Large corporations are not the only businesses governed by the European General Data Protection Regulation, or GDPR, which became effective last month.
Small and mid-sized businesses also are subject to its provisions.
The regulation applies to the processing of personal data of individuals in the EU by an individual, a company or an organization engaged in professional or commercial activities.
“The common misconception is that if you don’t have an office in the EU, then the GDPR doesn’t apply to you,” said Cindy Zhou, principal analyst at Constellation Research.
However, shipping products to the European Economic Area (EEA) or sourcing them from the region are activities governed by the GDPR, she told the E-Commerce Times.
“The online marketplace has no borders,” noted Wesley Young, VP for public affairs at the Local Search Association.
That may be changing, however.
“We have seen many small businesses … exclude EU subjects from their clientele to avoid exposure to GDPR risks,” observed Andrew Frank, distinguished analyst at Gartner.
“This could impact assumptions about the frictionless global nature of e-business,” he told the E-Commerce Times.
GDPR Pitfalls for Unwary SMBs
The GDPR’s definition of personal data is “very broad,” LSA’s Young told the E-Commerce Times. “That would include IP addresses, location information, demographic information, and other general data used for targeting ads.”
The term “process” also is broadly defined, “and includes collecting and storing data, even if it isn’t further used,” he observed.
“The breadth of the GDPR’s application lends itself to be easily but unintentionally violated,” Young noted. For example, not following through on policy changes — failing to abide by new privacy policies, or not training staff to adhere to them — might be a violation.
Using data beyond the reason for which it was collected might be a violation, suggested Young, as consent has to be given for specific purposes.
The Ins and Outs of Consent
The GDPR “allows six different legal bases for collecting or processing personal data, of which consent is but one,” said Robert Cattanach, partner at Dorsey & Whitney.
For most e-commerce situations, the transaction arguably constitutes a contract, and “additional consent may not be required” to collect personal data necessary to conclude the transaction, he told the E-Commerce Times. However, the question of consent will arise when a merchant engages third-party vendors to track or monitor customer behavior on its website.
Monitoring or aggregating customer behavior on a merchant’s website to learn when a customer decides to place an order or abandon the search by using cookies is one option, Cattanach noted.
For the collection of personal data, a pop-up requiring the customer to independently agree to it would be necessary.
Two major issues remain unresolved, according to Cattanach:
- What constitutes informed consent is still “a matter of ongoing dispute”; and
- Responses to data subject access requests — such as the right to discover what data has been collected, correct errors, and request to be forgotten — “are legally less problematic on their face but, as a practical matter, may be more difficult to execute.”
Requests to be forgotten require merchants to establish process flows for the intake of such requests; set policies for when such requests will be granted or denied; and implement procedures for responding within 30 days.
That is “no small undertaking,” Cattanach remarked, “which is why many SMBs have just decided to avoid triggering GDPR by expunging all existing data of EU residents and blocking EU IP addresses from accessing their websites going forward.”
Records of processing were expected to be the most challenging of the data subject rights requirements by 48.5 percent of more than 1,300 U.S. business users and consumers who participated in an online survey CompliancePoint conducted this spring.
Only 29 percent of respondents to the CompliancePoint survey were fully aware of the GDPR; 44 percent were somewhat aware and 26 percent were unaware.
Other data subject rights problems they anticipated:
- Accountability – 41 percent;
- Consent and data portability – 39.7 percent each; and
- Right to be forgotten – 35.3 percent.
Twenty-four percent of business respondents to the CompliancePoint survey said their organizations were fully prepared for the GDPR, while 31 percent said they were somewhat prepared and 36 percent said their organizations were not prepared.
Following are some of the factors that kept the organizations of CompliancePoint respondents from being GDPR compliant:
- Waiting to see what enforcement would be applied – 45.6 percent
- Lack of understanding of the regulations – 39.7 percent;
- No budget for compliance – 36.8 percent;
- Low brand visibility – 33.8 percent; and
- Unconcerned – 27.9 percent.
“SMBs are not immune to the risk of GDPR,” said Greg Sparrow, general manager at CompliancePoint.
“The risk of fines and regulatory action are the same for businesses large and small,” he told the E-Commerce Times.
The financial penalties — 4 percent of annual revenue or 20 million euros — are large, noted Constellation’s Zhou.
However “the indirect costs in terms of impact on customer trust and brand reputation may be even greater,” said Gartner’s Frank.
CRM Software to the Rescue
CRM systems that make it relatively easy to execute functions like erasure and consent modification “can help considerably,” Frank suggested.
“SugarCRM recently released a data privacy module that automates much of the processes for managing the required data governance,” remarked Rebecca Wettemann, VP of research at Nucleus Research.
Zoho, Hubspot, Salesforce and other CRM vendors “are touting GDPR compliance,” Zhou noted.
“SMBs running cloud CRM applications will likely find the easiest path to compliance, because data privacy capabilities have been or are being built into these applications,” Wettemann told the E-Commerce Times.
That said, CRM companies are data processors by definition, Zhou pointed out, and under the guidance of the company that collected the customer data.
“Privacy policies, cookie notices and age consent forms all need to be managed by the SMBs themselves,” she said, “and are often placed on a website or on the e-commerce site which isn’t related to the CRM solution.”