What Every Retailer Should Know About GDPR – and How Nosto is Preparing for It

Disclaimer: The content in this post is not – and should not be interpreted as – legal advice. For detailed information regarding the technicalities of GDPR, please seek legal counsel.

If you’re a business serving clients within the European Union (and worldwide), you’ve likely (or absolutely, we hope…) heard of the General Data Protection Regulation going into effect on May 25th, 2018. This law will essentially change the way businesses can collect and process any personal data – and one wrong move can land you in pretty deep water with the legal powers-that-be….

To help you stay on the shores of GDPR compliance, we’ve put together a rundown of what you should know (and what you’ve likely asked yourself) regarding GDPR – as well as the tools we at Nosto have put in place to help ensure our clients abide by GDPR regulations.

First off, what is the GDPR?

The EU General Data Protection Regulation (GDPR, for short) is a European data protection regulation that applies to and affects all businesses offering goods/services within the EU. The GDPR essentially reshapes the way organizations across the EU approach data protection – strengthening data protection for all individuals who interact with these businesses.

If the GDPR is an EU regulation, does it apply to non-EU companies as well?

The short answer: it could. While the GDPR is a regulation binding and applicable across the European Union, it has implications and requirements for non-EU businesses processing EU residents’ data. If an online retailer located outside of the EU processes the data of an EU resident, that data must be processed and stored according to the regulation in the resident’s home country, and not only following the regulations in your business’s location. This is why we are applying changes throughout our customer base, regardless of business location: so that all Nosto merchants, wherever they are located, can be GDPR compliant.

One thing to note: An EU regulation is not the same as a U.S. law.

When a regulation is passed in the EU (which can take years of preparation), on the day it goes into effect it is legally binding and applicable without the need for member states to pass local legislation. While member states cannot have conflicting regulation, they can pass stricter legislation than the regulation requires – as long as it doesn’t conflict with the regulation itself. For example: according to GDPR a user must give clear consent and opt-in for direct email marketing. In Germany, the same rule applies, but businesses are also required to apply double opt-in methodology for direct email marketing.

How is Nosto preparing for GDPR?

From numerous iterations to our infrastructure, processes and updates to our DPA, our team has been hard at work to ensure Nosto is a GDPR compliant technology – which, as a result, will make it easier for our clients to remain GDPR compliant.

Here’s a quick video from our Product Manager, Lari, discussing the measures and tools we’re deploying across our site to make GDPR easier for you:

The Journey to GDPR: A Nosto retrospect from our Product Manager

It’s been both an emotional and a technical rollercoaster. We’ve sworn, we’ve tackled tons of technical issues, we’ve broken a sweat while writing documentation, we’ve laughed about mistakes made (before jumping back into them to fix them), and have probably consumed an Olympic swimming pool’s capacity of coffee throughout the entire process.

All in all, it’s been awesome in the sense that it was a true team effort. Since the new regulation touches the whole product, our teams across dev and other areas of the organization put their heads together to make sure no stone went unturned: from translations to fixing how we store and process the data to providing input for our own legal team.

Are there clear winners in GDPR?

In this context, a ‘clear winner’ is a consumer who now has better control of their data, at least in theory. The previous regulation in the EU goes back a long way, so it really was time to change this – even though marketeers might perceive it as draconian by its nature.

Yes, the new regulation makes some things harder (especially for marketing), but transparency goes a long way in building good principles on which to base your business.

One of our CSMs actually put this very well in a panel discussion:

If you do this thing right (be transparent and open about how you use their data), it’s going to make your relationship with customers honest, meaningful and stronger.

On a funnier note, I guess many law offices and data privacy consultants are having a field day, so they’re also winning pretty hard.

…what about losers?

‘Losing’ is a bit of a harsh expression, but I’m sure many retail businesses are spending a lot of time and money on the topic (which means resources taken from growing your business). The same applies to us as a technology serving the ecommerce industry. It was an interesting reality check for us, and even though the changes we needed to make weren’t really difficult by nature, we still spent a fair share of time making those changes instead of building something new. Were we losing? I’d say no. But would I personally rather work on building something more innovative than, say, describing our data retention policy? Absolutely!

Is there something particularly concerning about GDPR?

Also, while the regulation and some topics surrounding it are deliberately very broad, describing how to acquire a user’s consent in the context of ecommerce is somewhat bleak. Ecommerce businesses have processed, and will continue to process, personal data for different purposes even after GDPR goes into effect. And while communicating a legitimate reason for data processing is comprehensible, how to properly communicate this – and how to acquire consent – is not. Perhaps it will be a new version of a cookie banner, but so far this is quite speculative. While the new regulation is on point when it comes to consumer rights, industry guidelines could have been provided more clearly.

Any practical tips for retailers still figuring out GDPR?

Fun fact: GDPR goes into effect on May 25th, which also happens to be Towel Day (celebrating Douglas Adams, author of The Hitchhiker’s Guide to The Galaxy). In his book, Adams describes a hitchhiker’s towel as a representation of preparedness. So I leave you with one important tip: always carry your GDPR towel with you – know where your data is and who processes it.


Want more information about GDPR?

Visit Nosto’s Data Privacy page where you’ll find plenty of info on the privacy control tools we’ve deployed, as well as additional resources all about GDPR.
