This year, the General Data Protection Regulation (GDPR) went into effect, and it impacts businesses of all sizes. Since many of my clients are small- to medium-sized merchants, I thought I would touch on a few highlights concerning what these new regulations are.
GDPR is a new law regulating the way businesses collect, process, and use data from citizens in the European Union. The law covers any business with EU customers, no matter where or how big the business is: even one-person shops or “mom-and-pop” merchants need to abide by the regulations.
At least half of my clients have no customers in the EU, and at least a third of those have no real prospects of ever GETTING customers in the EU. Nevertheless, I still recommend that they think seriously about implementing the tenets of this law. “At its core,” states one source, “GDPR is designed to protect personally identifiable information by strengthening and unifying the standards for data storage.” Not only is that a good idea, it is an idea I expect to spread: it would not surprise me to see the US adopt similar regulations within the next five years. For that reason, I tell clients, you might as well start planning now.
3 Areas Affected by GDPR
There are three primary areas where the GDPR will have the most dramatic impact. Because this is a blog post (and because I am NOT an attorney), we’ll just touch on these at a high level.
- Lawful Basis
GDPR requires that merchants have a “valid lawful basis” for processing personal data. There are six lawful bases, and mostly they get down to whether the processing is necessary: in other words, if there is a feasible way to accomplish the same goals without processing personal data, you probably won’t legally be allowed to process it.
- Data Processing Contract
If you accept credit or debit cards through a third-party data processor such as PayPal, you must have a detailed contract with that company. Typically referred to as a Data Processing Agreement, or DPA, the contract must spell out–again, in language an average person could be reasonably expected to understand–the purpose of processing the personal data, as well as who will be liable for that data at any given stage.
What Happens if I Don’t Comply?
Again, these new regulations are in effect even for small companies based outside the EU: if you collect, process, or use personal data of any EU citizens, you are liable. Not complying with GDPR can result in fines–some of them quite high. EU regulators are allowed to fine US companies for GDPR violations; in some cases, US authorities may even help.
No Time to Be Complacent
All the new stipulations associated with the GDPR have left some merchants feeling overwhelmed. While that’s understandable, it’s good to keep in mind that the end goal is relevant: the protection of our personal data. We all want our customers to feel confident that their information is safe in our hands.
And remember: help is available. Here at Spilled Milkshake, we have the knowledge and experience to help you navigate the sometimes-choppy seas of GDPR. Contact us today to learn how we can make sure your site adheres to GDPR standards going into the future.