How to Prepare Your Ecommerce Site for the GDPR

While the GDPR may represent an extra burden to your business, it may also deliver some long term benefits.

Questions about GDPR? Ecommerce managers everywhere are wondering how their online business will be affected by the General Data Protection Regulation. It is set to become law in the European Union (EU) on May 25, 2018.

But what if your business isn’t headquartered in the EU?

GDPR requirements will govern the way you interact with EU customers and prospects regardless of where you do business.

I know, GDPR sounds like one more headache you don’t need. I feel your pain.

But, there’s more to the story.

In this article, let’s look at what the GDPR is, why it’s important, and the steps you’ll need to take to ensure compliance.

But, there’s something else.

In the end, you may decide GDPR isn’t a curse word. It could even help you form an even deeper and more trusting relationship with your customers.

And that’s a good thing.

So, what is GDPR?

GDPR is an acronym for “General Data Protection Regulation.” It is a European Union law designed to give consumers in the EU more protection, rights, and control over personal data used online.

EU consumers will have special rights, under the GDPR, to access, correct, delete, and restrict processing of certain information.

As stated in the proposal, the GDPR has three goals:

  • The GDPR will reinforce data protection rights for individuals
  • The GDPR will facilitate the free flow of personal data in the digital market
  • The GDPR will reduce administrative burden

Many ecommerce managers tend to disagree with the latter two points, believing instead this legislation could turn into an administrative nightmare. Others say the GDPR will help protect consumers from abusive and unsolicited marketing.

No matter how you feel about the GDPR, you will be faced with adapting to its demands if you intend to do any business at all with EU citizens.

Why is GDPR compliance important to ecommerce businesses?

If you sell or market to anyone in the EU, you need to be in compliance. Failure to follow GDPR requirements can bring fines of up to €20 million (currently $24.6 million USD) or four percent of your global annual revenue, whichever is higher.

Avoiding stiff fines, though certainly a convincing reason, may not be the best reason to pay attention to the demands of the GDPR.

Since GDPR will benefit the people who buy from you, that means it has the potential to benefit your ecommerce business as well.

For example:

  • When you gather a list of prospects without getting permission to mail them, it can erode trust and hurt your brand in the long run.
  • When you get permission before emailing a prospect, you are building the relationship on trust right from the beginning.

Trust pays dividends. The more your prospects trust you, the more likely they are to become customers.

Take that line of thought a step further: the more your customers trust you, the longer you’ll keep them, and the more they’ll recommend you to others.

So, what does an ecommerce business need to do to comply?

One more time: this law will affect anyone who does business with EU citizens. You don’t need to opt in, and you can’t opt out. The GDPR has the potential to touch any ecommerce business.

Let’s consider the most likely spots of GDPR friction and suggest steps you can take to protect both your company and your customers.

[Screenshot: two of the GDPR data subject rights]
The screenshot above shows two of the data subject rights you’ll want to become familiar with. For the full list, go here: GDPR Key Changes

Data Collection and Storage: You’ll need the ability to quickly access records with personally identifiable information so you can supply, modify, or delete that data. You’ll also need to know exactly how that data has been used and where else it has been distributed or stored.

Much of this requirement speaks to smart data management. You may need to tighten up your recordkeeping and make sure you get and record statements of consent. If you suffer a data breach, you’ll have 72 hours to alert those potentially affected.

If you’re using forms that require visitors to opt out if they don’t want to be on your mailing list or don’t want tracking cookies collecting information about them, you’ll want to reverse the strategy.

Under GDPR, you should ask those who want to join your mailing list or consent to tracking cookies to opt in for those selections. Do not pre-populate consent forms.

Appoint a data protection officer to oversee your systems and monitor your compliance. For many ecommerce marketers, it will be simpler and more cost-effective to bring their database management practices up to GDPR standards rather than to try to sort out EU customers and treat their information more strictly.

The EU Information Commissioner’s Office offers a checklist (the screenshot above is only partial) to make sure you’re asking for consent properly. Get the full checklist here: ICO Consent Checklist

Email Marketing: GDPR will almost certainly have ramifications for your outbound email marketing strategy and the way you grow your email list.

Make sure there’s a clear opt-in on your site forms and that those forms communicate exactly the nature of the content that’ll be sent to those who submit it.

When you send email to people in the EU, make sure it’s only addressed to people who have explicitly requested that you do so. You must also maintain the consent form records you collected when email signups occur. The burden of proof lies with you.

To be safe, you should evaluate your existing email list to ensure you aren’t sending unsolicited emails to the UK. Make sure you’re including a field for those providing their email to note which country they are from (or if they are from the EU at a minimum).
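The opt-in, consent-record and country-field advice above, as an added example that is not from the article: a small in-memory consent ledger in JavaScript that refuses pre-populated consent boxes, keeps the fields you would need to prove consent, and backs the access, correction, deletion and restriction rights mentioned earlier. The form id, field names, consent wording and sample submission are assumptions made for this illustration.

```javascript
// Added example (not from the article): a minimal consent ledger for a newsletter
// signup that enforces explicit opt-in and backs the access, correction, deletion and
// restriction rights the article lists. Form id, field names and sample data are assumed.
const key = (email) => email.trim().toLowerCase();

class ConsentLedger {
  constructor() { this.records = new Map(); } // keyed by normalised email

  // Refuses opt-out style forms: the consent box must default to unchecked.
  recordSignup(form, submission, now = new Date()) {
    if (form.consentDefaultChecked) {
      throw new Error(`form ${form.id}: consent checkbox must not be pre-populated`);
    }
    if (submission.consent !== true) return null; // no opt-in: store and send nothing
    if (!submission.country) throw new Error("country field is required");
    const record = {
      email: key(submission.email),
      country: submission.country.trim().toUpperCase(),
      consentText: form.consentText, // exact wording the person agreed to
      consentAt: now.toISOString(),  // when: the burden of proof lies with you
      source: form.id,               // which form collected it
      usedFor: ["newsletter"],       // purposes the data is used for
      restricted: false,             // set by the restrict-processing right
    };
    this.records.set(record.email, record);
    return record;
  }
  mayEmail(email) { // send only with recorded, unrestricted consent
    const r = this.records.get(key(email));
    return r !== undefined && !r.restricted;
  }
  access(email) { // right of access: what is held and how it is used
    const r = this.records.get(key(email));
    return r ? { ...r, usedFor: [...r.usedFor] } : null;
  }
  correct(email, changes) { // right to rectification
    const r = this.records.get(key(email));
    return r ? (Object.assign(r, changes), true) : false;
  }
  restrict(email) { // right to restrict processing: keep the record, stop using it
    const r = this.records.get(key(email));
    return r ? (r.restricted = true) : false;
  }
  erase(email) { return this.records.delete(key(email)); } // right to erasure
}

// Constructed sample form and submission for a quick run.
const sampleForm = { id: "footer-signup", consentDefaultChecked: false,
  consentText: "Yes, email me weekly offers. I can unsubscribe at any time." };
const sampleSubmission = { email: " Shopper@Example.com ", country: "de", consent: true };
```

In a real store the ledger would be a database table, but the same fields (who, when, which form, which wording, and whether processing is restricted) are what you would hand over on an access request.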

As with data management, most ecommerce businesses will benefit by raising their standards overall to meet GDPR requirements for all their customers – not only those from the EU.

The GDPR can seem like a big bummer for your business, but if it prevents the erosion of trust between businesses and consumers, it will help both in the long run.

The GDPR ecommerce effect may not be a nightmare after all

Most ecommerce managers first heard the rumbling about this new law in 2014, when it was introduced to the European Parliament. It’s not a surprise.

Rogue marketers and data thieves have damaged the reputation that above-board ecommerce companies have worked hard to develop. Viewed from that perspective, the GDPR and forthcoming regulations will serve to protect the trust between consumers and ecommerce marketers.

Look at it from the point of view your customers might take. Step up to the plate and go above and beyond to protect their information. Stop marketing to people who haven’t fully and consciously participated in the decision to have their email addresses on your mailing list.

The more you look out for your customers and put them first, the better they’ll appreciate you. Marketing is about a relationship. The GDPR can be a relationship builder.



About the Author

David Hoos

David Hoos is the former Director of Marketing at The Good, conversion rate experts who deliver more revenues, customers, and leads. David and the team at The Good have made a practice of advising brands on how to see online revenue double through their conversion rate optimization services.