Volusion is committed to compliance with GDPR and works to ensure that all of our internal operations comply with these regulations. Every merchant is ultimately responsible for ensuring that their business complies with all laws and regulations for the jurisdictions in which they operate, as well as those in which their users reside.
As a merchant based outside of the EU, why should I be concerned?
GDPR will affect all EU-based merchants, as well as global merchants who market, sell to, or capture data associated with any individuals located within the EU. Since the majority of ecommerce sites can be accessed internationally, all ecommerce merchants should make themselves aware of their responsibilities under GDPR.
I use Volusion, so what do I need to do?
Below are some steps you can take to begin the journey to GDPR compliance:
1. Familiarize Yourself with GDPR
If you don’t yet have a working knowledge of its principles, start by understanding the basics through one of these links:
There is an open source (free) checklist you can use to evaluate your company's readiness for GDPR:
2. Take Stock of Your Data
Under the GDPR, every business is responsible for documenting:
- What personal data it collects. (Ex. customer name, address, email, payment info, etc.)
- A legitimate business reason to collect it. (Ex. "We are collecting your address in order to ship your products.")
- How the data is shared with third parties. (Ex. "Payment info is sent to our bank for transaction approval.")
Under GDPR, all businesses are required to transparently communicate the ways that personal data is being collected and used, and are expected to ask for consent in advance of collection. Because of these regulations, cookie policies will need to be documented and provided to visitors to your store.
Given the diversity of merchants, partners, and integrations that access the VOLT platform, it isn't possible to create a single list or policy that would be applicable for every merchant. You can see a list of the most common cookies used by Volusion merchants here.
5. Protect Your Consumers’ Personal Data
There are steps you'll need to address regarding the protection of your shoppers' data, particularly if you're processing customer data outside of the VOLT platform such as a brick and mortar store or by taking phone orders and entering data on workstations.
A key element you'll need to complete is the creation (or updating) of a data protection policy. This document will outline controls your company uses to ensure data remains secure while processed, transmitted, or stored. This policy should also outline the steps you'll take in the event that you suspect data has been compromised, which must include notifying your customers within 72 hours of becoming aware of a breach.
6. Beware of GDPR “Certifications”
At this time, there's no formal certification process for companies to receive an officially recognized GDPR compliant certification. Despite this, there are companies looking to take advantage of the anxiety around GDPR compliance and the upcoming deadline by offering such a certification. Please be careful when you see these types of claims. We encourage partnering with respected consulting and / or legal firms offering guidance and advice related to GDPR.
If you have additional questions about Volusion’s efforts surrounding GDPR, please send them to firstname.lastname@example.org.