The first paragraph of a new report from the National Retail Federation and EuroCommerce is grim: “The General Data Protection Regulation (GDPR) sets out changes to almost every area of customer data processing. Retailers with storefronts, websites, mobile apps or other digital platforms through which they serve customers face new compliance standards, additional administrative burdens and liability for violations, as well as more stringent enforcement and penalties.”
GDPR was created by regulators in Europe concerned about how companies have collected data online about their citizens, but it very much targets all companies inside and outside of the European Union – if there’s any chance someone living in the EU so much as visits your website, you must comply, according to the legislation.
NRF President and CEO Matt Shay said, “These are European rules but they have significant implications for many U.S. retailers.”
However, many US-based sellers and businesses, especially small businesses, are unaware of GDPR, never mind that it applies to them. The EU expects companies here to comply, but it isn’t clear how it expected them to know that.
Tech publication The Verge explained the complexity in its May 22nd article, “No one’s ready for GDPR,” published three days before the rules take effect. EU regulators seem to have created a monster – a very stressful and expensive one, at that.
Among the challenges for companies, The Verge explains:
“But perhaps the GDPR requirement that has everyone tearing their hair out the most is the data subject access request. EU residents have the right to request access to review personal information gathered by companies. Those users – called “data subjects” in GDPR parlance – can ask for their information to be deleted, to be corrected if it’s incorrect, and even get delivered to them in a portable form. But that data might be on five different servers and in god knows how many formats.”
But not so fast. The National Retail Federation (NRF) points out “due to the transactional nature of product purchase data, retailers must continue to maintain records of goods purchased by their customers.”
The NRF and EuroCommerce report further notes, “Erasing transactional data necessary to prevent fraud or reconcile card transactions, or to permit customers to return or exchange products, would frustrate customer expectations. It would also harm customers who could not later obtain a refund for unwanted products, or who could not exchange a product to maintain its value to the customer (e.g., exchange clothing so it is the right size).”
“Staggeringly complex” and “ambiguous,” The Verge calls GDPR, and quotes an expert who says absolute compliance may not even be possible.
Even European regulators aren’t prepared: “Seventeen of 24 European regulators surveyed by Reuters earlier this month said they weren’t ready for the new law to come into effect because they didn’t yet have the funding or the legal powers to fulfill their duties,” according to The Verge.
Another stumbling block for small sellers and others: no one wants to offer advice on how to comply because of uncertainty around GDPR, and fear of liability.
Sellers may wish to do what many companies are doing: adding “cookie banners” to their websites and rewriting their privacy policies to comply with GDPR. Service providers such as email list-hosting services and ecommerce and publishing platforms are creating tools to help their customers comply.
Even if you don’t operate in or market to Europeans, many of the services you use do, and many feel pressured to ensure their business customers are also in compliance.
While some lawyers, consultants, and vendors are making big bucks advising companies on GDPR compliance issues, PayPal told small businesses in the UK not to panic: “There have been some scare stories in the media but the reality is that the GDPR and the ICO are there to help you do the right thing for your customers and others whose personal data you hold.” But that doesn’t let you off the hook from doing your homework.
A few resources that may be helpful in your research:
GDPR for smaller organisations (PayPal)
GDPR: What Small U.S. Craft Businesses Need to Know (Craft Industry Alliance)
Helping publishers and advertisers with consent (Google)