Boring but necessary: GDPR Compliance
Disclaimer: I’m not an attorney and never will be. My father is an attorney and often quotes a [probably made up] statistic that 80% of working lawyers don’t want their children to follow their career paths because it’s miserable. Please don’t mistake this article for actual legal advice, and if you have any pressing questions or fear you may breach GDPR, contact real legal counsel.
On May 25th, the European Union will begin enforcing the General Data Protection Regulation on any business that receives data from the EU. Even if your company isn’t headquartered in the EU, these rules will apply to you if:
- You have customers who live in the EU.
- You have non-customers on your email list who live in the EU.
- Your website captures the IP addresses of EU-based visitors (usually for retargeting purposes).
- You collect any information that may personally identify an individual.
The big, scary penalty for non-compliance is €20 million ($28 million) or 4% of your company’s annual revenue, whichever is greater.
If you’re reading this, you’re likely a small business without in-house legal counsel or a Data Protection Officer. The good news for you is that any company with fewer than 250 employees doesn’t need to provide documentation as to why personal data is being collected and processed, what information you’re storing, or how long you’re keeping it. Now, if you are a mid-to-large scale company, I must ask why you’re reading this blog.
Whether you’re dealing with EU customers or not, adjusting your online dealings to the most current, stringent standards puts you in a better position not only for future regulations in your home country but also for building trust with customers.
Unethical, but not illegal (yet)
Customers are usually perceptive about dodgy marketing tactics, especially now, after the Cambridge Analytica fiasco. Cambridge Analytica didn’t break the law by using third-party data purchased from one of those annoying quiz apps. Instead, two complaints filed with federal prosecutors insist they broke US law because they're British, and it's illegal for foreign nationals to play significant roles in US elections. According to the Guardian:
The complaints allege that several Cambridge Analytica employees, including Alexander Nix, the company’s CEO who was recently suspended, performed significant work that constituted being part of the “decision-making process” in campaigns during the 2014 and 2016 US election cycles.
My friends were shocked – SHOCKED, I say! – when news broke that Cambridge Analytica may have used their data. I mean, my friends seemed like they were listening to me when I told them how Facebook retargeting works. When we think Facebook is listening to our conversations because there's an ad for a curry restaurant and we were JUST saying we wanted a curry, that’s Facebook tracking our online behavior, such as reading Yelp reviews for Indian restaurants, and people like me buy that information from Facebook to sell stuff. Cambridge Analytica’s problem was that they legally collected user data to influence Brexit and the US presidential election.
As an ethical business, your ethical practices shouldn’t only be woven into your supply chain and result in a fair product, but also be reflected in how you treat sensitive customer information. Hopefully, I can provide easy-to-follow steps on how to approach this delicate, complicated matter.
Scrutinize your sales funnel
How customers make purchases on your website is something you should know anyway. Sit down with a pen and paper, take note of every single instance in which you may collect a customer’s data, and think about why you use it. Here’s an example from MadeFAIR:
- We collected IP addresses on every single landing page via a Facebook pixel and tracking tags from Google and retargeting apps.
- Our affiliate program used cookies and stored IP addresses for 30 days to keep track of affiliate earnings.
- We gave out a discount code in exchange for email addresses for shameless re-marketing purposes.
- If a customer abandoned their cart, we captured their email address and sent them abandoned cart emails.
- When a customer made a purchase, we became privy to their home and work addresses, phone numbers, and emails.
- If a customer signed up for an account but didn’t make a purchase, we still captured most of this information.
Does this sound familiar? It’s the most basic form of e-commerce data capture, so you’re probably doing it, too. Once you map out your sales funnel, list every app involved in data collection.
- Retargeting: Facebook, Google, AdRoll (businessy note: don’t use AdRoll. They’ve had attribution reporting issues in the past).
- Affiliate program: Shareasale
- Email List: WisePops, MailChimp
- Abandoned Cart: Spently and Shopify
- Customer accounts: Shopify
- Payments and delivery: Shopify, PayPal, and third-party contractors.
Fixing the problems
The software companies I listed above can’t shoulder the blame if your company isn’t GDPR compliant because you're a data controller using those companies as processors. If they haven’t taken steps to become compliant and you continue to use them, then you’re still breaching the GDPR.
Here are a few things you can do to make sure you won’t have to fork over €20 million to the EU:
Take MailChimp’s advice
Even if you don’t use MailChimp for your newsletter, they offer invaluable information on how to implement a new data protection policy. It involves sending a mass email to all customers so they can opt in to your email list with the information they may have missed the first time around. Don’t worry if this reduces your list, because you retain the engaged customers who would be more likely to make a purchase anyway.
Dedicate a few hours to study up on GDPR
Helpful resources via Bold Commerce:
- EU’s Primary GDPR Page
- An easy-to-read resource for browsing the complete legislation
- GDPR Wiki page. It provides an excellent overview, but for specific compliance advice, it’s best to speak with a lawyer.
- The UK’s Information Commissioner’s Office (ICO) has provided a thorough page on becoming GDPR compliant.
- ICO’s 12-step guide to GDPR compliance
- A marketer's guide to becoming GDPR compliant