The new policy places strict requirements on organisations that handle the personal data of EU residents and extends new rights to EU residents over their data.
But while organisations around the world have been given a two-year transition period to make their business GDPR-compliant, recent research suggests most businesses outside the EU are nowhere near ready.
Only 18 per cent are prepared
A February report from global professional services firm EY revealed that a mere 18 per cent of Australian firms have a plan in place to comply with the new legislation.
Still, that is slightly better than the 13 per cent of firms in the Americas and 12 per cent of firms in Asia-Pacific that said the same. In comparison, 60 per cent of European firms said they have a plan in place to comply with the new legislation.
The implications of this lack of preparedness are significant, since non-compliant firms face penalties of up to 4 per cent of their worldwide turnover, or €20 million ($31.7 million), whichever is higher.
According to Claudio Bozzi, a lecturer in the faculty of business and law at Deakin University, compliance is not just a question of changing consent forms online or posting new privacy policies; it requires a complete revamp of the way organisations collect, store and utilise customer data.
“It’s probably surprising how many retailers will be impacted, and the compliance effort is going to be more burdensome than they might realise,” he said.
How Redbubble became GDPR-ready
Redbubble’s in-house lawyer Paul Gordon has been leading the compliance initiative for the online art marketplace for the past 12 months.
He said he has spent a significant amount of time working with every functional team across the business to become GDPR-ready.
“Our in-house team has also worked extensively with Redbubble’s EU external legal advisers through this compliance initiative,” Gordon told Inside Retail.
One of the most basic changes Redbubble has made relates to the level of detail it provides about the collection and use of customer data on each of its local language sites.
But the e-commerce company has also worked with its technology partners, many of which are based in the US, to ensure it meets the new requirements around the transfer of customer data outside the EU, including verifying ‘Privacy Shield’ certification for relevant suppliers.
While only a portion of Redbubble’s customers fall within the jurisdiction of the GDPR, the company has chosen to apply the principles of the legislation across the entire business.
“Like many other businesses we see the GDPR as the new global standard in privacy regulation,” Gordon said.