
What the GDPR Means for Small US Etailers

June 22, 2018   CRM News and Info

Large corporations are not the only businesses governed by the European General Data Protection Regulation, or GDPR, which became effective last month.

Small and mid-sized businesses also are subject to its provisions.

The regulation applies to the processing of personal data of individuals in the EU by an individual, a company or an organization engaged in professional or commercial activities.

“The common misconception is that if you don’t have an office in the EU, then the GDPR doesn’t apply to you,” said Cindy Zhou, principal analyst at Constellation Research.

However, shipping products to the European Economic Area (EEA) or sourcing them from the region are activities governed by the GDPR, she told the E-Commerce Times.

“The online marketplace has no borders,” noted Wesley Young, VP for public affairs at the Local Search Association.

That may be changing, however.

“We have seen many small businesses … exclude EU subjects from their clientele to avoid exposure to GDPR risks,” observed Andrew Frank, distinguished analyst at Gartner.

“This could impact assumptions about the frictionless global nature of e-business,” he told the E-Commerce Times.

GDPR Pitfalls for Unwary SMBs

The GDPR’s definition of personal data is “very broad,” LSA’s Young told the E-Commerce Times. “That would include IP addresses, location information, demographic information, and other general data used for targeting ads.”

The term “process” also is broadly defined, “and includes collecting and storing data, even if it isn’t further used,” he observed.

“The breadth of the GDPR’s application lends itself to be easily but unintentionally violated,” Young noted. For example, not following through on policy changes — failing to abide by new privacy policies, or not training staff to adhere to them — might be a violation.

Using data beyond the reason for which it was collected might be a violation, suggested Young, as consent has to be given for specific purposes.

The Ins and Outs of Consent

The GDPR “allows six different legal bases for collecting or processing personal data, of which consent is but one,” said Robert Cattanach, partner at Dorsey & Whitney.

For most e-commerce situations, the transaction arguably constitutes a contract, and “additional consent may not be required” to collect personal data necessary to conclude the transaction, he told the E-Commerce Times. However, the question of consent will arise when a merchant engages third-party vendors to track or monitor customer behavior on its website.

Monitoring or aggregating customer behavior on a merchant’s website to learn when a customer decides to place an order or abandon the search by using cookies is one option, Cattanach noted.

“The UK’s Information Commissioner’s Office has opined that implied consent may be sufficient for such site tracking,” he pointed out. Therefore, a pop-up banner stating continued use of the site means consent to the use of cookies might suffice — although some of the German data protection authorities might not agree.

For the collection of personal data, a pop-up requiring the customer to independently agree to it would be necessary.

Two major issues remain unresolved, according to Cattanach:

  • What constitutes informed consent is still “a matter of ongoing dispute”; and
  • Responses to data subject access requests — such as the right to discover what data has been collected, correct errors, and request to be forgotten — “are legally less problematic on their face but, as a practical matter, may be more difficult to execute.”

Requests to be forgotten require merchants to establish process flows for the intake of such requests; set policies for when such requests will be granted or denied; and implement procedures for responding within 30 days.

That is “no small undertaking,” Cattanach remarked, “which is why many SMBs have just decided to avoid triggering GDPR by expunging all existing data of EU residents and blocking EU IP addresses from accessing their websites going forward.”

Records of processing were expected to be the most challenging of the data subject rights requirements by 48.5 percent of more than 1,300 U.S. business users and consumers who participated in an online survey CompliancePoint conducted this spring.

Only 29 percent of respondents to the CompliancePoint survey were fully aware of the GDPR; 44 percent were somewhat aware and 26 percent were unaware.

Other data subject rights problems they anticipated:

  • Accountability – 41 percent;
  • Consent and data portability – 39.7 percent each; and
  • Right to be forgotten – 35.3 percent.

GDPR Readiness

Twenty-four percent of business respondents to the CompliancePoint survey said their organizations were fully prepared for the GDPR, while 31 percent said they were somewhat prepared and 36 percent said their organizations were not prepared.

Following are some of the factors that kept the organizations of CompliancePoint respondents from being GDPR compliant:

  • Waiting to see what enforcement would be applied – 45.6 percent;
  • Lack of understanding of the regulations – 39.7 percent;
  • No budget for compliance – 36.8 percent;
  • Low brand visibility – 33.8 percent; and
  • Unconcerned – 27.9 percent.

“SMBs are not immune to the risk of GDPR,” said Greg Sparrow, general manager at CompliancePoint.

“The risk of fines and regulatory action are the same for businesses large and small,” he told the E-Commerce Times.

The financial penalties — 4 percent of annual revenue or 20 million euros — are large, noted Constellation’s Zhou.

However, “the indirect costs in terms of impact on customer trust and brand reputation may be even greater,” said Gartner’s Frank.

CRM Software to the Rescue

CRM systems that make it relatively easy to execute functions like erasure and consent modification “can help considerably,” Frank suggested.

“SugarCRM recently released a data privacy module that automates much of the processes for managing the required data governance,” remarked Rebecca Wettemann, VP of research at Nucleus Research.

Zoho, Hubspot, Salesforce and other CRM vendors “are touting GDPR compliance,” Zhou noted.

“SMBs running cloud CRM applications will likely find the easiest path to compliance, because data privacy capabilities have been or are being built into these applications,” Wettemann told the E-Commerce Times.

That said, CRM companies are data processors by definition, Zhou pointed out, and under the guidance of the company that collected the customer data.

“Privacy policies, cookie notices and age consent forms all need to be managed by the SMBs themselves,” she said, “and are often placed on a website or on the e-commerce site which isn’t related to the CRM solution.”
Richard Adhikari has been an ECT News Network reporter since 2008. His areas of focus include cybersecurity, mobile technologies, CRM, databases, software development, mainframe and mid-range computing, and application development. He has written and edited for numerous publications, including Information Week and Computerworld. He is the author of two books on client/server technology.

CRM Buyer
