What does GDPR mean for B2B Ecommerce
Since the 25th of May, 2018, all businesses that collect and store personal data of EU citizens have to comply with General Data Privacy Regulation (GDPR). These are a set of regulations put in place to protect identity rights of its citizens.
One of the common misconceptions of GDPR is that if a company caters to businesses, not to individuals, GDPR doesn’t come into the conversation. In fact any person being contacted by a company from a customer’s perspective is protected by GDPR, and B2B marketers should take it into account when using collected customer data for a campaign.
GDPR applies to all companies worldwide and if a company finds itself noncompliant with it they can find themselves with a fine of up to €20 million or 4% of your annual revenue. For example, the day after GDPR came into effect, Facebook, Instagram, WhatsApp, and Google were hit with $8.8 billion in GDPR lawsuits, from four European countries.
Some companies such as the Los Angeles Times and Chicago Tribune could not get themselves in a place to be GDPR compliant and therefore temporarily blocked EU citizens from their platforms.
GDPR rules cover any data that can be considered personal. For example:
Credit card numbers
According to Microsoft there are 4 steps to ensuring compliance with GDPR going forward:
Discover – Identify personal data and where it resides
Manage – Govern how personal data is used and accessed
Protect – Establish security protocols to prevent, detect and respond to data breaches
Report – Address data requests and keep reports
- Evaluate consent given for every piece of this data for each particular purpose. For example, if a customer’s representative gave their email address to download a white paper from your website, under GDPR that does not mean that you can send them emails about your products. If you want to do so, you will have to ask for consent explicitly.
If a user wants a company to stop using their data, the company has to comply and the customer should be informed about it at the first point of contact. If a user tells you they do not want to receive email from you anymore, don’t send them another email asking them to reconsider – this would be a violation of GDPR.
Cookies are also treated as personal data, so a company has to ask for the visitor’s permission to use them on the site.
Privacy policies have to be rewritten to explain new rules and capabilities.
In the opt-in box, the consent to become a member of an emailing list, now may not be checked in advance.
Companies with more than 250 employees will have to have a Data Protection Officer responsible for any data breaches.
So there you have it, for the people who are not sure on the right steps to ensuring they aren’t in breach of GDPR. If you are unsure, please feel free to reach out to us.