I Thought IKnew A Great Deal About GDPR …

Unbeknownst to me, my friend Paul O’Mahony ran a GDPR webinar this past Sunday, and I just got my hands on the recording.

The recording link below is not an affiliate link. It points to a BASIC explanation of what GDPR entails, with two case studies of the impact of GDPR on companies like yours.

I am not suggesting that you buy Paul’s training. I have not seen the training content nor can I vouch for the quality or completeness of it – although I can vouch for Paul’s honesty and integrity.

What I AM suggesting, though, is that you watch the video up to its 01:05:00 mark (after that, the sales pitch for the training begins).

Again, I remind you that GDPR is applicable to ANY company, no matter how small, that trades anywhere within the EU to EU nationals Yes, that means you, even if you are based in the US, Canada, Israel, China … and of course, if you live in the EU.

So, even after spending the last 3-4 months deeply embroiled in the GDPR compliance implementation for SL, after watching this video, I STILL managed to learn a few more things that I did not know:

– There is a MANDATORY requirement to register with the UK Information Commission office (or the equivalent in any EU member state). If you register before May 25, you pay the standard registration fee which is a flat £35/year. After the 25th, the registration fee will be based on the size/type of business and the fee can run into the 1,000’s of GBP

– Wait for this one … You have an obligation to vet your affiliates and make sure they are GDPR compliant!! For us, that means we will simply be shutting down our affiliate program. It is simply too risky/onerous to have affiliate deals as there is no way we can ascertain their level of compliance.

– And the next one is a pain in the neck, but luckily, we at SL are close to having this one nailed: You have an obligation to vet that your VAs are equally GDPR compliant.

And there are a few I’ll throw in for good measure, which isn’t discussed in the video below, but it’s just worth alerting you to it:

– If you are trading in the EU and are not located in the EU, you have an obligation to hire a data privacy representative to handle your interactions with the regulators

– If you have a significant volume of EU buyers, you may need to appoint a Data Protection Officer to keep you compliant. Because that person needs to be independent, The DPO cannot be you as the owner of the company. In our case at SL, that means we need to hire someone to perform that task.

Here is the video link.

https://go.leftclickrightclick.com/gdpr-made-easy-replay-1

The recording will expire in a bit more than a couple of days. Up until the 01:05:00, it is a public information service free of sales pitches.

Michel Gimena

 

Must Read: Do Not Ignore If You Sell In The EU

Sorry for the dramatic title. The following announcement is not only for SellerLegend’s GDPR compliance. it is as much for YOUR GDPR compliance.

Before you read what follows, please do not get irate with us and do not shoot the messenger. The regulations are what they are. We will not be drawn into defending or criticizing the regulations, there is simply not enough time left to lament. And the fines too gargantuan to ignore.

GDPR is a new legal requirement applicable to ALL businesses trading in the EU and handling personal data (we all do), no matter where you are located in the world. If you sell on Amazon in the EU, you are subjected to GDPR. There are no exceptions.

GDPR is a hefty piece of legislation, which requires you to produce at a minimum 13 different documents to explain and demonstrate how you manage your business in terms of data security. And data means every scrap of paper/handwritten lists/spreadsheets/pdfs/documents/system you use in your business to handle your buyers’ data.

An important part of GDPR is for you to have the adequate business processes to control the data you have entrusted to 3rd parties. That includes SellerLegend, as well as any other tool/system/company/assistance you use. For example, it applies to your VA’s as well.

During our own compliance review which has been ongoing for the past two months, we have identified we need to create 26 (out of about a potential 42) different documents to fully comply.

But documenting, while time-consuming and costly, is not the major task. Once documented, you need to implement and comply with what you have specified in the documents. And that is the true killer.

I cannot stress enough that *you* as an Amazon seller MUST comply with GDPR. It has nothing to do with SellerLegend. It has to do with your OWN business.

I am attaching a draft of our first public document, which is called the Data Processing Agreement. This is in addition and distinct to the TOS, Privacy policy, cookies policy etc. It is a binding, legal contract specifically between you and SellerLegend, which you will need to physically sign. It explains what our obligations are to:

1. Protect your data
2. Assist *you* in complying with GDPR
3. Allow *you* to communicate with the regulator when there is a security breach. (Yes, you are responsible for the regulatory communication if any of your processors is breached)

And oh, BTW, if you use multiple seller tools which handle personal data (most do), you need to sign one of those with EACH ONE of the tool providers. And if you use 3rd party processors (Mailchimp, Zendesk, Slack, Trello et al), you need one of those too.

Below is our first draft of the DPA, which we hope to implement on May 1st, about 25 days before the GDPR deadline. Please read it, it will reveal some of the obligations you must satisfy – although this will only reveal the top of the tip of the iceberg.
07.2_Supplier_Data_Processing_Agreement

RIP Daily Email Attachment

We regret that we have had to remove the daily email attachment.

During the data security risk assessment, which we are required to conduct to comply with the new EU Data Protection Regulations, we evaluated the delivery of the spreadsheet via email as too much of a security risk.

Because email is not a secure delivery method, there is a possibility that the spreadsheet could become infected with a virus in transit, after it has left the SL servers and before it reaches your computer.

We are sorry for the inconvenience.