March 20, 2018
The EU's General Data Protection Regulation (GDPR) goes into effect on May 25th, 2018. It is already having a major impact on merchants who target the EU. We want to share best practices we have received from conversations across our industry.
Here are three ways merchants can prepare for GDPR:
1. Scrutinize Privacy Policies…And Whether Your Policies are Aligned with Reality
Transparency is at the core of what regulators care about. Merchants should, in a nutshell, do what they say and say what they do. Merchants should be communicating to customers in clear, concise and specific language that any layman can understand quickly. Think logic, not legalese. Privacy policies are often treated as set-it-and-forget-it. With GDPR, merchants need to examine not only their privacy policies but their behavior as well, and make sure those policies match behavior.
Regulators also care deeply about protecting the privacy of minors. If your potential audience includes minors, all of the above applies, but it’s magnified. Merchants must take extra care that their policies and behavior follow both GDPR requirements and country-specific rules based on the residency of the individual. This is an area around which merchants can definitely expect increased scrutiny.
2. Be Sure to Keep Thorough Documentation
GDPR is complicated, and many of the details around the regulations are still being developed. Nevertheless, being able to demonstrate diligent, authentic, and earnest effort to comply with GDPR and the spirit behind it will be critical. Think documentation. Big technology players like Facebook and Google are not the only businesses that may face private-sector complaints and public-sector enforcement. The more merchants can show they operate as they say they do, and demonstrate a healthy respect for the privacy and will of their customers, the better off they will be.
3. Comply Even If Your Business is Not Based in the EU
The internet is global. If you are a global business or have ambitions of a globally scalable product or service, you need to comply. In other words, as a practical matter, all of your data processes and disclosures to customers globally will need to be compliant with these EU regulations. It’s hard to imagine a global business, even with a small EU presence, building two versions of a product or service it intends to scale globally.