A Seller’s Guide to the GDPR
The GDPR, or General Data Protection Regulation, is set to go into effect on May 25th — but few US-based e-commerce business owners seem concerned about it. The GDPR is a European law, but it’s essential for US sellers to understand what exactly it means for overall data privacy online. The upcoming changes mark the expansion of General Data Privacy Regulations worldwide. This means that any seller who interacts with customers in the EU needs to be aware of the changes and the potential penalties.
Take note of your email inbox over the past few days: notice anything different? Most likely, there will be some emails in there stating that you’ll need to opt in if you want to keep receiving emails from a specific company or brand. These companies are preparing for enforcement of the GDPR outside of the EU. Overall, the GDPR outlines the rights your online customers have regarding data, personal privacy, and how companies use the data they submit.
How to Prepare for GDPR Enforcement
So what exactly should Amazon sellers be doing right now to prepare for the GDPR? It’s important to learn what exactly this data protection policy entails and what makes it a key law for Amazon sellers. Below are a few quick points regarding the GDPR’s intention and why it matters for international sellers:
- The EU chose to implement this regulation to better protect the privacy of its citizens. It will go into effect on May 25th, 2018 – three days from now.
- GDPR will now apply in all countries – not just to European sellers. The GDPR law is based in Europe, but its reach expands worldwide as of 5/25/2018. The new regulations specifically apply to international e-commerce business owners who sell in Europe. Amazon sellers who use global fulfillment services and interact with customers in the EU need to know about the GDPR. More importantly, sellers need to know how to comply with this new law, and they need to understand the repercussions of practices that are less than compliant.
- According to the official statement, the GDPR applies to “the processing of personal data by controllers and processors in the EU, regardless of whether the processing takes place in the EU or not. The GDPR will also apply to the processing of personal data of data subjects in the EU by a controller or processor not established in the EU, where the activities relate to: offering goods or services to EU citizens (irrespective of whether payment is required).”
- The industries most impacted by the GDPR are listed as e-commerce, hospitality, software providers and travel. In a recent release, CNN offers a great explanation of exactly who is impacted by GDPR, what data may be collected, and which companies are already falling behind.
Key Terms and Updates
Here is the official GDPR statement from the EU government:
The GDPR concerns all companies which process personal data of citizens (‘data subjects’) who reside in the EU, regardless of where these companies (the ‘data processors’ and ‘data controllers’) are located.
When the processing of personal data of EU data subjects is done by a controller or processor that is not present in the EU, the GDPR applies in activities related to offering goods or services to EU citizens (free and paying services) and behavior monitoring of EU data subjects. Moreover, a non-EU company which processes the data of EU citizens needs to appoint a representative in the EU.
Defining Data: “Data” is a broadly defined term and includes your buyers’ names, addresses, and even their IP addresses. Sellers are responsible for keeping all of this information confidential and private.
Amazon Advertising: Sellers who use Sponsored Products and other Amazon Marketing Services must be especially aware of the GDPR changes. Double opt-in consent forms must now be used in order to utilize a buyer’s data for any reason.
AWS: Amazon Web Services users must be especially cautious regarding the GDPR changes. More information about AWS and GDPR can be found on the AWS website.
Penalties for GDPR Breaches: Failure to comply with the enhanced data privacy law may result in fines of up to €20 million per year, or 4 percent of annual sales from the previous year for sellers.