It’s Not Too Late to Comply with GDPR

As of May 25th, the European Union’s General Data Protection Regulation (GDPR) went into effect in order to grant EU citizens a level of control over the collection of their personal data, and to improve transparency between businesses and consumers. This overhaul has tremendous ramifications for merchants who service European customers (including e-commerce merchants), since it affects how businesses collect and manage data of EU citizens.

In our increasingly interconnected world, many merchants that are located outside of the European Union will nonetheless fall under the radar of GDPR. If you’re not yet compliant, take note that the deadline has passed and non-compliance fees are steep: they could cost your business a maximum of 4% of your annual turnover! Keep reading for some helpful information about GDPR and how you can become compliant.

Why the Change?

GDPR replaces the EU Data Privacy Directive that had been in place since 1995. Since internet was in its infancy in 1995, the directive did not properly address current security threats. The collection and monetization of customer data is a growing strategy for many companies in recent years- think Facebook, Amazon and Google- which is why this legislation will serve an important purpose in keeping customers safe from data breaches.

Who is Affected?

GDPR compliance is necessary for any business that gathers personal data of EU citizens- whether or not it’s for the purpose of a financial transaction. While it’s clear that GDPR will affect e-commerce merchants, it’s important to realize that GDPR compliance is also essential for companies that specifically target EU citizens to gather personal data for marketing purposes.

What is in GDPR?

GDPR is extensive and complex, but here are some main points:

  • Customer consent is required, and it must be “freely given, specific, informed, and unambiguous.” This means that companies must provide a clear and explicit notification when gathering customer data- and not just in the privacy policy.
  • Upon discovering a data breach, companies have 72 hours to inform all those affected.
  • EU citizens have the right to request data erasure and to block further dissemination of their data. This is known as the “Right to be Forgotten.”
  • EU citizens have the right to obtain a copy of their personal data, and to know where and why their data is being processed.

What You Need to Do

Note- this is a general overview and not a comprehensive guideline. Every business should be careful to do their own research.

  • Assess Your Data

A good place to start is by performing a thorough audit of what data your business is collecting, how it’s collected, how and where it is stored, which third parties the data is shared with (if any), when it is destroyed, and what risks the data could be exposed to. Once you’ve done your research, you’ll have a better idea of any areas that need to be addressed.

  • Update Privacy Policies

Your privacy policy will need to include information on why data is collected, who it is shared with, the customer’s rights, how long the data is stored for, the contact information of your data controller, and more. See articles 12-14 of GDPR for more info.

Additionally, it is imperative that your privacy policy is written clearly and in a way that the average person could understand, and that it is easily accessible. This will remove any questions regarding willing consent on the part of the customer.

  • Obtain Consent from Customers Before Sending them Promotional Material

If you are gathering customer emails, you cannot add them to your email marketing list without their consent. You can do this by adding in a check box in the form (but it cannot be pre-checked).

  • Make a Plan of Action for Potential Data Breaches

Since GDPR requires businesses to notify impacted customers within 72 hours of a data breach, you will need to make sure you can carry this out quickly if it becomes necessary.

  • Prepare to Respond to Customer Requests for Data Erasure

As per GDPR guidelines, customers can request their data to be erased. Don’t wait until you receive a request to sort this out, though- start putting the correct steps into place now so this process can be as seamless as possible.

  • Seek Outside Help if Needed

If you’re unsure where to start, or if GDPR compliance is proving to be difficult for your company, you may want to consider seeking legal counsel.


As a final note, remember that GDPR is a data regulation and NOT a payment industry regulation. We are covering this topic since it is significant for merchants, but keep in mind that our customer support team is not equipped to provide individual guidance on this topic. Please reach out to data compliance experts or lawyers should you have any questions.