The great thing about ecommerce is that it’s easier than ever to grow your business beyond your borders—but once you’re selling in multiple countries, you need to know a bit more about how they do business, and what you need to do to comply with their laws.
There’s a new regulation coming to the European Union in 2018, called the General Data Protection Regulation (GDPR for short).
We sat down with one of our internal experts, Vivek Narayanadas, Shopify’s Data Protection Officer, to chat about what it means for you, and what you should be thinking about ahead of time.
OK, let’s start with the basics: what is GDPR, and is it something I need to care about?
The General Data Protection Regulation—which I’ll now just call GDPR—is the European Union’s new data privacy law. When it takes effect, it’ll be the most comprehensive data privacy law in the world, and it’ll impact how companies (even small ones) collect and handle personal data about their customers.
And you might need to prepare for it even if you’re not based in the EU. GDPR will impact virtually any company that’s either based in Europe, or has any customers in Europe. Since ecommerce is making it easier than ever to sell to the world, that might be your store, too.
So if I have customers (even a few) in Europe, I need to know about this, then. Cool. Can you explain it in real words, not legalese?
GDPR gives people more rights over their personal data, and it defines what counts as personal data very broadly. You can check out a complete guide to the legislation here.
It specifically gives people the right to access, correct, delete, and restrict processing of their data, and sets out strict guidelines about how you need to get customers to agree that you can use their data (aka, consent). This is especially important if you're using your customers’ data for purposes beyond simply filling orders, like for marketing or advertising.
GDPR also makes it your responsibility to protect that data (even if you’re using a processor like Shopify to actually store that data), and to make sure that your customers and website visitors can exercise all the rights they now have.
If someone in the EU emails you and asks you to delete their history of purchases from your store, for example, you’d need to be able to do that.
WANT MORE INFO? We've put together an article in the Shopify Help Center with additional details about GDPR for our merchants, and it links to additional resources.
And OK, this might seem like a softball question, but can you elaborate on what counts as “personal data”?
For sure! Under GDPR, if you collect or store any information that can be linked to an individual, that counts as personal data.
There’s a more in-depth explanation here, but as a quick example, if you let your customers create accounts on your store, or you collect their email addresses, both of those would count as “personal data.”
But GDPR goes broader than that—even information like an IP address that doesn’t identify a specific person counts as personal data.
Got it—I need to be ready to comply with all of this. When is this all going down?
GDPR takes effect on May 25th, 2018.
So you’re saying I’ve got some time. What, specifically, do I need to do before then?
There are a few things you should be thinking about as you get ready for GDPR.
- If you’re using third-party applications or themes to support your store, do those apps or themes comply with GDPR?
- Do you need to appoint a Data Protection Officer?
- Do you need to start conducting documented Data Protection Impact Assessments?
- Do you need consent from your customers to process data, and do you need to change how you obtain consent to comply with GDPR’s higher consent requirements?
- Will you be able to comply with the rights provided to your customers and users in GDPR, including the rights to access, correct, erase, and export their data?
You’ll notice those are mostly questions to ask, not action steps to take. That’s because every business is different, and you might need more (or less!) prep than another store to comply with GDPR. Our best recommendation is to consult with a lawyer if you’re not sure how this will impact your business.
But what about this very specific, nuanced thing about my business?
Well, we’re not your lawyers, so we can’t offer legal advice. That’s why the best thing you can do to prepare yourself (and your customers’ data) for GDPR is to speak with a lawyer IRL about any concerns you have.
The second best thing is to consult these resources, which can help answer many questions you might still have:
- ICO: Guide to data protection
- Data Protection Commissioner: GDPR
- CNIL: Règlement européen : se préparer en 6 étapes (European regulation: preparing in 6 steps)
Last but definitely not least, I’m on Shopify. How does that impact how I’m going to handle this and make the required updates? And hey, don’t you folks need to comply too?
We’ve been hard at work preparing for GDPR for a while! So far, we have:
- Appointed an experienced Data Protection Officer (that’s me! 👋)
- Implemented a Data Protection Impact Assessment process
- Started to review our contractual arrangements with subprocessors, to make sure they’re required to protect personal data
- Started to deliver GDPR-focused trainings to key teams and people
- Implemented a detailed procedure to deal with data subject access requests, deletion requests, and government access requests
And even more, but this would be a very long post if we got into the nitty-gritty details. The most important thing to know is that we’re on it.
There’s still more for us to do before May 2018, especially as new guidance and interpretations of GDPR are released. We’re working on preparing even more informational materials about our data protection program for merchants who are trying to make sure Shopify can support their data protection needs—so stay tuned, and know that we’re committed to being prepared for GDPR.