European consumers have relied on the Data Protection Directive of 1995 for more than 20 years to protect their personal data from inappropriate use. Beginning in May 2018, the old directive is replaced by the new General Data Protection Regulation (GDPR). Any Shopify store owner who sells to customers in Europe needs to become familiar with the new regulation and achieve compliance within the next five months of the GDPR's introduction.
To help users get prepared, Shopify has been disseminating information. One such example is a blog post published on December 6 of last year. The post is presented as an interview with Shopify’s Data Protection Officer, Vivek Narayanadas. Needless to say, there is plenty of important information in this post.
The Regulation: A General Synopsis
The GDPR was developed by EU regulators to be a stronger privacy law than the regulations it replaces. Narayanadas says that it is the most comprehensive such law in the world and will affect how companies of all sizes and sectors do business in Europe. Even small, non-European companies that sell to European customers online are affected. This includes Shopify sellers.
In a nutshell, the GDPR requires companies selling in Europe to adhere to the following eight principles:
- They must process personal information ‘fairly and lawfully’ according to the conditions laid out in two schedules contained within the regulation.
- They must be completely transparent about their reasons for obtaining, storing, and using personal information.
- They must implement policies to ensure they are collecting and storing only that information they need for their stated purposes, and no more.
- They must implement policies to ensure that personal information is accurate and up-to-date.
- They must not store personal data for any length of time beyond what is necessary to fulfil its intended purpose.
- They must honour six delineated customer rights relating to personal data.
- They must take whatever steps necessary to prevent unauthorized processing of, or damage to, personal information.
- They must not allow data to be transferred to other countries or territories unless adequate consumer protections are in place.
Practically speaking, the regulation requires online retailers to take the necessary steps to actively protect customer data and, upon request, completely remove such data from their systems. Bear in mind that this is a very simplified explanation.
If you sell in Europe and have any questions about how the GDPR will affect you as a Shopify retailer, take a look at the blog post mentioned earlier and at the more recent information available online. Hopefully, Shopify will continue helping its users become and stay compliant with the GDPR.
If you don’t sell in Europe, then you can probably disregard the GDPR. It should not impact you in any way. But we’re not lawyers. You will also be required to comply with the GDPR if you begin selling in Europe at a future date.