
Not ready for GDPR? Hey, you’ve got nearly a week




What is arguably the most sweeping set of regulations telling businesses what they can and can’t do with the consumer data they collect, store and analyze goes into effect a week from today.

You’re GDPR ready, right?

More likely, you’re as ready as you’re going to be, because the consensus is that pretty much nobody knows exactly what GDPR, aka the General Data Protection Regulation, requires. (The UK’s ICO site might help.)

Oh sure, it’s no mystery that the new European Union regulation, effective Friday, requires companies that do business in the EU or with EU residents to become more transparent about what data they collect and what they use it for. It says consumers must be in control of their personal information, meaning they can ask to have it deleted. It means that companies need to quickly inform authorities and affected parties of any data breach. It requires most companies to name a data protection officer. It requires businesses to make sure that relevant vendors are also GDPR compliant. And, much, much more, as the late-night T.V. commercials say.

GDPR’s ambiguity might be a feature, not a bug

But many of the particulars — the whens, the hows, the whoms — are ambiguous, perhaps deliberately so given the sort of compromises needed to get 28 countries to agree to a regulation that is 261 pages long. Perhaps the most succinct summation of the challenges with GDPR comes from Alison Cool, a University of Colorado professor and author of “Europe’s Data Protection Law is a Big Confusing Mess,” in the New York Times. Her analysis:

“There is just one problem: No one understands the GDPR.”

None of this is a reason for businesses, from social networks to ecommerce merchants, to throw up their hands — and the evidence suggests businesses of all types have spent time and money to bring themselves into compliance. There is a vast cache of resources out there to help guide companies through GDPR. Signifyd, for instance, has produced “Retail’s Data Breach Risk,” a report that covers some data best practices, including GDPR, and suggests ways to make sure your vendors are as careful with the data you collect as you are.

Retail’s Data Breach Risk


GDPR is the latest ingredient in the alphabet soup of personal data certification and regulation. Learn more about the rest of the stew — PCI, SOC2 and Privacy Shield — in Signifyd’s “Retail’s Data Breach Risk: How to assess your exposure and why your partners’ data practices are every bit as important as yours.”

No doubt, the law will become clearer as businesses gain experience with it and litigants argue its fine points in court. Meantime, there is a much more positive way to view the GDPR: It’s generally the right approach.

The idea that consumers own their personal information and that companies that collect it have a duty to protect it falls into the category of common decency — and good business. Another way to think about consumers is as customers, the people you started your business to serve. A business should be on its customers’ side, right?

Being transparent about how, as a business, you collect and use a customer’s data is especially important, given the powerful narrative in the media and the U.S. Congress that consumers are being taken advantage of by underhanded companies gobbling up their data. While customer data is extremely valuable, abusing it isn’t a long-term business strategy.

In fact, it’s short-sighted.

GDPR is a chance to build trust with consumers

GDPR, however, provides businesses, including ecommerce merchants, the opportunity to build a better relationship with customers. Now, it’s true that the new regulations don’t apply to every U.S.-based business, nor do they apply to transactions with U.S. customers of U.S.-based businesses.

But if you’re a business that needs to adhere to the requirements, why not embrace that openly and share with your customers your high standards when it comes to data? And if you’re a business that doesn’t need to adhere to the rules, or needs only to follow them on some transactions, why not adopt them fully — and use your data practices as a differentiator? That will give you a competitive advantage and a head start on rules that quite likely will apply to you in the not-so-distant future.

We are operating in an age in which consumers have access to more information than ever before when they consider purchases, or what brands to support, or what stores and sites to shop. Consumers are looking for more than just product and price.

Why not give them something more?

Contact Mike Cassidy at [email protected]; follow him on Twitter at @mikecassidy.

Mike Cassidy


Mike is the head of storytelling at Signifyd. A former journalist and a retail geek, he covers ecommerce and the way technology is transforming digital commerce. Contact him at [email protected].