GDPR Readiness Guide For Auctioneers

GDPR Readiness Guide For Auctioneers


On May 25, 2018, one of the largest, most comprehensive data privacy laws to date will be in full force.


The General Data Protection Regulation is a new data privacy law that impacts all those who hope to do business by offering goods or services to the citizens of the EU. Conducting your business online means there is the likelihood that you have international bidders or spectators in your auctions. Thus, auctioneers should take precaution and be sure they are GDPR compliant. The set of laws are strict, and the fines are hefty. As such, we put together an introductory guide to help auctioneers understand GDPR and become GDPR compliant.


GDPR In A Nutshell

As the name infers, General Data Protection Regulation was passed with the intention to protect consumers’ data by enforcing companies’ ethical data collection. Specifically, it gives European citizens the right to review, modify, delete, or restrict the way their data is processed. GDPR defines personal data as “any information relating to an identified or identifiable natural person.” These are broad terms, so it’s best to be prepared. An identifiable natural person is an individual that can be identified, directly or indirectly by reference to an identifier. Identifiers can include names, identification numbers, location data, and online identifiers.


An infographic with an explanation of what personal data isWhat is personal data under the GDPR – infographic by Jessica Lam of – read full article



Why should I care about GDPR?



As an auctioneer, you do business with all sorts of people from all over. This begs the question – Do you know who’s on your mailing lists, your online auctions, or your website? This is such an important question. If you are uncertain, it’s time to take the steps to become GDPR compliant. Infringements can lead to fines of up to 20 million euros ($23. 6 million) or 4% of the total worldwide annual turnover of the preceding financial year, whichever is greater. Needless to say, It’s better to be safe than sorry. Here are some common auctioneer practices that could potentially violate the law.


  • Compiling information belonging to buyers, sellers, clerks, and spectators.
    If you’re auctioning online, it’s safe to say you have a database that contains the names of these individuals along with their addresses, emails, and credit card information. Yes, even usernames and paddle numbers count as unique identifiers.


  • Marketing efforts, such as email blasts, analytics, and chat services.
    Marketing emails are important tools for any business whether or not they are conducted online. You may have obtained these email addresses with the consent of your customers. However, that means nothing under the law unless confirmed consent is acquired. Your website may also collect analytics, and although they may never sign a form containing their personal information, you could be collecting such things as IP, user device, etc. via cookies. This also applies to any information obtained by built-in chat services.


  • No Privacy Policy or an overly complicated Privacy Policy
    Your site-wide terms and conditions may cover all bases concerning your auctions, but it may not be clear on how it collects personal data and what is done with it. A well-drafted privacy policy should be included. These should as clear and concise as possible. Muddied privacy policies will not protect you from the law.



How you can become GDPR compliant


There is no one size fits all privacy policy for auction houses. Different websites and services collect different information to do their business. However, we can give a checklist of what an auction house should clarify to users in general.


The information the auction house collects and how that information is collected

This is where you should break down the information collected from every part of your site. All of it. Notify those who visit your site why you’ve collected that data. This can mean tracking data used for analytics, cookies that allow the site to remember your users, and personally identifiable information collected when users register for billing purposes. If you share this information in any way with any third party companies such as a shipping company or an e-mail delivery service that sends out your auction house’s e-mails or e-newsletters, specify that as well. Try to convey all this in terms that an average user would understand.


Their rights concerning collected data

Under the GDPR, users should be in full control of their data. If at any point they wish to review, edit, or redact their information, they need the ability to do so. Most importantly, they must be made aware of this upon the initial data collection.


The site’s email policy

When a user enters their email address anywhere on the site, they must be notified how that will be used. After registration, it is likely that the auction house will be sending them transactional emails. In addition, the auction house may be sending them alerts of upcoming auctions, auction closings, or auction extensions. This must be specified. It is also necessary to allow them the option to opt-out of such emails.


Necessary data for your auction software functionality

If any data is a necessary part of your auction software functionality, let your bidders know. Again, tell them exactly what data is used for what purpose. If they can’t agree, they can’t participate. Thus, agreeing to your privacy policy needs to be the very first thing users do when visiting your site.



Even if in the past, your users have agreed to hand out their information, you must gather their consent once more. Users must be aware of and agree to an updated privacy policy. No exceptions.



The Takeaway


In its most simple terms, this is a dawn of a new era in data protection laws. And, daunting as it may seem, many more laws like this will surely follow. As such, we hope you’ve found this a helpful resource to begin preparing for GDPR and those laws to follow. 

Disclaimer: This guide is intended to provide friendly and helpful advice and is not a definitive statement of the law.

Leave a Reply