Everything you need to know to make your Marketplace GDPR compliant

Set to be enforced from 25th May, GDPR brings in game-changing rules in the field of data privacy regulation. This blog tells you everything you need to know to make your e-Marketplace GDPR compliant.

“Data is the new oil.”

This phrase has been floating around the web for quite a while now. If we go by it, a resource this valuable certainly has to be well protected, and that is where GDPR comes into action.

Let’s begin with a quick disclaimer. This blog post is not legal advice and is for informational and/or educational purposes only. By the end of this post, you will get to know what GDPR is, whether it applies to your organization or not, the penalties involved and what steps you must take to make your marketplace comply with it.

WHAT IS GDPR?

GDPR, or the General Data Protection Regulation, is a regulation spearheaded by the three legislative European Union institutions: the European Parliament, the European Commission and the Council of the European Union. It determines the ways personal data about EU citizens can be handled, both within the EU and in other countries outside it.

EUGDPR.org says GDPR is “designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens data privacy and to reshape the way organizations across the region approach data privacy.”

The main aim of this law is to give the control of the data back to the citizens and residents of the European Union. Set to be enforced from 25th May 2018, GDPR brings in game-changing rules in the field of data privacy regulation. 

WHO DOES THE GDPR APPLY TO?

Data collected and processed both before and after May 25th, 2018 will have to comply with the new regulation. Even though the General Data Protection Regulation is an EU law, it applies to any company that processes personal data from the EU. This means that even if you’re a US or Asian company, you can still be subject to the GDPR as long as you handle the personal data of anyone from the EU. To make this clearer, have a look at the following examples:

  • Walter White is an online entrepreneur based in the European Union. So he needs to comply with the GDPR across his business, even though he is collecting data from someone in the US.
  • Jesse Pinkman is another entrepreneur/marketer based in the US but collecting data from someone in the EU. He too has to comply with the GDPR.

HOW THE DATA SUBJECT, CONTROLLER & PROCESSOR ARE DEFINED

  1. The Data Subject: The customer, user, employee or anyone for that matter providing personal data.
  2. The Data Controller: The company or organization offering services or goods. It states how and why personal data is used and is responsible for the safe storage and use of the data collected from the Data Subjects.
  3. The Data Processor: Organisations that store, digitize and catalog data on behalf of the Data Controllers. For example, third-party suppliers such as ERP systems and email marketing services like MailChimp.

How GDPR Impacts Marketing

GDPR has a significant impact on marketing practices, primarily through stricter rules on data collection and consent. Marketers must obtain explicit consent from individuals before collecting, storing, or using their personal data for marketing purposes. This means no more pre-ticked boxes or implied consent; individuals must actively opt-in. Additionally, marketers must clearly explain how they will use the data and provide options for individuals to withdraw consent at any time.

GDPR also emphasizes transparency and accountability. Marketers need to provide clear privacy policies and ensure they only collect the data necessary for specific marketing activities. Data subjects have the right to access, correct, and delete their personal data, which means marketers must have processes in place to comply with these requests promptly. Non-compliance with GDPR can result in hefty fines, so it’s essential for marketers to integrate these regulations into their strategies to build trust and avoid legal issues.

THE EXTENT OF THE PENALTIES

GDPR enforces strict penalties to ensure companies take data protection seriously. If a company doesn’t comply, they can face fines of up to 4% of their annual global revenue or 20 million Euros, whichever is higher. The penalties are designed to be significant enough to encourage compliance and reflect the importance of protecting personal data.

The fines are tiered, meaning they vary depending on the severity of the violation. For less serious breaches, the fines are lower, but for major violations, especially those involving large amounts of data or sensitive information, the penalties can reach the maximum limits. This structure ensures that all organizations, regardless of size, have a strong incentive to comply with GDPR.

Examples of such penalties:

Google (France): In January 2019, the French data protection authority (CNIL) fined Google €50 million for GDPR violations. The fine was due to Google’s lack of transparency, inadequate information, and failure to obtain valid consent for personalized advertising.

British Airways (UK): In October 2020, the UK Information Commissioner’s Office (ICO) fined British Airways £20 million (reduced from an initial proposal of £183 million) for a data breach that compromised the personal information of over 400,000 customers due to insufficient security measures.

WHAT MUST YOUR COMPANY DO?

Communicate

Use simple language. Tell users who you are when you request the data. Say why you are processing their data, how long it will be stored and who receives it.

Google emailed its users to notify them of the changes to its Privacy Policy.

  • Take their consent – Get their clear consent to process the data. When collecting data from children for social media, check the age limit for parental consent.
  • Give them access – Let people access their data and take it with them.
  • Alert them – Let them know if data breaches occur.
  • Give them the right to erase – Erase their personal data if they ask you to do so.
  • Give them the right to data portability – People have the right to transfer their personal data between controllers (e.g., to move account details from one online platform to another).
  • Notify third parties regarding rectification, erasure or restriction – Notify any third parties with whom you have shared the relevant data that the data subject has exercised those rights.
  • Do not track – GDPR also stipulates that people have a right to ‘block’ or suppress processing of personal data.
  • Data transfer outside the EU – Make legal arrangements when you transfer data to countries that the EU authorities have not approved.
  • Consult your lawyer and Data Protection Officer – Audit your site with the help of your lawyer and your appointed Data Protection Officer.

Things to do to ensure GDPR compliance in your Online Marketplace

  • Terms and Conditions page – If you don’t have a T&C page, you definitely need one now, along with a checkout checkbox that users must tick themselves (it must not be “checked” by default). Amend your T&C page to reflect the new GDPR terminology and the gathering of customer data from the checkout page.
  • Privacy Policy Page – The page that requires the most attention right now is your Privacy Policy page. The user must be informed here of how the data is processed: how it is collected, stored and used. Just like the T&C page, users need to tick a checkbox here too to “agree” to the privacy policy.

    Pro tip: Go through the Privacy Policy pages of reliable e-commerce websites and observe how they are approaching the GDPR rules.

    An overview of the points that you can’t miss while revising your Privacy policy page:

    1. Who you are (your address, etc)
    2. What data you collect (Name, email, phone, address, IP addresses, etc)
    3. For what reason you collect the data (invoicing, tracking, email communication, etc)
    4. For how long you retain it (e.g. you keep invoices for 5 years for accounting purposes)
    5. Which third parties receive it (Google, CRM, MailChimp, etc)
    6. How to delete data (either automatically or by emailing the Data Protection Officer)
    7. How to get in touch with you for data-related issues.

  • Customer Registration – Collect only the information from the user that you strictly require. Be extra cautious, since you are collecting personal data here. Moreover, add a Privacy Policy checkbox to the registration form.
  • Vendor Registration – We at MultiVendorX allow you to create a customizable vendor registration form. Here too you should collect only the most necessary information from the vendor. Add a Privacy Policy checkbox similar to what we’ve done in the customer registration page.

  • Plugins – Certain plugins, such as cart abandonment plugins, collect users’ email addresses without their consent, which is against the GDPR rules. For such plugins, make sure to add them to the list of “third parties” that get access to user data in your Privacy Policy, and check with the plugin developers how they are going to implement GDPR compliance.
  • Product Reviews and Comments – Product reviews are important for all online stores. If you allow non-logged-in users to leave a review on your site, you need to add the privacy policy checkbox to the product review form. Alternatively, you can change the settings to allow only verified users to leave a review. Follow a similar approach for the comments section.
  • Send a re-permission email to your existing list – If you’ve previously obtained consent from your contacts in a manner that complies with the GDPR, there’s no need to ask for their permission again. But if you’d like a fresh record of consent to demonstrate that you’re in compliance with the new law, you can send a re-permission email to your list.
  • Be Aware of Special Category Data – Special category data is personal information that the GDPR deems particularly sensitive, requiring extra protection. This includes details about a person’s race, ethnic origin, religion, genetics, health, or sexual orientation. To process this type of data, you must not only identify a lawful basis but also meet a separate condition specifically for handling special category data.

    Handling this data comes with more significant risks to individuals’ fundamental rights and freedoms, so it’s crucial to treat it with extra care. The GDPR outlines 10 specific conditions for processing special category data. Before you begin processing, you must identify which condition applies to your situation and ensure you document your justification for processing this data.
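As an added example (not code from MultiVendorX or from the original post), the following WordPress snippet shows how the checkout consent checkbox described above can be enforced in WooCommerce: it renders unticked, is validated on the server so the order cannot be placed without it, and records on the order when consent was given and which policy text the customer saw, which is the evidence you need when a data subject or a regulator asks. The field name `privacy_consent` and the `_privacy_consent_*` meta keys are assumptions chosen for this example; the hooks and helper functions are standard WooCommerce and WordPress ones.

```php
<?php
/**
 * Added example: unticked-by-default Privacy Policy consent at WooCommerce checkout.
 * Hooks used are standard WooCommerce hooks; the field name (privacy_consent) and
 * the order meta keys (_privacy_consent_*) are chosen for this example.
 */

// 1. Render the checkbox just above the "Place order" button.
//    The value 0 keeps it unticked: pre-ticked boxes are not valid consent under GDPR.
add_action( 'woocommerce_review_order_before_submit', function () {
    woocommerce_form_field( 'privacy_consent', array(
        'type'     => 'checkbox',
        'class'    => array( 'privacy-consent' ),
        'label'    => sprintf(
            'I have read and agree to the <a href="%s" target="_blank">Privacy Policy</a>',
            esc_url( get_privacy_policy_url() )
        ),
        'required' => true,
        'default'  => 0,
    ), 0 );
} );

// 2. Validate on the server. A "required" attribute in the browser can be bypassed,
//    so the order is rejected here if the box was not ticked.
add_action( 'woocommerce_checkout_process', function () {
    if ( empty( $_POST['privacy_consent'] ) ) {
        wc_add_notice( 'You must agree to the Privacy Policy to place your order.', 'error' );
    }
} );

// 3. Record the consent on the order as it is created: when it was given and which
//    version of the policy page was live. GDPR requires the controller to be able to
//    demonstrate that consent was given (Art. 7(1)); this meta is that record.
add_action( 'woocommerce_checkout_create_order', function ( $order, $data ) {
    if ( empty( $_POST['privacy_consent'] ) ) {
        return;
    }
    $order->update_meta_data( '_privacy_consent_given', 'yes' );
    $order->update_meta_data( '_privacy_consent_time', gmdate( 'c' ) );
    // The policy page's last-modified time identifies which text the customer agreed to.
    $policy_id = (int) get_option( 'wp_page_for_privacy_policy' );
    if ( $policy_id ) {
        $order->update_meta_data( '_privacy_consent_policy_version', get_post_modified_time( 'c', true, $policy_id ) );
    }
}, 10, 2 );
```

WooCommerce already ships a separate Terms and Conditions checkbox (the "Terms and conditions" page setting), so this snippet covers only the Privacy Policy agreement the post calls for.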

Conclusion

It is the EU today; tomorrow it will be other geographies. So even if you are not from the EU, or you don’t deal with European customers for the time being, taking the necessary precautions can still be beneficial to prepare for GDPR-type legislation in the future.

How are you dealing with GDPR and what are the challenges you are facing? Let us know in the comment section below.
