
Everything you need to know to make your Marketplace GDPR compliant

September 24, 2024 • Shivam Vidya Sah

“Data is the new oil.”

This phrase has been circulating on the web for quite a while now. If we take it at face value, a resource this valuable has to be well protected, and that is where the GDPR comes in.

Let’s begin with a quick disclaimer. This blog post is not legal advice and is for informational and/or educational purposes only. By the end of this post, you will get to know what GDPR is, whether it applies to your organization or not, the penalties involved and what steps you must take to make your marketplace comply with it.

WHAT IS GDPR?

GDPR, the General Data Protection Regulation (Regulation (EU) 2016/679), was proposed by the European Commission and adopted by the European Parliament and the Council of the European Union. It sets the rules under which personal data about people in the EU may be handled, both within the EU and by organizations in other countries that process such data.

EUGDPR.org says GDPR is “designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens data privacy and to reshape the way organizations across the region approach data privacy.”

The main aim of this law is to give control over personal data back to the citizens and residents of the European Union. In force since 25 May 2018, the GDPR brought in game-changing rules in the field of data privacy regulation.

WHO DOES THE GDPR APPLY TO?

Personal data that was already held on 25 May 2018 had to comply from that date, not only data collected afterwards. Although the GDPR is an EU law, it applies to any company that processes the personal data of people in the EU, wherever that company is based. So even a US or Asian company is subject to the GDPR if it handles the personal data of people in the EU. To make this clearer, have a look at the following examples:

  • Walter White is an online entrepreneur based in the European Union. Because his business is established in the EU, he needs to comply with the GDPR across his business, even when he collects data from someone in the US.
  • Jesse Pinkman is another entrepreneur/marketer, based in the US but collecting data from someone in the EU. He too has to comply with the GDPR.

HOW THE DATA SUBJECT, CONTROLLER & PROCESSOR ARE DEFINED

  1. The Data Subject: The customer, user, employee or anyone for that matter providing personal data.
  2. The Data Controller: The companies/ organizations offering services or goods that will state how and why personal data is used and is responsible for the safe storage and use of the data collected from the Data Subjects.
  3. The Data Processor: Organizations that store, digitize, and catalog data on behalf of the Data Controllers. Examples are third-party suppliers such as hosting providers, ERP systems and email marketing services like MailChimp.

Understanding GDPR and Its Impact on Marketplaces

The GDPR has a significant impact on ecommerce businesses, and on marketplaces in particular. It applies to any organization processing the personal data of individuals in the EU, regardless of where the company is located, and aims to give those individuals greater control over their personal data and to reshape how organizations handle data privacy. Its key components are the principles of data processing, accountability, data subject rights, and the requirements for valid consent. For a marketplace this means implementing robust data protection measures and having a lawful basis for every processing activity; where consent is the basis relied on, it must be freely given, specific, informed and unambiguous, and obtained before the data is collected. Failure to comply can result in fines of up to €20 million or 4% of a company's annual global turnover, whichever is higher. To stay compliant, marketplaces must adapt their data collection practices, implement security measures, and be prepared to facilitate data subject rights.

How GDPR Impacts Marketing

GDPR has a significant impact on marketing practices, primarily through stricter rules on data collection and consent. Marketers must obtain explicit consent from individuals before collecting, storing, or using their personal data for marketing purposes. This means no more pre-ticked boxes or implied consent; individuals must actively opt-in. Additionally, marketers must clearly explain how they will use the data and provide options for individuals to withdraw consent at any time.

GDPR also emphasizes transparency and accountability. Marketers need to provide clear privacy policies and ensure they only collect the data necessary for specific marketing activities. Data subjects have the right to access, correct, and delete their personal data, which means marketers must have processes in place to comply with these requests promptly. Non-compliance with GDPR can result in hefty fines, so it’s essential for marketers to integrate these regulations into their strategies to build trust and avoid legal issues.

THE EXTENT OF THE PENALTIES

GDPR enforces strict penalties to ensure companies take data protection seriously. A company that does not comply can be fined up to 4% of its annual global turnover or €20 million, whichever is higher. The penalties are designed to be significant enough to encourage compliance and to reflect the importance of protecting personal data.

The fines are tiered. The lower tier (up to €10 million or 2% of annual global turnover) covers breaches of the obligations placed on controllers and processors, such as security of processing, record keeping and breach notification. The upper tier (up to €20 million or 4%) covers breaches of the basic processing principles, the lawful basis for processing, data subjects' rights and the rules on international transfers. Within a tier, the amount depends on factors such as the nature, gravity and duration of the infringement, the number of data subjects affected and the categories of data involved. This structure ensures that all organizations, regardless of size, have a strong incentive to comply with GDPR.

Examples of such penalties:

Google (France): In January 2019, the French data protection authority (CNIL) fined Google €50 million for GDPR violations. The fine was due to Google’s lack of transparency, inadequate information, and failure to obtain valid consent for personalized advertising.

British Airways (UK): In October 2020, the UK Information Commissioner’s Office (ICO) fined British Airways £20 million (reduced from an initial proposal of £183 million) for a data breach that compromised the personal information of over 400,000 customers due to insufficient security measures.

WHAT MUST YOUR COMPANY DO?

Communicate

Use simple language. Tell users who you are when you request the data, why you are processing it, how long it will be stored and who receives it. Google, for example, emailed its users to notify them of the changes to its Privacy Policy.

  • Take their consent: get clear, affirmative consent before processing data on that basis. For online services offered to children, check the age below which parental consent is required (16 under the GDPR, which member states may lower to no less than 13).
  • Give them access: let people see their data and take a copy of it with them.
  • Alert them: tell people about a data breach that is likely to put them at high risk, and notify your supervisory authority within 72 hours of becoming aware of a breach.
  • Give them the right to erase: delete their personal data when they ask, unless a legal obligation (for example, retaining invoices) requires you to keep it.
  • Give them the right to data portability: people have the right to receive their data in a structured, commonly used, machine-readable format and to transfer it between controllers (e.g., to move account details from one online platform to another).
  • Notify third parties regarding rectification, erasure or restriction: tell any third parties with whom you have shared the relevant data that the data subject has exercised those rights.
  • Respect objections and restrictions: people also have the right to object to processing (including direct marketing) and to have processing of their personal data restricted or suppressed.
  • Data transfers outside the EU: put a legal transfer mechanism in place (for example, the EU's Standard Contractual Clauses) before sending personal data to countries that do not hold an EU adequacy decision.
  • Consult your lawyer and Data Protection Officer: audit your site with the help of your lawyer and your appointed Data Protection Officer.
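The access, erasure and portability points above are things a marketplace has to be able to do on request, not just promise. WordPress ships privacy tools (Tools > Export Personal Data and Tools > Erase Personal Data) that only know about core data such as comments; any custom vendor data the marketplace stores has to be registered with them. The following is an added example, written for this page and not MultiVendorX's own code, that registers an exporter and an eraser for a hypothetical set of vendor user-meta fields. The meta keys, labels and the "retain the tax ID" rule are assumptions made for illustration; the WordPress filter and callback signatures are the real ones.

```php
<?php
/**
 * Added example (not MultiVendorX code): expose a marketplace's custom vendor
 * data to WordPress's built-in privacy tools so that access (Art. 15),
 * erasure (Art. 17) and portability (Art. 20) requests can be served from
 * Tools > Export Personal Data / Erase Personal Data.
 *
 * Assumptions (hypothetical): vendor details live in user meta under the keys
 * below. The key names are invented for this example.
 */

const EXAMPLE_VENDOR_META = array(
    'example_vendor_shop_name' => 'Shop name',
    'example_vendor_phone'     => 'Phone number',
    'example_vendor_tax_id'    => 'Tax ID',
    'example_vendor_iban'      => 'Payout account (IBAN)',
);

add_filter( 'wp_privacy_personal_data_exporters', function ( $exporters ) {
    $exporters['example-vendor-profile'] = array(
        'exporter_friendly_name' => __( 'Marketplace vendor profile', 'example' ),
        'callback'               => 'example_vendor_data_exporter',
    );
    return $exporters;
} );

add_filter( 'wp_privacy_personal_data_erasers', function ( $erasers ) {
    $erasers['example-vendor-profile'] = array(
        'eraser_friendly_name' => __( 'Marketplace vendor profile', 'example' ),
        'callback'             => 'example_vendor_data_eraser',
    );
    return $erasers;
} );

/**
 * Exporter callback. WordPress calls it with the e-mail address of the
 * requester (already verified by the confirmation link) and a page number;
 * it must return array( 'data' => [...], 'done' => bool ).
 */
function example_vendor_data_exporter( $email_address, $page = 1 ) {
    $user = get_user_by( 'email', $email_address );
    if ( ! $user ) {
        return array( 'data' => array(), 'done' => true );
    }

    $fields = array();
    foreach ( EXAMPLE_VENDOR_META as $meta_key => $label ) {
        $value = get_user_meta( $user->ID, $meta_key, true );
        if ( '' !== $value ) {
            $fields[] = array( 'name' => $label, 'value' => $value );
        }
    }

    $items = array();
    if ( $fields ) {
        $items[] = array(
            'group_id'    => 'example-vendor-profile',
            'group_label' => __( 'Vendor profile', 'example' ),
            'item_id'     => 'vendor-' . $user->ID,
            'data'        => $fields,
        );
    }
    // Everything fits in one page, so report completion on the first call.
    return array( 'data' => $items, 'done' => true );
}

/**
 * Eraser callback. Deletes what can be deleted and reports what is kept:
 * the tax ID is retained for the statutory accounting period (a legal
 * obligation overrides erasure under Art. 17(3)(b)), which is exactly the
 * kind of retention the Privacy Policy has to disclose.
 */
function example_vendor_data_eraser( $email_address, $page = 1 ) {
    $result = array(
        'items_removed'  => false,
        'items_retained' => false,
        'messages'       => array(),
        'done'           => true,
    );
    $user = get_user_by( 'email', $email_address );
    if ( ! $user ) {
        return $result;
    }

    $retain = array( 'example_vendor_tax_id' ); // assumed statutory retention
    foreach ( array_keys( EXAMPLE_VENDOR_META ) as $meta_key ) {
        if ( in_array( $meta_key, $retain, true ) ) {
            if ( '' !== get_user_meta( $user->ID, $meta_key, true ) ) {
                $result['items_retained'] = true;
            }
            continue;
        }
        if ( delete_user_meta( $user->ID, $meta_key ) ) {
            $result['items_removed'] = true;
        }
    }
    if ( $result['items_retained'] ) {
        $result['messages'][] = __( 'Tax ID retained for the legally required accounting period.', 'example' );
    }
    return $result;
}
```

The exporter gives the requester a machine-readable copy of exactly the fields the Privacy Policy says are collected, which is the portability right in practice; the eraser's `messages` array is what WordPress reports back when the erasure request is fulfilled, so anything you retain on a legal basis is stated to the data subject rather than silently kept.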

Things to do to ensure GDPR compliance in your Online Marketplace.

  • Terms and Conditions page – If you didn't have a T&C page, you definitely need one now, together with a checkout checkbox that users must tick themselves (it must not be checked by default). Amend your T&C page to reflect GDPR terminology and the collection of customer data on the checkout page.
  • Privacy Policy page – The page that requires the most attention right now is your Privacy Policy. Here the user must be told how their data is processed: how it is collected, how it is stored and what it is used for. As with the T&C page, ask users to tick a checkbox confirming that they have read and agree to the privacy policy.

    Pro tip: Go through the Privacy policy pages of reliable e-commerce websites and observe how they are approaching the  GDPR rules.

    An overview of the points that you can’t miss while revising your Privacy policy page:

    1. Who you are (your address, etc)
    2. What data you collect (Name, email, phone, address, IP addresses, etc)
    3. For what reason you collect the data (invoicing, tracking, email communication, etc)
    4. For how long you retain it (e.g. you keep invoices for 5 years for accounting purposes)
    5. Which third parties receive it (Google, CRM, MailChimp, etc)
    6. How to delete data (either automatically or by emailing the Data Protection Officer)
    7. How to get in touch with you for data-related issues.

  • Customer Registration – Collect only the information you strictly need from the user (data minimization). Be extra cautious here, since every field is personal data. Add a Privacy Policy checkbox to the registration form as well.
  • Vendor Registration – MultiVendorX lets you create a customizable vendor registration form. Here too, collect only the most necessary information from the vendor, and add a Privacy Policy checkbox as on the customer registration form.
  • Plugins – Some plugins, such as cart abandonment plugins, capture a shopper's email address without their consent, which is against the GDPR rules. If you use such a plugin, add its provider to the list of "third parties" that receive user data in your Privacy Policy, and check or ask the plugin developers how they implement GDPR compliance.
  • Product Reviews and Comments – Product reviews matter for every online store. If you allow non-logged-in users to leave a review on your site, add the privacy policy checkbox to the product review form; alternatively, change the settings so that only verified users can leave a review. Follow a similar approach for the Comments section.
  • Send a re-permission email to your existing list – If you previously obtained consent from your contacts in a way that already meets the GDPR standard, there is no need to ask for their permission again. If you would like a fresh record of consent to demonstrate compliance with the new rules, send a re-permission email to your list.
  • Be aware of special category data – Special category data is personal information the GDPR treats as particularly sensitive and gives extra protection: racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data used to identify a person, health data, and data about sex life or sexual orientation. To process it you need not only a lawful basis under Article 6 but also one of the ten specific conditions in Article 9(2). Handling this data carries greater risks to people's fundamental rights and freedoms, so before you start processing, identify which condition applies to your situation and document your justification.
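For the registration checkboxes described in this list, here is how the customer side can be implemented on a WooCommerce store. This is an added example and not MultiVendorX's own implementation; the field name, meta keys and policy-version constant are invented for it, while the WooCommerce hooks are the real ones. The points it is built around: the box is rendered unticked, the check is enforced on the server (the browser's `required` attribute is a convenience, not a control, since the request can be crafted without it), and consent is recorded together with a policy version so that the controller can demonstrate it later (Art. 7(1)) and a re-permission email can target only the users who agreed to an older version.

```php
<?php
/**
 * Added example (not MultiVendorX code): an unticked, required privacy-policy
 * checkbox on the WooCommerce customer registration form, validated on the
 * server, with a consent record stored on the new account.
 *
 * Assumptions (hypothetical): the field name, the meta keys and the policy
 * version constant below are invented for this example.
 */

const EXAMPLE_PRIVACY_FIELD          = 'example_privacy_consent';
const EXAMPLE_PRIVACY_POLICY_VERSION = '2024-09-24'; // bump when the policy text changes

// 1. Render the checkbox inside the WooCommerce registration form.
//    Deliberately no 'checked' attribute: a pre-ticked box is not valid consent.
add_action( 'woocommerce_register_form', function () {
    $policy_url = esc_url( get_privacy_policy_url() ); // page set under Settings > Privacy
    ?>
    <p class="form-row">
        <label for="<?php echo esc_attr( EXAMPLE_PRIVACY_FIELD ); ?>">
            <input type="checkbox" name="<?php echo esc_attr( EXAMPLE_PRIVACY_FIELD ); ?>"
                   id="<?php echo esc_attr( EXAMPLE_PRIVACY_FIELD ); ?>" value="1" required />
            <?php
            printf(
                /* translators: %s: link to the privacy policy */
                esc_html__( 'I have read and agree to the %s.', 'example' ),
                '<a href="' . $policy_url . '" target="_blank" rel="noopener">'
                    . esc_html__( 'privacy policy', 'example' ) . '</a>'
            );
            ?>
        </label>
    </p>
    <?php
} );

// 2. Reject the registration on the server when the box was not ticked.
//    WooCommerce has already verified its own registration nonce by this point,
//    so a forged or stripped POST still cannot get past this check.
add_action( 'woocommerce_register_post', function ( $username, $email, $validation_errors ) {
    if ( empty( $_POST[ EXAMPLE_PRIVACY_FIELD ] ) ) {
        $validation_errors->add(
            'example_privacy_consent_missing',
            __( 'Please accept the privacy policy to create an account.', 'example' )
        );
    }
}, 10, 3 );

// 3. Record what was consented to, and when, on the new account.
//    Storing the policy version (not the policy text) lets a later
//    re-permission campaign target exactly the users who agreed to an older one.
add_action( 'woocommerce_created_customer', function ( $customer_id ) {
    if ( ! empty( $_POST[ EXAMPLE_PRIVACY_FIELD ] ) ) {
        update_user_meta( $customer_id, 'example_privacy_consent_at', time() );
        update_user_meta( $customer_id, 'example_privacy_consent_version', EXAMPLE_PRIVACY_POLICY_VERSION );
    }
} );

/**
 * Helper for the re-permission step: true when the user consented to the
 * current policy version, false when consent is missing or was given to an
 * older version and should be asked for again.
 */
function example_user_has_current_consent( $user_id ) {
    return get_user_meta( $user_id, 'example_privacy_consent_version', true ) === EXAMPLE_PRIVACY_POLICY_VERSION;
}
```

The same three-step pattern (render unticked, validate server-side, record the consent event) applies to the vendor registration form and to the product review form for non-logged-in users; only the hooks differ.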

Conclusion

GDPR compliance has a significant impact on how online marketplaces handle customer data. This guide has explored the key steps to ensure GDPR compliance, including conducting data audits, implementing clear privacy policies, and setting up robust data protection measures. It has also highlighted the importance of respecting user rights and managing data effectively to build trust with customers.

For ecommerce businesses, GDPR compliance is not just about avoiding penalties but also about creating a trustworthy environment for customers. By following the steps outlined in this guide, marketplaces can navigate the complexities of data protection regulations and strengthen their relationships with users. This approach not only helps to meet legal requirements but also positions businesses as responsible stewards of customer data in the digital marketplace.

FAQs

Q: How can I ensure my business complies with GDPR?
A: To make your business GDPR compliant, you may need to appoint a Data Protection Officer depending on your data processing scale and risk. Familiarize yourself with GDPR requirements, conduct an information audit, determine your lawful basis for processing data, and implement necessary processes. Establish thorough documentation and ensure your team is trained on GDPR policies.

Q: What are the requirements for making forms GDPR compliant?
A: To ensure forms are GDPR compliant, avoid using pre-ticked boxes as consent must be explicitly given. Use clear, straightforward language to explain what users are consenting to. Do not bundle multiple consents together, and always provide an easy option for users to withdraw their consent.

Q: What steps should I take to make my website GDPR compliant?
A: Start by assessing your current GDPR compliance status. Include explicit requests for permission where necessary, and clearly inform users about what data you collect on your site. Review and manage any third-party apps, plug-ins, or tools for compliance. Ensure there are avenues for users to contact you, update your data security measures, and develop comprehensive GDPR policies.

Q: Is GDPR compliance necessary for my US-based website?
A: If your US website collects data from people in the EU, such as through sign-ups or other forms of data input, GDPR compliance is required. This applies even if the data is processed or stored via third-party services like email marketing tools or customer relationship management systems.
