What Every Retailer Should Know About GDPR – and How Nosto is Preparing for It

Disclaimer: The content in this post is not – and should not be interpreted as – legal advice. For detailed information regarding the technicalities of GDPR, please seek legal counsel.


If you’re a business serving clients within the European Union (and worldwide), you’ve likely (or absolutely, we hope…) heard of the General Data Protection Regulation going into effect on May 25th, 2018. This law will essentially change the way businesses can collect and process any personal data – and one wrong move can land you in pretty deep water with the legal powers-that-be….

To help you stay on the shores of GDPR compliance, we’ve put together a rundown of what you should know (and what you’ve likely asked yourself) regarding GDPR – as well as the tools we at Nosto have put in place to help ensure our clients abide by GDPR regulations.


First off, what is the GDPR?

The EU General Data Protection Regulation (GDPR, for short) is European data protection regulation that applies to and affects all business offering goods/services within the EU. The GDPR essentially reshapes the way organizations across the EU approach data protection – strengthening data protection for all individuals who interact with these businesses.


If the GDPR is a EU regulation, does it apply to non-EU companies as well?

The short answer: it could. While the GDPR is a regulation binding and applicable across the European Union, it has implications and requirements for non-EU businesses processing EU resident’s data. If an online retailer located outside of the EU processes the data of a EU resident, that data must be processed and stored according to regulation in resident’s home country, and not only following regulations in your businesses location. This is why we are applying changes throughout our customer base, regardless of businesses location: so that all Nosto merchants regardless of their location can be GDPR compliant.


One thing to note: An EU regulation is not the same as a U.S. law.

When a regulation is passed in the EU (which can take years of preparation), on the day it is in effect it is legally bindable and applicable without need for member states to pass a local legislature. While member states cannot have conflicting regulation, they can pass a stricter legislation than the regulation requires – as long as it doesn’t conflict with the regulation itself. For example: according to GDPR a user must give clear consent and opt-in for direct email marketing. In Germany, the same rule applies, but businesses are also required to apply double opt-in methodology for direct email marketing.


How is Nosto preparing for GDPR?

From numerous iterations to our infrastructure, processes and updates to our DPA, our team has been hard at work to ensure Nosto is a GDPR compliant technology – which, as a result, will make it easier for our clients to remain GDPR compliant.

Here’s a quick video from our Product Manager, Lari, discussing the measures and tools we’re deploying across our site to make GDPR easier for you:

The Journey to GDPR: A  Nosto retrospect from our Product Manager

It’s been both emotional and technical rollercoaster. We’ve sweared, we’ve tackled tons of technical issues, we’ve broken a sweat while writing documentation, we’ve laughed about mistakes made (before jumping back into them to fix them), and have probably consumed an Olympic swimming pool’s capacity of coffee throughout the entire process.

All in all, it’s been awesome in the sense that it was a true team effort. Since the new regulation touches the whole product, our teams across dev and other areas of the organization put their heads together to make sure no stone went unturned: from translations to fixing how we store and process the data to providing input for our own legal team.


Are there clear winners in GDPR?

In this context, a ‘clear winner’ is a consumer who now has better control of their data, at least in theory. The previous regulation in the EU goes back a long way, so it really was time to change this – even though marketeers might perceive it as draconian by its nature.

Yes, the new regulation makes some things harder (especially for marketing), but transparency goes a long way in building good principles from which to base your business on.

One of our CSMs actually put this very well in a panel discussion:

If you do this thing right (be transparent and open how do you use their data), it’s going to make your relationship with customers honest, meaningful and stronger.

On a funnier note, I guess many law offices and data privacy consultants are having a field day, so they’re also winning pretty hard.


…what about losers?

‘Losing’ is a bit of a harsh expression, but I’m sure many retail businesses are spending a lot of time and money on the topic (which means resources taken from growing your business). The same applies to us as a technology serving ecommerce industry. It was an interesting reality check for us, and even though the changes we needed to make weren’t really difficult by nature, we still spent a fair share of time making those changes instead of building something new. Were we losing? I’d say no.  But would I personally rather work on building something more innovative than, say, describing our data retention policy, absolutely!
Is there something particularly concerning about GDPR?

Also, while the regulation and some topics surrounding it are deliberately very broad, describing how to acquire a user’s consent in the context of ecommerce is somewhat bleak. Ecommerce businesses have processed, and will continue to process, personal data for different purposes even after GDPR goes into effect. And while communicating a legitimate reason for data processing is comprehensible, how to properly communicate this – and how to acquire consent – is not. Perhaps it will be a new version of a cookie banner, but so far this is quite speculative. While the new regulation is on point when it comes to consumer rights, industry guidelines could have been provided more clearly.


Any practical tips for retailers still figuring out GDPR?

Fun fact: GDPR goes into effect on May 25th, which also happens to be Towel Day (celebrating Douglas Adams, author of The Hitchhiker’s Guide to The Galaxy). In his book, Adams describes a hitchhiker’s towel as a representation of preparedness. So I leave you with one important tip: always carry your GDPR towel with you – know where your data is and who processes it.

Want more information about GDPR?

Visit Nosto’s Data Privacy page where you’ll find plenty of info on the privacy control tools we’ve deployed, as well as additional resources all about GDPR.

New research: Festive Shoppers 5x as Likely to Click on Retailers’ Product Recommendations and 81% More Likely to Click on Personalized Content This Year

Shoppers browse 22% more pages per visit, lingering 10% longer on each page as retailers’ product discovery campaigns contribute to a 4.10% hike in average...

Watch a 4 minute demo
Let us demonstrate why over 2,600 leading retailers worldwide have chosen Nosto’s AI-based personalization platform.