Data privacy is a big deal. The EU’s new approach to online privacy puts individuals first to protect and empower them. GDPR (General Data Protection Regulation) is going to change the way business interacts with its customers.

Even though there’s much hype around GDPR, the truth is companies are underprepared for this new law:

• 90% businesses believe it’s too difficult to delete customer data.
• 60% don’t have the systems in place to do so.

(Source)

What you’ll learn from this blog?

1. Why the EU introduced GDPR?
2. How different E-commerce platforms are getting ready for GDPR:
   1. Magento
   2. WooCommerce
   3. BigCommerce
   4. Shopify
3. What do you need to stop doing right now?
4. How can you use GDPR in your benefit?
5. Quick & Handy Checklist for Store Owners

Why the EU introduced GDPR?

The main reason for introducing this is because the current EU data privacy regulations are outdated. It dates back to 1980, later updated in 1995.

This means it doesn’t take into account smartphones, social media, AI, and other technological advancements.

The current regulation is only an instruction, so companies have a choice to not follow. GDPR is a rule; not following will lead to a fine of 20 million Euros.

Similarly, India is also proposing a Personal Data Protection Bill for the regulation of the Data of Indian users.

How are different e-commerce platforms getting GDPR-ready?

#1 Magento

Being the dominant & most-preferred E-commerce platform in the market, Magento is working hard to ensure it’s prepared for the GDPR. The Magento team is taking following actions:

• Proactively probing and revising its policies
• Contracting & processing with regard to privacy.
• Evaluating its products to help customers find out what exact data is being retained by Magento and where they are keeping it.
• They are advising customers to review extensions that are linked with their accounts.
• Encouraging customers to check all of their contracts and services linked to 3rd party organizations.

#2 WooCommerce

WooCommerce is gearing up for GDPR and helping its customers get ready for the new regulation. In order to help customers with GDPR, they’ve provided information about the new rules alongside.

• They will be obligated to tell customers what the platform is, why they are collecting data, who will have the access to this data, and for how long.
• They will need to get clear consent before receiving any data. Also, giving the authority to users access or delete data.

You can find what exactly WooCommerce is doing to be GDPR compliant here.

#3 BigCommerce

Akin to all the E-commerce platforms, BigCommerce is also working its way out to abide by the EU’s privacy protection rules.

In fact, they have also created a Privacy & Security group to ensure its easiest for customers to know and comply with GDPR policies.

They have also said that their privacy policy will be up to date before 25th May to reflect the latest EU guidelines.

#4 Shopify

Shopify is also reviewing how GDPR affects its platform. Although their services won’t be altered but a change in the way they provide their services will be different.

The main ways Shopify will be affected are:

• Privacy team will be re-organized in order to document and record privacy-related decisions made by them.
• When using a 3rd party subprocessor, they will have to make and receive confirmed contractual commitments with their merchants.
• Ensure the rights of all European merchants and customers are protected when it comes to personal data.

What e-commerce stores need to stop doing?

#1 Can’t check & track IP address

Checking and tracking the visitor’s IP address for the visitor’s location, geographic preferences, or currency is very common. We then alter CTAs, modify pricing, and change available SKUs. However, under the GDPR policies, you’ll now need to explicitly ask permission in order to do these things.

When a European customer visits your site, you will need to ask if you can collect and store their IP address.

#2 Restrictions on personalized content 

Delivering content the user is interested in – Isn’t it a very common practice? For e-commerce stores, this is an integral part of their business activity. You show more of what they are likely to buy by recognizing their preferences and purchase history.  

This personalized or targeted content requires the use of cookies in order to store personal information.

To comply with the GDPR:

1. You need to make sure that your European visitor has a choice when it comes to the use of cookies.
2. The sites with “If you use this site, you accept cookies”, should now properly ask for visitor’s permission.
3. Make sure they have made a clear and affirmative action to accept cookies, with a choice to reject them as well.
4. Extensions such as Magento 2 Custom Popup may have far-reaching consequences and even mean the removal of this feature for European visitors.
5. Also, any extension with the ability to collect and track data need to be removed or should explicitly ask for permissions.

#3 No more identifiable information – Pseudonymisation

Pseudonymization – Processing the personal data in a way that it can no longer be attributed to a specific data subject without further information. In short, making the data unintelligent.

That is, storing personal information directly in your databases is no longer acceptable. Under GDPR, all personally identifiable information collected will need to be pseudonymized. This includes names, IP addresses, locations, gender, race, and more. You can use any of the following methods:

1. You can use the method of tokenization here.
2. Partitioning space on your server and then separating personally identifiable data so that one single set is not sufficient without the other.
3. Masking could also be used. This means partial email addresses and other form data be stored instead of full values.

4. Avoid irrelevant data & multiple copies

The GDPR limits collecting and storing data. If the data is irrelevant, then you can’t collect it. In fact, the store owners can’t keep multiple copies of that data.

It implies cleaning up their databases. This could consume a lot of time. But this is likely to make your website load faster especially if you have a good host who knows the proper implementation of Varnish and Nginx.

This rule also applies to the period for which you can keep that data. For example, if you run a poll and several EU citizens fill it up, you must delete that data once the competition is over. The crux is you must delete the information once they become irrelevant to the purpose they were originally gathered for.

Benefits of GDPR for Ecommerce

I get it. There’s a lot of hassle in complying by GDPR. You need to review your subscribers, client information, marketing strategies, and so much more. But hold on. GDPR isn’t just rules and headaches. There’s a huge opportunity for you.

Let’s see how GDPR is going to benefit you if you’re compliant.

Use it as a selling point.

Yep, you read that right.

Here are a few examples of European companies using General Data Protection Rules (GDPR) in their benefit while being compliant:

1. Homepage of the German Supermarket chain Edeka: When you open their website, it says they use cookies and has a link to a “Privacy Policy” page (Datenschutzhinweisen).

2. eBay-owned, Marktplaats: As soon as the visitor opens this website, the screen gets blocked with this massive cookie notice.

3. Top Dutch news site, Telegraaf: There are 3 data privacy-related sections in the footer.

Why are they doing it?

Let’s face it – Data protection is a big deal in Europe.

1. If you’re compliant, show it off. That’s the new marketing strategy. Don’t just tell you’re GDPR compliant, give details.
2. European visitors will feel comfortable while making a purchase or engaging with your brand if you’re up to date with the data protection and privacy policies.
3. If you’re GDPR compliant and your competitor isn’t, you win. Or even if you both are but you’re the only one to brag about it – then it could help you with selling in the European market.

What companies need to do right now?

1. Conduct privacy impact assessments
2. Strengthen their systems of seeking permission to use customer’s data
3. Document ways they use personal data
4. Communicate data breaches effectively

Conclusion – GDPR for Store Owners

No matter if you’re a huge company or just a startup, located in Europe or outside of it – GDPR will apply to you if you have European visitors.

1. For smaller companies, GRPR compliance is a bit simpler. This means it is simpler if you’ve >250 employees.
2. Make sure your terms and conditions are clear. Remove pre-ticked boxes and collect data that are relevant.
3. Privacy and data protection rules are a great deal today, so if you are GDPR compliant, tell it to your shoppers.
4. Review your marketing tools and third-party channels. They need to be GDPR compliant as well. Uninstall if something’s not in-line with GDPR or contact them if you’ve any questions.

Pro tip: Get a GDPR-ready host so you don’t have to worry about data breaches, security, and inefficient data storage. However, a shared hosting provider can’t do it for you. Get a managed hosting provider today!