What do I need to do for GDPR on my ecommerce site?
As a business owner you are a data controller. Your web developer, hosting provider and SaaS marketing tools (Mailchimp, Salesforce, etc.) are data processors. The data controller is ultimately responsible for the protection of the personal data they store. However, if it is found that your data processor has been negligent then they are also responsible.
All your data processors and sub processors have to be GDPR compliant.
GDPR covers all personal data held in your organisation and with your 3rd party processors.
GDPR does not trump other laws. E.g. if you have to keep personal data to justify VAT charges, then it needs to be kept for tax compliance.
So what do I have to do?
Appoint a staff member to look after data protection, and have them get data protection training and a certification. Typically this is someone at board level, as they will require indemnity insurance to cover the liability of this role.
- Include a GDPR compliance line.
- Specify what information you collect and store from website visitors (e.g. IP addresses, device information, access information, cookies, visit duration and tracking, mouse and swipe actions, email, phone, name, address and billing addresses).
- Specify who has access to this personal data (e.g. you, Mailchimp, Google, Salesforce, etc.).
- Specify the contact details of the assigned Data Protection Officer in your organisation.
- Specify how to lodge a data subject access request.
- Specify how long you hold personal information.
2. Remove all automatic opt-ins on your site.
All checkboxes must be empty in online forms. An empty box cannot imply acceptance.
3. Collect only information you require to run your business.
“If you do not have the information you do not need to protect it”
Delete personal information on servers, Excel sheets, etc. that you no longer use. This includes emails with attached files containing personal information.
Only keep one version of personal information. You may keep copies only for backup and restore purposes. Up to 4 backups is acceptable. If you keep more it needs to be justified. The location of the backups needs to be recorded in your data audit.
Collecting extra information in case you may use it in the future is unlawful. Information you have about individuals that you have no use for must be deleted.
4. All data breaches need to be recorded and actioned with a preventative measure.
Examples of data breaches:
- Personal information being passed to, or coming into the possession of, an unauthorised data processor or sub-processor.
- Passing personal data into a non-GDPR-compliant country.
- Passing of personal data to a third party without the knowledge of the data subject.
- Personal information leaked as a result of a hack on a website.
5. Have a data breach process and plan in place.
“A data breach handled incorrectly can do untold damage to your brand.”
Have an action plan in place and run worst case scenarios to test your plan.
6. Have a process in place for when someone is looking for a copy of their data (Subject Data Access Requests).
“I have a request from an individual for all the personal data you hold on them to be disclosed to them, what do I do?”
- Verify their identity.
- Make sure you have the data before processing the request; if you do not have the data, respond and say “I don't have the data”.
- Do not create more personal data while performing the request.
- Process the request.
- Record it in your data audit log.
- Do it within 20 days.
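The SAR steps above as an added Python example (not code from the original article): identity check before any lookup, a search across every store listed in the data audit, the fixed “I don't have the data” reply when nothing is held, a 20-day due date, and an audit-log entry that records a keyed hash of the address rather than creating new personal data. The store names, records, receipt date and log key are constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
import hashlib
import hmac
SAR_DEADLINE_DAYS = 20                        # deadline stated on this page
NO_DATA_REPLY = "I don't have the data"
AUDIT_LOG_KEY = b"constructed-audit-log-key"  # constructed; load from a secrets store in practice
SAMPLE_RECEIVED = date(2018, 5, 25)           # constructed receipt date

# Constructed sample stores, named as they would appear in the data audit.
STORES = {
    "webshop_orders": [{"email": "ann@example.com", "name": "Ann", "order": "1001"}],
    "mailchimp_list": [{"email": "ann@example.com", "name": "Ann"}],
    "crm_leads": [{"email": "bob@example.com", "name": "Bob", "phone": "0800 000 000"}],
}

@dataclass(frozen=True)
class SarLogEntry:
    request_id: str
    subject_ref: str      # keyed hash of the email, so the log adds no personal data
    received: date
    due: date
    outcome: str
    sources: tuple        # stores that held data; empty when none did

def pseudonymise(email: str) -> str:
    # Keyed hash links log entries to a subject without storing the address itself.
    digest = hmac.new(AUDIT_LOG_KEY, email.lower().encode(), hashlib.sha256)
    return digest.hexdigest()[:16]

def find_personal_data(stores: dict, email: str) -> dict:
    # Check every store from the data audit; only stores holding a match are kept.
    hits = {name: [r for r in rows if r.get("email", "").lower() == email.lower()]
            for name, rows in stores.items()}
    return {name: rows for name, rows in hits.items() if rows}

def handle_sar(request_id: str, email: str, identity_verified: bool,
               received: date, stores: dict, audit_log: list):
    # Returns (reply, data_for_subject); every request gets exactly one log entry.
    due = received + timedelta(days=SAR_DEADLINE_DAYS)
    ref = pseudonymise(email)
    if not identity_verified:   # verify identity before touching any data
        audit_log.append(SarLogEntry(request_id, ref, received, due, "identity_not_verified", ()))
        return "identity verification required", None
    found = find_personal_data(stores, email)
    outcome = "disclosed" if found else "no_data"
    audit_log.append(SarLogEntry(request_id, ref, received, due, outcome, tuple(sorted(found))))
    if not found:
        return NO_DATA_REPLY, None
    return f"data from {len(found)} store(s) disclosed, due by {due.isoformat()}", found
```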
7. Update your contracts, NDAs and privacy policies on your website.
All staff need to have signed NDAs and completed data protection awareness training. A good rule of thumb is to include all staff, even those who do not have direct access to personal information in the normal course of their duties.
All customer contracts have to be updated with a GDPR clause.
This all seems like a lot of extra work for a business owner?
It is a good opportunity to do a data cleanup and make sure all your subcontractors are bona fide, and that you have valid contracts with your customers.
This only applies to big business, they will never check a small business?
Wrong! The Data Protection Commissioner's office may not audit you right now, but they can at any time in the future. If and when you have a data breach you must report it to the Data Protection Commissioner's office. Failure to do so is unlawful. You may get sued for not protecting personal data correctly. If your processes are found to be defective then you are liable for large fines as well as loss of reputation and loss of business. (Google “Loyalty Build” and see the effect of a data breach years after the event.)
What you can no longer do:
1. You cannot send unsolicited emails to anyone. No more purchased lists or merging lists from different companies into other lists.
2. You cannot automatically email discount offers for abandoned shopping carts unless the shopper has opted in to email at the top of the checkout.
3. You cannot refuse to give customers their personal details on request.
4. You cannot send unsolicited text messages via mobile phone numbers.
This is a brief outline of GDPR from an ecommerce point of view. It is advisable to have one person in your organisation who is data protection certified.
Do a data audit. Record the location of all personal data stored in your company. Keep an updated list/record for inspection and audit. This will become the source of data requests in the future.
Make a data breach plan.
Do a data risk assessment.
Run a Data breach dry run.
Update your policies and contracts to include GDPR compliance.
Have a system in place for processing individuals' requests for information from your organisation.
Open source ecommerce GDPR add-ons.
We have a set of add-ons for OpenCart, WooCommerce, Magento and PrestaShop that will look after subject access requests automatically. We will be releasing these in Q1 2018.
For advice on ecommerce GDPR please contact us on +35315242100 or email@example.com