Getting your business prepared for the GDPR is no small task, and it doesn’t end when the law takes effect on May 25th.
Put Someone in Charge of Data
A Data Protection Officer is a formal role required by the GDPR. If you’re a one-person shop this falls to you, so you’ll need to set aside some time to stay on top of compliance. Whether it is you or one of your employees, you must designate someone to take charge of your business’s data protection strategy and compliance, and:
- Decide how customers should make privacy-specific requests. This could be via a contact form on your site or through a special email address (e.g., firstname.lastname@example.org).
- Prepare for and respond to right to erasure / right of access requests. Customers can request that you delete their data, and you’re required to comply.
- Prepare for and respond to security breaches. The GDPR requires you to disclose breaches to your customers promptly.
- Keep attuned to future changes in privacy laws that might affect your business.
1. What data does this store collect about me?
Start by “self-testing” your own store and noting all the fields (required or optional) where customers are prompted to enter information or make selections. Note the obvious personal data like name and address, along with anything else you collect from them when they check out or become a registered user on your site.
Next, look at the less explicit tools, like cookies or analytics, that your site uses. Examine what plugins you have installed and review their privacy information. Does a plugin send data outside the country, or perhaps outside the European Union? That’s another thing you’ll need to disclose to customers.
If a plugin doesn’t provide privacy information, you can visit the developer’s website or contact them directly and ask what data their plugin collects from visitors to your site, if any, and what they do with it.
2. What does this store do with my data and why?
After you know what you’re collecting, you’ll need to note why you’re collecting it.
Explanations for much of the data you collect are simple: you need their address to ship them a product, or you need their email address to update them on their order status.
If you’re collecting any personal data that you don’t actually need to fulfill an order, you’ll want to explain why to your customer and give them a means to opt out of that sort of “processing” (see “Checkboxes aren’t the only way” below).
3. Who does this store share my data with?
Here, a bit of sleuthing is involved — you’ll want to review how the data you collect is used. A few types of plugins are more likely to share data:
- Payment gateways often share data with the payment provider to process the payment.
- Shipping extensions often share data with shipping providers to calculate shipping rates or print shipping labels.
- Marketing and analytics extensions often share data to add customers to lists or analyze their behavior.
Essentially, if a plugin connects to an external service, they’re likely sharing some type of data with that service. You’ll want to review the privacy policies of these services to make sure they align with your privacy priorities.
4. How long does this store keep my data?
There are lots of reasons to retain records, including if a charge is disputed by a customer, for tax audits, or for other legal concerns. While laws like the GDPR include a “right to erasure,” you are not required to erase records you need for these other aspects of your business.
5. How can I access, update, or delete the collected data?
In addition to knowing what you’re doing with personal data, customers need to know how they can exercise their rights over their data, including:
- Getting a copy of their data
- Updating their data
- Deleting their data
Checkboxes aren’t the only way
A consent checkbox is only one of the lawful bases the GDPR recognizes for processing personal data. The bases most relevant to a store are:
- Consent: The user explicitly gives their consent to a specific kind of processing of their personal data (e.g., consent to participate in market research performed by a third party).
- Contractual necessity: The processing of the personal data is required to fulfill a contract (e.g., ship their order).
- Compliance with legal obligations: The processing of the personal data is required for legal reasons (e.g., a VAT ID).
- Legitimate interests: The processing of the personal data is a legitimate, expected behavior of a business (e.g., follow-up emails after they’ve placed their order, suggesting other products they may be interested in).
Next up? The long and short of Right of Access requests.