Starting from May 25, 2018, all businesses that collect and store personal data of EU citizens have to comply with the General Data Protection Regulation (GDPR). It is a set of rules the EU passed in 2016 to protect the identity rights of its citizens.

What does GDPR mean for B2B ecommerce businesses? It would be a mistake to believe that if a company caters to businesses, not to individuals, GDPR won’t affect it. Every contact person from a customer company is, in fact, an individual protected by GDPR, and B2B marketers should take it into account when planning mass-mailings and other campaigns involving customer data.

The scariest thing about GDPR is that it applies to all companies regardless of their location. If a company holds the data of even one EU citizen residing within the EU, it may still be sued. And the fines may be astronomical: up to €20 million ($24 million) or 4% of your annual revenue.


GDPR Cost for the Fortune 500 Companies

Ernst & Young estimated that the world’s 500 biggest corporations are on track to spend a total of $7.8 billion to comply with GDPR. For example, Facebook appointed a team of 60 specialists to work on GDPR compliance over 18 months, and moved 1.5 billion users from its Irish entity to the USA.

Nevertheless, on May 26, Facebook, Instagram, WhatsApp, and Google were hit with $8.8 billion in GDPR lawsuits, from four European countries simultaneously.

The Los Angeles Times and the Chicago Tribune were not ready for the big date and started temporarily blocking EU visitors instead. This raised the fear that the internet would be split, with the EU left isolated from the rest of the world. However, the EU has about 500 million potential users, and it will be hard to ignore such a lucrative market in the long run.

Taking Care of User Data

So what does a B2B company have to do to become GDPR compliant, and how much will it cost?


GDPR rules cover any data that can be considered personal: addresses, credit card numbers, travel records, religion, web search history, ID codes, biometric data, and more.

Corporations with more than 250 employees will have to appoint a DPO (Data Protection Officer). That person will be responsible for any data breaches that may occur in the future as well as for GDPR audits. The latter will become part of life for larger corporations; some will be able to run audits in house, while others will have to pay third parties for them.

The first step in GDPR compliance is to take stock of all user data in the company: where it is located, who has access to it, who takes care of it, and so on. The highest fine under GDPR applies when you knew there was a data breach but did not react in time. Larger organizations have a 72-hour period to inform the regulators; anything longer than that will be punished.

Security specialists from ecommerce development company Iflexion recommend that businesses deploy software that raises an alert immediately after a data breach has taken place. The software should also be able to document what happened so that the level of damage can be assessed.

New Rules about Consent

B2B ecommerce businesses should identify all personal data stored within the company and evaluate the consent given for every piece of this data, for each particular purpose.

For example, if a customer’s representative gave their email address to download a white paper from your website, under GDPR that does not mean that you can send them emails about your products. If you want to do so, you will have to ask for consent explicitly.

The Right to Object

If a user wants a company to stop using their data, the company has to comply. This is called the right to object, and the customer should be informed about it at the first point of contact.

This is especially relevant to direct marketing. If a user tells you they do not want to receive email from you anymore, don’t send them another email asking them to reconsider – this would be a violation of GDPR.

Changes in the Front End

Cookies are also treated as personal data, so a company has to ask for the visitor’s permission to use them on the site. The request for such permission should include a link to the company’s privacy policy so that the user can see how their data will be used.

Privacy policies have to be rewritten to explain the new rules and capabilities. From what we have seen so far, privacy policy documents have only become more difficult to read as companies rushed their content in order to be compliant before May 25.

The opt-in checkbox for joining a mailing list may no longer be checked in advance. The checkbox has to be empty so that the user ticks it of their own free will. You will also have to extend the database with several new columns: the type of consent asked for, the time when the user gave the consent, and so on. It is crucial that you be able to document user consent in case of audits and/or lawsuits that may come later.

GDPR Is a Way of Life Now

The days of the wild, wild internet are ending and GDPR is here to stay. It is still almost free to send thousands of emails, but the cost of sending one to the wrong person may now be unbearably high. Document everything, audit your company as if a regulator were auditing it, and keep on selling in spite of it all.
