GDPR for eCommerce

What do I need to do for GDPR on my ecommerce site ?

As a business owner you are a data controller. Your web developer, hosting provider and SaaS marketing tools (Mailchimp, Salesforce etc.) are data processors. The data controller is ultimately responsible for the protection of the personal data they store. However, if it is found that your data processor has been negligent then they are also responsible.


All your data processors and sub processors must be GDPR compliant.

GDPR covers all and only personal data held in your organisation and with your 3rd party data processors.

GDPR does not trump other laws. For example, if you have to keep personal data to justify VAT charges then this data needs to be kept for tax compliance. The rule in GB and Ireland is 7 years. Other countries may vary.

So what do I have to do?

Appoint a staff member to look after data protection, and have them get data protection training and a certification. Typically this is someone at board level, as they will require indemnity insurance to cover the liability of this role. If you are a non-board member being asked to take up this role, make sure you are provided with personal indemnity insurance. There are instances where data controllers can be held personally responsible for data breaches.

1. Update your privacy policy

  1. Include a GDPR compliance line.
  2. Specify what information you collect and store from website visitors (e.g. IP addresses, device information, access information, cookies, visit duration and tracking, mouse and swipe actions, email, phone, name, address and billing addresses).
  3. Specify how and where you process the personal information (accounting, marketing, UX research, sales reporting etc.).
  4. Specify who has access to this personal data (e.g. you, Mailchimp, Google, Salesforce etc.).
  5. Specify the contact details of the assigned Data Protection Officer in your organisation.
  6. Specify how to lodge a data subject access request.
  7. Specify how long you hold personal information.
  8. Note: using phrases like “we may use your information” is not compliant.

2. Remove all automatic opt-ins on your site.

All check boxes must be empty in online forms. An empty box cannot imply acceptance. Agreeing to anything via a checkbox has to be explicit and recorded. We would recommend that when a customer agrees to the terms and conditions on a website, a copy of the terms they agreed to is stored with the customer's data. This way you have an explicit record of what the customer agreed to. Our ecommerce GDPR addons cover this.

3. Collect only information you require to run your business.

“If you do not have the information you do not need to protect it”

Delete personal information you have on servers, Excel sheets etc. that you no longer use. This includes emails with attached files containing personal information.

Only keep one version of personal information. You may keep copies only for backup and restore purposes. Up to 4 backups is acceptable. If you keep more it needs to be justified. The location of the backups needs to be recorded in your data audit.

Collecting extra information in case you may use it in the future is unlawful. Information you have about individuals that you have no use for must be deleted.

4. All data breaches need to be recorded and actioned with a preventative measure within 72 hours.

Examples of data breaches:

  1. Personal information being passed to, or coming into the possession of, an unauthorised data processor or sub-processor.
  2. Passing personal data into a non-GDPR-compliant country.
  3. Passing personal data to a third party without the knowledge of the data subject.
  4. Personal information leaked as a result of a hack on a website.

5. Have a data breach process and plan in place.

“A data breach handled incorrectly can do untold damage to your brand.”

Have an action plan in place and run worst case scenarios to test your plan.

6. Have a process in place for when someone is looking for a copy of their data (Subject Data Access Requests).

“I have a request from an individual for all the personal data I hold on them to be disclosed to them, what do I do?”

  1. Verify their identity.
  2. Make sure you have the data before processing the request; if you do not have the data, respond and say “I don't have the data”.
  3. Do not create more personal data while performing the request.
  4. Process the request.
  5. Record it in your data audit log.
  6. Do not reveal other people's personal data, e.g. in ecommerce, shipping names where the name is not the name of the requester.
  7. Do it within 20 days.

There is a GDPR Compliance addon for OpenCart that automates this process. It can be purchased here.

7. How to handle right to be forgotten requests

“Mr J Blog has asked to be forgotten in my organisation, what do I do?”

  1. Verify their identity.
  2. Make sure you have the data before processing the request; if you do not have the data, respond and say “I don't have the data”.
  3. Do not create more personal data while performing the request.
  4. Remove and/or redact the personal information stored. Remove it from all systems and marketing suites.
  5. Record it in your data audit log.
  6. Do it within 20 days.

8. Withdrawal of permission to process personal data after an ecommerce transaction

“Mr J Blog has asked that his data is not processed after his products are shipped, what do I do?”

  1. Verify their identity.
  2. Make sure you have the data before processing the request; if you do not have the data, respond and say “I don't have the data”.
  3. Flag the data in your databases as not to be used in marketing reports or data mining.
  4. Notify the subject that you have received their request and flagged their data to be excluded from further data processing.
  5. Record it in your data audit log.

9. Request for personal data in a portable transferable format.

“Mr J Blog has asked for a copy of his personal data as he needs it for some other service.”

  1. Verify their identity.
  2. Make sure you have the data before processing the request; if you do not have the data, respond and say “I don't have the data”.
  3. Send the personal data in a readable CSV format.
  4. Record it in your data audit log.
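The export step described in sections 6 and 9 above (send the requester's own data as readable CSV, leave out other people's data such as gift recipients' shipping names, and write an audit log entry), as an added example that is not the page's own code or any of the addons it sells. It assumes identity has already been verified, a simple order table with constructed sample rows, and that the requester's billing name is the one to compare shipping names against.

```python
import csv
import io
import json
from datetime import datetime, timezone

# Constructed sample order records for a fictional shop (not real customer data).
ORDERS = [
    {"order_id": 1001, "email": "j.blog@example.com", "billing_name": "J Blog",
     "shipping_name": "J Blog", "shipping_address": "1 High St, Dublin", "total": "42.50"},
    {"order_id": 1002, "email": "j.blog@example.com", "billing_name": "J Blog",
     "shipping_name": "A Friend", "shipping_address": "9 Gift Lane, Cork", "total": "19.99"},
    {"order_id": 1003, "email": "other@example.com", "billing_name": "S Other",
     "shipping_name": "S Other", "shipping_address": "5 Elm Rd, Galway", "total": "7.00"},
]
FIELDS = ["order_id", "email", "billing_name", "shipping_name", "shipping_address", "total"]
REDACTED = "[redacted: third party]"


def build_sar_export(orders, requester_email, requester_name):
    """Return (csv_text, row_count) for an already identity-verified requester.
    Other customers' orders are skipped; a shipping name that is not the requester's
    (e.g. a gift recipient) is someone else's personal data and is redacted."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=FIELDS)
    writer.writeheader()
    rows = 0
    for order in orders:
        if order["email"].lower() != requester_email.lower():
            continue  # not this subject's record: never part of the export
        row = dict(order)
        if row["shipping_name"].strip().lower() != requester_name.strip().lower():
            row["shipping_name"] = REDACTED
            row["shipping_address"] = REDACTED
        writer.writerow(row)
        rows += 1
    return out.getvalue(), rows


def handle_request(orders, requester_email, requester_name, request_type="SAR"):
    """Run the export and produce the audit-log line; report 'no data' when nothing is held."""
    csv_text, rows = build_sar_export(orders, requester_email, requester_name)
    audit = json.dumps({
        "when": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "type": request_type, "subject": requester_email, "rows_exported": rows,
    })
    if rows == 0:
        return {"found": False, "csv": None, "audit": audit}
    return {"found": True, "csv": csv_text, "audit": audit}
```

The same function serves a portability request (section 9) by passing `request_type="portability"`; the audit line is what goes into the data audit log either way.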


10. Update your contracts, NDAs and privacy policies on your website.

All staff need to have signed NDAs and data protection awareness training. A good rule of thumb is to include all staff, even if they do not have direct access to personal information in the normal course of their duties.

All customer contracts have to be updated with a GDPR clause.

11. Have a Data Breach Plan.

When a data breach occurs you must, within 72 hours:

  1. Investigate the breach and locate its source.
  2. Put in place actions to prevent it from happening again.
  3. Report the scope of the breach to all affected data subjects.
  4. Notify the Data Commissioner of the breach, including:
    1. The scope of the breach
    2. Number of affected subjects
    3. The source of the breach
    4. The measures taken to prevent and stop the breach from happening again

Depending on the scale and type of breach, the Data Commissioner's office may stop you from processing data until they investigate the breach further.

This could prevent you from processing payments, issuing invoices and making sales. Even if no fine is imposed, there is the disruption to your business.

This all seems like a lot of extra work for a business owner?

It is a good opportunity to do a data cleanup and make sure all your sub-contractors are bona fide, and that you have valid contracts with your customers.

This only applies to big business, they will never check a small business?

Wrong! The Data Protection Commissioner's office may not audit you right now, but they can at any time in the future. If and when you have a data breach you must report this to the Data Commissioner's office. Failure to do so is unlawful. You may get sued for not protecting personal data correctly. If your processes are found to be defective then you are liable for large fines as well as the loss of reputation and loss of business. (Google “Loyalty Build” and see the effect of a data breach years after the event.)


What you can no longer do.

1. You cannot send unsolicited emails to anyone. No more purchased lists or merging lists from different companies into other lists.

2. You cannot auto-email abandoned shopping carts offering discounts unless the shopper has opted in to email at the top of the checkout.

3. You cannot refuse to give customers their personal details on request.

4. You cannot send unsolicited text messages via mobile phone numbers.


In summary

This is a brief outline of GDPR from an ecommerce point of view. It is advisable to have 1 person in your organisation who is Data Protection certified.

Do a data audit. Record the location of all personal data stored in your company. Keep an updated list/record for inspection and audit. This will become the source of data requests in the future.

Make a data breach plan.

Do a data risk assessment.

Run a Data breach dry run.

Update your policies and contracts to include GDPR compliance.

Have a system in place for processing individuals' requests for information from your organisation.


Open Source Ecommerce GDPR Addons

(These plugins are sold via opencart.com and ecomextras.com, we don't sell on other marketplaces.)

We have addons in development for WooCommerce, Magento and PrestaShop that will look after subject access requests automatically.

For advice on ecommerce GDPR please contact us on +35315242100 or sales@willowsconsulting.ie

We have used GDPR365 to complete our GDPR preparedness and we found it good.

GDPR 365

(This is an affiliate link.)

Finally, a word from the Irish Data Protection Commissioner, who has Facebook, Google et al. within their remit. This outlines their priorities in enforcement.

Published August 31st, 2017 (updated 2018-04-23) | e commerce