OK... let's get the disclaimer out of the way for starters. We are not lawyers, we are ecommerce specialists. And so, nothing on this page represents legal advice in any way - if you need any legal advice please consult a lawyer.
We are sharing the information on this page in order to:
GDPR is the European Union's General Data Protection Regulation.
It is a regulation in EU law on data protection and privacy for everyone within the European Union and applies to all entities who handle any personal data, in any way, relating to people in the EU. Because of its nature, GDPR does not require national governments to pass any enabling legislation and so it is directly binding and applicable.
25th May 2018
Depending on the nature of the issue, fines can be up to €20 million or 4% of the annual global turnover of the previous year (whichever is the greater).
Regardless of where you are located, the question you have to answer is:
"Does your ecommerce store cater to customers anywhere in the European Union?"
If the answer is "yes" to that question then you need to comply with GDPR.
GDPR is law to protect everyone in the EU. So it doesn't matter where your store is located outside the EU, you must comply with GDPR if you handle any personal data, in any way, belonging to anyone in the EU.
GDPR applies to all personal data, no matter how it's stored.
You need to review all of the personal data that you hold about your customers and the visitors to your website.
That's all data - online and offline.
You need to decide whether there are good reasons for collecting all of it, and stop collecting anything that is not essential and/or justifiable.
You need to look at how you store the data securely, who has access to it, and how and when you destroy it (also securely).
You need documented procedures for all of this... and also documented procedures of what you will do in the event of a data breach.
No longer is the "by continuing to use this page you accept all of our cookies" message going to cut it (and in truth it never should have done anyway).
You need to make it as easy to withdraw consent to cookies as it is to give that consent.
And you have to allow people to change their mind too, so it must be easy for them to change their consents should they wish to whenever they visit your store in the future.
It's tricky... to put it mildly. We needed to find a solution for our ecommerce stores but we couldn't. So we've created our own and we're sharing it with you...
These lists are by no means exhaustive but they do cover the essence of what GDPR demands.
There's a huge amount of information available online about GDPR, but much of it is contradictory, consists of interpretations and/or opinions... or is trying to sell you a service!
In truth, very few people can be 100% certain as to exactly how GDPR will pan out, so the important thing is that you make sure you are taking the steps that, from your reading of the information, you believe you are required to take.
Many of the requirements are common-sense and best-practice and so, although they involve some work up front, they will stand you in good stead in the long-term.
General Information About GDPR
GDPR For Marketers
A Readable, "How-To" Guide from the Information Commissioner's Office in the UK