[This post doesn’t constitute legal advice. If you want advice on what your business needs to do to be GDPR compliant, you should consult a lawyer.]
The General Data Protection Regulation (GDPR) is a data privacy law in the European Union that protects EU individuals’ personal data. It comes into effect on May 25th, 2018, and it’s going to impact all businesses that operate in or have ties to the EU.
Why should you care? Because you don’t have to be located in the EU to fall under this regulation. Even if you’re a US-based business, you need to pay attention to the GDPR if you have customers in the EU.
These are sweeping new regulations, so do your part as a business owner to stay informed. Start your research with this post! It goes over what exactly the GDPR is, how it affects online stores, and what we’re doing at Printful to protect your data.
What are the main elements of the GDPR?
The main goal of the GDPR is to foster trust between consumers and businesses. It gives EU citizens (referred to as data subjects) more control over how their personal data is used. And it requires that businesses are transparent about how they use collected data.
In the context of GDPR, personal data refers to any information that can be traced to an identifiable person. That can include their name, email address, IP address, etc.
The GDPR comprises a long list of rules and regulations. Its legalese doesn’t exactly make for the most exciting read, so we broke down its basic principles.
Under the GDPR, data subjects are granted:
- The right of access, which means data subjects have the right to know how their data is being used. Businesses need to provide this information upon request.
- The right to data transfer, which means data subjects have the right to transfer data from one company to another.
- The right to be forgotten, which means that if a data subject wants all of their personal data erased, businesses must comply.
Under the GDPR, businesses must:
- Disclose and report data breaches within 72 hours.
- Appoint a data protection officer if they handle a substantial amount of data.
- Take reasonable steps to keep data secure.
- Collect only the minimum amount of data needed for their service to function.
- Obtain explicit consent from data subjects before collecting personal data.
The GDPR will push all companies with business activity in the EU to think more carefully about their customers, their privacy, and overall user experience. They need to obtain consent from their data subjects and be transparent about how personal data is used.
These are the strictest privacy regulations in the world, and the penalties are steep. Businesses that don’t comply can be fined up to €20 million or 4% of their global revenue, whichever is greater.
Why is the GDPR being implemented?
The European Commission believes that maintaining higher standards across the continent – and building trust with consumers – will help grow the digital economy in the long run.
The right to privacy is extremely important in Europe. The first data protection law was passed in Sweden in the 1970s. Europe has had some form of privacy law in place since then. The most comprehensive privacy law up until now was passed in 1995 – the European Data Protection Directive.
Because the digital economy has grown and the means of data collection and processing have changed drastically since 1995, the European Commission concluded that it was time for an updated privacy law that fits today’s digital landscape.
The GDPR is the strictest, most comprehensive privacy regulation in existence today. We don’t know its full impact yet, but chances are it will set the bar high for other countries to follow.
What does the GDPR mean for online stores?
Even if you’re not physically operating your business in the EU, the GDPR affects your online store if you have customers in the EU. That’s because you’re handling the data of EU citizens and you’re responsible for keeping it safe.
You should talk to a lawyer to learn specifically what your business needs to do to comply with the GDPR.
And if you don’t have any customers in the EU?
It’s still a good idea to take an interest in the GDPR. These are the world’s strictest privacy regulations, so complying with them signals to your customers all over the world that their data is safe. Knowing that you take their privacy seriously helps build trust with your customers.
What is Printful doing to prepare?
Printful has always taken data security seriously. Now with the GDPR, we’re implementing more internal policies and security measures to comply. Here’s what we’ve been up to:
- We hired a Data Protection Officer to join our team.
- We implemented new security measures.
- We trained all of our departments on GDPR compliance.
We’re also upholding the same security standards for all of our customers, whether they’re located in the EU or elsewhere.
Be ready for the GDPR
The GDPR is coming fast – it’ll be here before you know it. So it’s time to plan what your business needs to be compliant. Remember, even if you’re not physically located in the EU, the GDPR applies to you if you have customers there. Talk to a lawyer to learn your specific obligations!