5 Steps to GDPR Compliance

Joel Filipe on Unsplash
White building and security camera

The General Data Protection Legislation, or better known as GDPR, comes into effect soon on May 25th and has been grabbing a lot of headlines the past few months – whilst this is new EU legislation this will have an impact on businesses around the world. So regardless if you are based in the USA, Canada, Australia, New Zealand or Europe you need to understand now what the legislation means to your business and how to ensure you are in compliance.

This legislation applies to any business that collects any European data even if this is done out of Europe. Think about all the data your business collects, email lists collected on blogs, e-commerce sales information, global clients. The impact of this is huge and we can almost guarantee that this will impact your business.

What makes this even piece of legislation even more scary is that the fines for non compliance can be eye wateringly high – up to 4% of your global revenue.

Our advice is to assume that this legislation applies to your business now and take actions to ensure compliance.

Get A Free Quote

Breakout E-commerce accountants and Xero specialists to supercharge your UK online business growth.

What are the new requirements?

The new requirements are formed around data security and privacy. For a complete list of requirements we recommend visiting the EU’s website on GDPR.

The summary of requirements is here:

    • Safeguards and data protection measures must be in place to protect data.
    • Right to erase – data must be removed when requested or the service comes to an end.
    • Due diligence – Companies must have controls documented and in place and have conducted a full risk assessment.
    • Data breaches – if your data has been breached customers must be notified and authorities within 72 hours.

5 simple steps

Understanding of the GDPR Legislation

In order to have the confidence that you are compliant you need to have an in depth understanding of the framework and really think about how this will impact your business.  The GDPR applies not only to businesses based in the EU, but also to any company that processes the personal data of EU citizens, regardless of the company’s location. Therefore, businesses based outside of the EU must still comply with the GDPR if they collect, store, or process EU citizens’ personal data. You will need to have a base understanding of the legislation and how data can be processed and help.

1. Document your current process

Take some time to document your sources of data – where is this information captured, eg. email lists, online payment etc. Think about where you store the data and how you manage the current privacy and security about the data.

This document will be the start of your data register. The reason this needs to be documented is because each EU country will be setting up a GDPR enforcement team to determine whether breaches have occurred.

The documentation you prepare now (called a data register) helps to show the process your business has undertaken and steps made to ensure compliance. If your business is unable to show proof that a process has commenced to ensure compliance it could be fined without a breach of data even having occurred.

2. Types of data covered

The GDPR covers all personal data, which is any information that can be used to identify an individual, including names, email addresses, IP addresses, social security numbers, and even photos. The GDPR also covers special categories of personal data, such as racial or ethnic origin, political opinions, and health information, bank account details for payment processing by your e-commerce store. Data subject rights:  The GDPR gives individuals several important rights with regards to their personal data, including the right to access their data, the right to have it corrected or erased, the right to restrict its processing, and the right to object to its processing. Businesses must be prepared to handle these requests and provide clear and timely responses to individuals who exercise these rights.

3. Organise your data

You need to make a list of the type of data you hold, where this information is stored and who has access to this information.

4. Improve your internal processes

Once you are aware of your most sensitive data you can develop a process to ensure this is kept securely, limiting access.

This could be by using encryption software, password protection, or software that stores data. There is no definitive method for ensuring privacy and security compliance – it will be dependant on the type of information stored and level of sensitivity.

5. Document your new process

Once you started implementing improvement to your internal processes ensure the new process is documented in your data register.

Get compliant

The road to GDPR compliance is likely to be long and costly for many businesses. Luckily there are some great options to help the process along such as cloud compliance software or hiring a compliance. This is legislation that no business owner can ignore and you really do need to at now rather than put your head in the sand.

We are E-commerce Accountants her to help you with your E-commerce store accounting and tax!

Here at Unicorn Accounting, our team of specialist e-commerce accountants is happy to chat about all of your eCommerce accounting needs. So, what are you waiting for? Let’s talk and maximise the growth of your e-commerce store.


Get A Free Quote

Breakout E-commerce accountants and Xero specialists to supercharge your UK online business growth.