Share this article

Omnichannel commerce | Data

An Intro to GDPR

Image: The EU flag with GDPR lettering
If you number EU citizens among your customers, you need to get compliant

The EU General Data Protection Regulation (GDPR) goes into effect on 25 May 2018. If yours is a large business based in the EU, you have hopefully been working toward compliance throughout the past two years, since the EU Parliament approved of the changes. But the GDPR also affects smaller organisations and businesses outside the EU that sell to or otherwise handle the data of EU citizens. The fines for noncompliance can be steep: up to 4% of the company's annual global turnover or €20 million, whichever is greater. And as technology compliance and security firm TrustArc notes in its "Essential Guide to the GDPR," the fine does not take into consideration "any loss of business, loss of brand trust, loss of goodwill that may come along with noncompliance violations, or internal/external legal fees associated with responding to an inquiry."


Below are the GDPR's most critical changes. These are not the only elements of the GDPR that you need to comply with, but they give you a sense of what you need to do—or if you've already taken these steps, they give you the opportunity to pat yourself on the back for a moment.



Organisations need to present thorough, easily understandable fair-processing notices.

These expanded privacy statements must be easily accessible to consumers—no jargon or legalese, and no hiding them in the depths of your website. A compliant fair-processing notice states:


• What information is being collected

• Who is collecting it

• How it is being collected (Via cookies? By using algorithms to analyse data gathered via social media? IP targeting?)

• How the data will be used

• With whom the information will be shared

• How any and all of the above might affect the individual

• Whether the intended use might cause anyone to object or complain


Except for charging a fee for inquiries regarding which data it holds (under the GDPR, EU citizens have the right to ask free of charge), the privacy policy of Marks & Spencer appears to not only already comply with GDPR but to exceed the requirements—for instance, it details how the company protects data. If you're looking for a template, this statement is one to consider.



To obtain consent, organisations must ask EU citizens to explicitly opt in, rather than require them to opt out.

For instance, when presenting consumers the option to receive email from your company, the opt-in box next to "Subscribe to emails" must be blank so that the individual must act, by ticking the box, in order to subscribe. Having the box automatically ticked, required the individual to act in order to opt out, is not GDPR compliant.


What's more, one blanket opt-in is unacceptable. Say an individual submits his email address in order to download a white paper. If you want to subsequently email him sales promotions, you need to ask permission to do so. Organisations must allow individuals to pick and choose which methods of contact or data usage they are consenting to. The Information Commissioner's Office (ICO) has a useful example.



EU citizens can ask for information regarding which data a business has about them, where the data are stored, and how the data are used.

What's more, an organisation must respond within one month, and it cannot charge a fee for the information. Therefore, your company needs to have a thorough data taxonomy in place. "Organisations must map all incoming and outgoing data flows with customers, vendors, subcontractors, and government agencies," explained attorney Jim Varghese in a blog post for legal website UpCounsel. Furthermore, "companies cannot be compliant with GDPR if they exchange data with noncompliant organisations."



EU citizens can revoke any data consents and permissions they previously granted an organisation, and they have the "right to be forgotten."

In other words, they can ask a company to delete any data concerning them, and they can opt out of any communications at any time. Again, organization must comply with any requests within one month.



Upon becoming aware of a security breach involving EU citizens' personal data, an organisation has 72 hours to notify those who might be affected.

This is just one reason you want to minimise risk and exposure by "holding and processing as little sensitive data as necessary, and limiting data access," according to enterprise information management firm OpenText in its white paper "GDPR Compliance: Preparing Your Organization." Holding onto data only for as long as necessary and making it accessible to as few individuals, servers, and systems as possible are longstanding best data practices, of course.


Your company should also prepare templates for notifying regulatory bodies, individuals, vendors, consumer reporting agencies, and any other parties that would need to be contacted in the event of a breach.


We can't emphasize enough that 1) these are only a few of the components of the GDPR and 2) this article should not be considered legal advice. If you haven't already, you should contact your legal team, data specialists, and any pertinent suppliers or partners. Below are a few additional sources for information:



Direct Marketing Association (UK)
Direct Marketing Association (U.S.)
EU General Data Protection Regulation Portal
European Commission: Data Protection
Federation of European Direct and Interactive Marketing (FEDMA)



author: Zilan Yuan

Zilan Yuan

Zilan Yuan is a freelance writer specializing in marketing and design and editorial assistant of Your Commerce.


Share this article