Protecting Your Customers’ Private Information

As an Amazon FBA seller, it’s important to follow GDPR compliance in the US. Follow our checklist to make sure your business is compliant. 

As an Amazon FBA seller, you’ve likely got your hands full with growing your business. Whether it’s advertising, managing customer support, or handling shipping and returns, it may seem that there is not enough time in the day. You may also be considering selling your Amazon FBA business. But first, you’ll want to make sure you’ve got all your bases covered, especially when it comes to protecting customer information.

If you’re based in the United States, staying up to date with European data privacy laws is probably not high up on your to-do list. However, if you sell services or products within the European Union, it should be. 

Did you know that you may be legally obligated to comply with the European Union’s General Data Protection Regulation (GDPR)? If that’s news to you, don’t worry. This checklist will tell you what the data protection law entails and what GDPR compliance in the U.S. looks like.  

GDPR Requirements for U.S. Companies

In our digital age, consumers are becoming increasingly aware of and informed about their personal information and data security. And understandably so. A single data breach could result in private customer data falling into the hands of data brokers and hacker forums.

For Europeans, data privacy is considered a fundamental human right.   

As such, the GDPR is an update to the EU’s previous Data Protection Directive of 1995. Implemented in 2018, the EU GDPR was modernized to add further protections and regulations surrounding EU citizens’ personal data, specifically how it can be properly gathered, stored, and shared.

Naturally, many American sellers assume that GDPR doesn’t apply if they don’t operate within the European Union. They are mistaken. The GDPR applies to all companies that offer goods and services to customers in the European Union and process the personal data of EU citizens, regardless of where a company’s data is processed or controlled.

But what’s considered personal data? 

GDPR Article 4 defines it as such: 

“‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”

Potential Fines

Lack of GDPR compliance could result in steep penalties as well as reputational harm.  But how much? The EU separates fines into two categories:

Tier 1 – Less severe infringements could result in penalties as high as €10 million, or 2% of the firm’s worldwide annual revenue from the preceding financial year, whichever amount is higher. This tier usually applies to violations of the articles governing controllers and processors, certification bodies, and monitoring bodies.

Tier 2 – More severe infringements could result in a fine of up to €20 million, or 4% of the firm’s worldwide annual revenue from the preceding financial year, whichever amount is higher. This tier usually applies to violations of the articles governing the basic principles of processing, the conditions for consent, the data subjects’ rights, and the transfer of data to an international organization or to a recipient in a third country.


There are several criteria that the EU authority will use to determine whether a violation has occurred and to gauge its severity. Examples include the gravity and nature of the infringement, whether it was intentional or negligent, whether the seller took action to mitigate the damage, and the precautionary measures in place, or lack thereof. The authority will also consider any history of previous infringements, whether the seller cooperated, what type of personal data was involved, and whether the seller notified the victims and reported the infringement.

Steps You Can Take to be in Compliance with GDPR

So, what do you need to do to comply with GDPR? Follow these steps:

Step 1: Perform an assessment – Your first task is to conduct an internal audit of your business to see what personal data you process and whether that data includes the personal information of EU citizens. If that’s the case and the data processing activity is related to the sale of your goods or services, you’ll be expected to be GDPR compliant. 

Step 2: Understand your data collection – To comply with regulations, you need full visibility and control over your data. This means identifying your data sources, the types of data you collect, and your reasons for collecting it. You also need to know how it is stored and processed, who accesses it, and how and when it will be deleted.

After you have conducted this self-assessment, confirm that your data usage rests on one of the six allowable reasons:

1. Explicit consent of the subject

2. Protecting the individual’s vital interest 

3. For tasks that have been done in the public interest

4. Contractual necessity

5. Compliance with a data controller’s legal obligations

6. The legitimate interest of the data controller


Step 3: Update your privacy policy – You might be wondering how to write a privacy policy and why it’s important. The data protection law requires that AWS sellers practice transparency and obtain consent when it comes to customer data. Consumers need to know why you’re collecting the data, how it’s handled and secured, and who can access it. They also must be given easy ways to retrieve their data, amend it, or request that you stop collecting it.

Step 4: Appoint a data protection officer (potentially) – You may be required to appoint a DPO who is tasked with managing the data’s security. Whether you must depends on whether large-scale personal data processing is a core activity of the business, or whether the business processes special categories of data.

Step 5: Appoint an EU rep – Similarly, non-EU organizations are expected to appoint a representative in one of the EU countries they operate out of. Currently, Amazon operates in the following EU nations: France, Germany, Italy, Netherlands, Spain, and Sweden.

Step 6: Prepare for the worst – Should a data breach occur, you need to know what to do. That includes notifying impacted consumers and the relevant authorities of any event within 72 hours, taking mitigation actions to reduce the impact of the breach, and cooperating with authorities in their review of the incident.

Data Privacy is the Future

No matter where you sell your products, championing data compliance must be a company-wide ethos. As digital technology becomes even more interwoven throughout the inner workings of society, practicing data protection will go from a best practice to a matter of necessity. Even more so, in the event of a sale, having GDPR compliance will surely make your business more attractive to potential buyers.

As such, if you plan to operate in Europe, your company will need to comply with GDPR requirements for United States companies. If you start now and treat it as more than simply a box to tick off, you’ll position your business to grow at home and abroad successfully. 

Ruben Amar

Ruben is the co-founder and co-CEO of Forum Brands, leading its Mergers & Acquisitions team. He is on a mission to identify and build the next generation of world-class consumer brands through technology and strategic deal making.
