Unless you’ve spent the last 12 months on the International Space Station, there’s a very good chance that the Covid-19 pandemic has affected you in some way. For many, it has meant a fundamental shift in the way they run their business. Those in the retail and hospitality sector have been hit particularly hard, and during these difficult times some have had to adapt and try new ways to bolster an income that has been severely reduced. Going online has been the obvious choice, and so 2020 became the year that shop owners, small and large, took the plunge and got themselves a website. It used to be challenging to start an online shop, but there are so many ways to do it these days that you can be up and running within a day. It’s no surprise that Shopify now has 1.5 million websites hosted on its platform, and it’s one of the fastest-growing systems for starting up an online presence. But there’s a particular responsibility that comes with owning an online store, and it’s something that needs to be taken seriously: GDPR.

It’s not just about that pop-up

Many store owners install some pop-up software that tells people they’re using cookies, and that’s it. But it might not be “it” if you want to ship to countries in which GDPR applies. If you’re in the USA, for example, and want to ship to the UK or Europe, you may well have to adhere to GDPR rules and appoint a GDPR representative. Also, if you’re based in the UK, you can no longer simply post things across to Europe friction-free because of Brexit. You may also need to appoint a GDPR representative in a European country.

How and why does Article 27 apply?

Let’s deal with the UK for now. If you have recently set up a store in the UK and want to ship to anywhere in Europe, then it’s likely Article 27 will apply, unless the processing of that data is “occasional”. The ICO (the governing body for GDPR in the UK) states that “occasional” use is a “one-off occurrence, something you do rarely”. So, for example, you mainly sell to the UK, but someone in Germany finds your site, buys something and needs the product delivering there. In this case, you are unlikely to need to appoint a GDPR representative. However, suppose you actively market to Germany or France or anywhere else in the EU, with prices on your site available in euros and postage rates set up specifically to handle international shipping. In that case, you’re not ticking the occasional box, and you will need to appoint someone. One exemption is if you already have an office in a European country, but if you’ve just signed up for a Shopify site, that’s unlikely to be the case.

What does the GDPR representative do?

Data protection has been top of governments’ agenda for some time now as the prevalence of websites collecting personal data has clashed with the number of breaches and access to that data. It’s in everyone’s interest to ensure information is looked after. Companies should have a straightforward method of ensuring people know that their private data has been compromised if a breach does occur. Also, people who know a company is holding their data should have access to someone they can talk to. Governments should also be able to query the capabilities of companies holding that data. Therefore, a representative needs to be available in the customer’s country and have the necessary authority to act on the company’s behalf should there be any such queries. As a side note, this person or agency needs to be named in your privacy policy.

But I’m a tiny business. Does Article 27 include me?

Sorry, yes. Some tiny businesses process lots of data. If you sell to someone in Europe, then you have details that could personally identify them. Their address and other information will likely stay in your order system for some time, so they need to have confidence that you’re looking after that data.

I’m in the USA. Does it apply to me?

It certainly does! Although the laws are European in origin (and UK due to Brexit), they are international in scope. If you sell to the UK or any European country, you need to appoint an Article 27 GDPR representative.

Is it expensive? Surely I don’t need to employ someone?

Luckily there are ways to comply with the law without setting up an office in the country you want to trade with. A GDPR representative can be an agent who will act on your behalf, and DPA-OK is here for you! Contact us today!
