Volusion is committed to compliance with GDPR, which takes effect on May 25th, 2018. While Volusion works to ensure that all of our internal operations comply with these new regulations, each merchant is ultimately responsible for ensuring that their business complies with all laws and regulations for the jurisdictions in which they operate, as well as those in which their users reside.
As a merchant based outside of the EU, why should I be concerned?
GDPR will affect all EU-based merchants, as well as global merchants who market, sell to, or capture data associated with any individuals located within the EU. Since the majority of ecommerce sites can be accessed internationally, all ecommerce merchants should make themselves aware of their responsibilities under GDPR.
I use Volusion, so I don’t need to do anything else to be GDPR compliant, right?
Unfortunately, no. While much of Volusion’s efforts towards GDPR will assist you with your own compliance, there are steps you'll need to take as well. Simply using the Volusion platform will not guarantee that a merchant is compliant with GDPR.
So what do I need to do?
Below are some steps you can take to begin the journey to GDPR compliance:
1. Familiarize Yourself with GDPR
You've probably heard of GDPR, but if you don’t have a working knowledge of its principles, start by understanding the basics through one of these links:
Additionally, there are a number of resources available on the steps companies must take in order to comply with GDPR, including an open-source (free) checklist you can use to evaluate your company's readiness for GDPR:
2. Take Stock of Your Data
Under the GDPR, every business is responsible for documenting:
- What personal data it collects. (e.g. shopper name, address, email, payment information)
- A legitimate business reason to collect it. (e.g. an address to ship products, payment information to process payments for goods)
- How the data is shared with third parties. (e.g. payment data sent to a bank for transaction approval)
Under GDPR, among other regulations, all businesses are required to transparently communicate the ways that personal data is being collected and used, and are expected to ask for consent in advance of collection. Because of these regulations, cookie policies will need to be documented and provided to visitors to your store.
Given the diversity of merchants, partners, and integrations that access the Volusion platform, it isn't feasible to create a single list or policy that would be applicable for every merchant. However, you can see a list of the most common cookies used by Volusion merchants in our Volusion Software Cookies article.
5. Protect Your Consumers’ Personal Data
While Volusion’s world-class security makes this step easier, there are still steps you'll need to address regarding the protection of your shoppers' data. This is particularly true if you're processing shopper data outside of the Volusion platform, such as in a brick-and-mortar store or by taking phone orders and entering data on workstations.
A key element you'll need to complete is the creation (or updating) of a data protection policy. This document will outline key controls your company uses to ensure data remains secure while processed, transmitted, or stored. This policy should also outline the steps you'll take in the event that you suspect data has been compromised, which must include notification in accordance with GDPR (within 72 hours of becoming aware of a breach).
6. Beware of GDPR “Certifications”
At this time, there's no formal certification process through which a company can receive an officially recognized GDPR-compliant certification. Despite this, there are companies looking to take advantage of the anxiety around GDPR compliance and the upcoming deadline by offering such a certification. Please be careful when you see these types of claims. We encourage partnering with respected consulting and/or legal firms offering guidance and advice related to GDPR.
If you have additional questions about Volusion’s efforts surrounding GDPR, please send them to firstname.lastname@example.org.