiarize yourself with the basics here.
Additionally, there are a number of resources available on the steps companies must take in order to comply with GDPR, including an open source (free) checklist you can use to evaluate your company for its readiness for GDPR here.
2. Take Stock of Your Data
Under the GDPR, every business is responsible for documenting:
1. What personal data it collects. (Ex. shopper name, address, email, payment info, etc.)
2. A legitimate business reason to collect it. (Address/to ship products, payment info/process payments for goods, etc.)
3. How it is shared with third parties. (Payment data sent to bank for transaction approval)
If you haven’t already, you should begin this process.
3. Communicate Your Cookie Policy
Under GDPR, among other regulations, all businesses are required to transparently communicate the ways that personal data is being collected and used and are expected to ask for consent in advance of collection. In this case, cookie policies will need to be documented and provided to visitors to your store.
Given the diversity of merchants, partners, and integrators using the Volusion platform, creating a single list/policy that would be applicable for every merchant isn’t feasible. That being said, we are working on materials related to the common cookies used by Volusion merchants.
4. Update Your Privacy Policy
Once you’ve reviewed how your organization is collecting and processing data, it is time to work on updating an integral part of your GDPR compliance, your privacy policy. A privacy policy is a public statement of how your organisation applies data protection principles to processing data. It should be a clear and concise document that is accessible on your store by individuals looking to visit or shop.
A great resource to help navigate the details of your privacy policy can be found here.
5. Protect Your Consumers’ Personal Data
While Volusion offers strong security, there are still steps merchants will need to address regarding the protection of shopper data. This is particularly true if you are processing shopper data outside of the Volusion platform, such as a brick-and-mortar store swiping cards manually or using phone orders to enter data on workstations. A key element of this will be the creation (or updating) of a data protection policy.
Your data protection policy will outline key controls your company uses to ensure data remains secure while processed, transmitted, or stored. This should also outline the steps you will take in the event you suspect data has been compromised, to include notification in accordance with GDPR (within 72 hours of becoming aware of a breach).
6. Beware of GDPR “Certifications”
At this time, there is no formal certification process to undergo which will result in an officially-recognized GDPR compliant certification. Despite this, there are companies looking to take advantage of the anxiety around GDPR compliance and the upcoming deadline by offering such a certification. Please be careful when you see these types of claims. We encourage partnering with respected consulting and/or legal firms offering guidance and advice related to GDPR.
If you have additional questions about Volusion’s efforts toward GDPR, please send them to [email protected].