GDPR: What it means for subscription merchants

GDPR is one of those buzzwords you’re probably hearing a lot about lately. Everyone’s talking about how it’s coming soon and that you’ll need to prepare for it.
But what is it? And what does it mean for your subscription business?
In this post, we’ll dive into the details around GDPR and help you get an understanding of what you need to do to get ready for the changes coming.
Before we dig in: if you are a subscription merchant based in the US that only sells to US-based customers, you are largely out of scope and can stop reading here. One caveat worth checking first: GDPR also reaches businesses outside the EU that monitor the behaviour of people located in the EU, so if your site runs analytics or tracking cookies on EU visitors you are not entirely off the hook. And if you sell to customers in the EU, you will need to make changes to comply with the new GDPR rules.

What is GDPR?

First of all, let’s get on the same page about what GDPR is (and what it means).
GDPR stands for General Data Protection Regulation, a new EU regulation that governs how businesses handle personal data. Personal data is any information relating to an identified or identifiable natural person, whether the person can be identified directly or indirectly. Email addresses and phone numbers are the obvious cases, but customer IDs, IP addresses and cookie identifiers also count.
GDPR applies from May 25, 2018. It is an EU regulation, so it takes effect directly in every member state on that date (including the UK, which is still a member state at the time of writing) without needing separate national legislation. It applies to any business that:

  • Is established in the EU
  • Is outside the EU but offers goods or services to people in the EU (a subscription sold to an EU customer counts, whether or not payment is taken)
  • Is outside the EU but monitors the behaviour of people in the EU (for example through analytics or tracking cookies)

Note that the test is where the person is located, not their citizenship.

What Subscription Merchants Need to Do

There’s a lot of reading you’ll want to do to get up to speed on the specifics of GDPR, but here are some of the key changes and high-level to-do items to keep in mind as you think about GDPR prep.
1. Set up a data processing record
GDPR requires you to have a lawful basis for each way you process personal data (for a subscription business this is usually performance of the contract for billing and delivery, legitimate interests for fraud prevention, and consent for marketing) and to be able to demonstrate that on request. The practical way to do this is a record of processing activities (Article 30) that lists, for each activity:

  • The purpose of the processing and the lawful basis you rely on
  • The categories of people concerned (for example customers, trial users) and the types of personal data you hold about them
  • Categories of recipients of that data (payment processor, email provider, analytics vendor, and so on)
  • How long you will retain the data, or the criteria used to decide that
  • Details of data transfers outside the EU and the safeguard that covers each one
  • A general description of the technical and organisational measures you use to keep the data safe

Organisations with fewer than 250 employees are exempt from keeping this record unless the processing is regular rather than occasional, carries a risk to the people concerned, or involves special categories of data. Processing customer accounts and billing data is regular, so assume you need the record regardless of your size.
The good news is that if you already have a CRM system, it gives you a ready-made inventory of what you hold and where it came from. Be careful with third-party tools such as Google Analytics, though: they are themselves recipients of personal data, and usually a transfer outside the EU, so they belong in the record as a recipient rather than being the tool you use to produce it.
2. Demonstrate ongoing compliance
Next, you will want to put together a data protection policy that covers the data above, who handles access requests and other requests from customers about their data (access, correction, erasure, portability, and objection), and how those requests are fulfilled within the one-month deadline. Your policy should also cover:

  • Data breach policy: What you will do if data is breached, including how you will notify your supervisory authority within 72 hours of becoming aware of a breach (where feasible) and how you will notify affected customers when the breach is likely to put them at high risk
  • Data retention policy: Outline of how long you will hold onto each type of data, and how you delete or anonymise it once that period ends
  • Data protection staff: Who will manage your data protection efforts from inside the company
  • Safe data training: How you will train all staff on data protection
  • Audit procedures: How you will monitor your GDPR efforts on an ongoing basis
  • Customer consent: Where you rely on consent (marketing emails, non-essential cookies), how you collect it. Consent must be a clear, affirmative action that is specific to the purpose, not bundled into your terms of service or given by a pre-ticked box, and it must be as easy to withdraw as it was to give. Keep a record of what each customer agreed to and when.

Here’s a sample in case you need some direction on where to start.
3. New Policies for Data Transfers
Under GDPR, transferring personal data out of the EU requires a recognised safeguard. A transfer is allowed without further conditions to a country the European Commission has found to offer adequate protection; for anywhere else (including the US) you need an appropriate safeguard such as standard contractual clauses with the recipient, or binding corporate rules within a corporate group. For a subscription merchant the transfers are often hidden in plain sight: a US-based payment processor, email service, help desk or analytics vendor receiving EU customer data is a transfer, so check each vendor's data processing agreement for the safeguard it relies on and note it in your processing record. For wording, it can help to look at how other companies in your space frame their GDPR and data privacy language, but make sure the substance (the actual safeguard for each transfer) is in place first.

FAQs about GDPR

Still have questions? Let’s go over some of the FAQs around GDPR:
1. What are the penalties for non-compliance with GDPR?
Organizations can be fined up to €20 million or 4% of annual global turnover, whichever is higher. This is the top tier, reserved for the most serious breaches, such as processing data without a valid lawful basis (for example without sufficient consent where consent is required), or ignoring customers' rights. There is a lower tier of up to €10 million or 2% of annual global turnover, whichever is higher, for failures such as not keeping your records of processing in order, not notifying the supervisory authority and affected individuals about a breach, or not conducting a required data protection impact assessment.
2. How does GDPR impact customers under the age of 16?
Where you rely on consent to offer an online service directly to a child, a parent or guardian must give or authorise that consent for children under 16, although individual member states may set a lower age. Whatever a state chooses, the age cannot be below 13. If you rely on consent and may have young users, you need a reasonable way to verify parental consent.
3. Do I need to hire a Data Protection Officer?
You only need to appoint a DPO if you are a public authority, if your core activities involve regular and systematic monitoring of individuals on a large scale, or if your core activities involve large-scale processing of special categories of data (such as health data) or data about criminal convictions. Most subscription merchants will not meet these tests, but you should still name someone responsible for data protection, and you can appoint a DPO voluntarily.
4. Will Brexit impact GDPR?
The UK is still an EU member state on May 25, 2018, so GDPR applies in the UK from that date regardless of Brexit. The UK government has said it intends to keep GDPR standards in domestic law after leaving the EU, and the details of how data flows between the UK and the EU will work after exit are still uncertain. Either way, all organisations are strongly encouraged to proceed with preparation and compliance.

Make a Plan & Get Ready for GDPR

With this information, you can get started on your GDPR strategy so that when May 25 rolls around, you are compliant and ready to go. Remember to cover the basics outlined here: know what personal data you hold and why, write down how long you keep it and where it goes, and have a plan for breaches and customer requests. Take the time to develop a thorough strategy that keeps your business (and its customers) safe and secure.