If you sell to EU residents, this law applies to you — even if you aren’t in the EU. Fines for non-compliance will be substantial and can be levied on businesses both in and outside the EU.
What is the GDPR and how does this affect my business and website?
The GDPR is a new law that concerns itself with the handling of personal data of European Union (EU) residents. It takes effect on May 25, 2018.
Over two years in the making, the GDPR is intended to give EU residents more visibility and control over their personal data: how websites, including eCommerce websites, collect data; who they share it with; and what tracking technologies monitor them across the Internet. There is no doubt that other countries will follow suit so you might as well look at updating your Privacy Statement now to stay ahead of the game.
What new privacy-related rights does the GDPR gives EU residents?
The new law requires stores to inform their customers about what information they collect, store, and share, and establishes specific rules about the kind of consent required before stores can collect personal data. That means that stores will be asking for consent more explicitly, and detailing their use of personal data more specifically in their privacy policies.
In addition to clearer notices and privacy policies, the GDPR also gives EU residents powerful new rights such as the Right of Access, Right to Rectification, and Right to Erasure.
That means that EU residents will be able to:
- Demand a copy of all the data you have about them.
- Demand any errors in the data be corrected.
- Request the removal of all personal data.
The GDPR also gives EU residents the right to find out if their personal data has been compromised. Stores will need to notify customers if their personal data is stolen in a breach, and do so in a timely manner.
What’s Personal Data, Exactly?
GDPR isn’t about all information—the new rights for EU residents specifically apply to Personal Data.
Personal Data means anything that can identify a person, either on its own or combined with other data. Examples include a person’s:
- Name
- Physical address or email address
- Phone number
- Last four credit card digits
- Shipping tracking numbers ( these are unique to an order, and thus to a person)
- IP address
Basically, if you can use a piece of data to identify an EU resident, or combine it with other data to identify them—that’s personal data.
What Should I Be Doing Right Now?
We’ll unpack this over the remainder of this series, which will cover:
- Why you need to put someone in charge of privacy. You’ll want to designate someone to lead this effort. If you’re a one-person shop, that’ll be you or that can be WebsiteToGo.
- What constitutes a GDPR-acceptable Privacy Policy. You need to disclose how and why you collect personal data, how long it is retained, and who it is shared with. With WordPress and WooCommerce, you also need to consider how plugins and services your store uses affect customer privacy.
- How to respond to Right of Access and Right to Erasure requests. There are some helpful new personal data export tools coming to WordPress and WooCommerce.
- What to do in case of a security breach. No one wants this to happen, but preparing for this worst case scenario is part of your privacy responsibility under the GDPR.
- Decide how customers should make privacy-specific requests. This be via a contact form on your site or through a special email address (e.g., [email protected]).
- Update your privacy policy with how you use and store data, and why. The GDPR requires you to disclose data information. Can you collect less personal data? How long does your business need to retain records for state/provincial/federal taxes? When and how do you backup, and ultimately destroy, customer and order records? For WordPress and WooCommerce, this includes reviewing the data practices of plugins and services your store relies on. All this information should be published as your Privacy Policy.
- Keep attuned to future changes in privacy laws that might affect your business.
How to Update to Your Privacy Policy
In addition to being a GDPR requirement, a well-written, easily understood privacy policy can help close sales with increasingly privacy-conscious consumers. Pulling together a privacy policy for your WooCommerce store involves a bit of research, a bit of writing, and a commitment to revisit the policy from time to time.
Starting with WordPress 4.9.6, you’ll be able to create or designate a page on your site as your store’s privacy policy. If you don’t already have WordPress running, if you are on Joomla or another CMS, talk to us about getting your site converted to WordPress or about how we can help create your privacy policy enabling you to be compliant. If you are already on WordPress, you’ll find this new feature in WP Admin > Settings > Privacy:
1. What data does this store collect about me?
Start by “self-testing” your own store and noting of all the fields (required or optional)where customers are prompted to enter information or make selections. Note the obvious personal data like name and address, along with anything else you collect from them when they check out or become a registered user on your site.
Next, look at the less explicit tools, like cookies or analytics, that your site uses. Examine what plugins you have installed and review their privacy information.Does a plugin send data outside the country or perhaps the European Union? That’s another thing you’ll need to disclose to customers.
Take advantage of the new tools in WordPress to see privacy updates from active plugins: starting with WordPress 4.9.6, plugins can register privacy information with WordPress itself, and you’ll see that information a special box near the editor when you are editing your privacy policy page in wp-admin. WordPress itself will also provide information on the information it collects from visitors to your site, like comments and cookies.
The new privacy information box makes it possible to copy and paste privacy information from WordPress and plugins directly into your privacy policy, where you can edit it to the particulars of your store. However, since much depends on the specific settings you use and how plugins interact with one another, you’ll want to review and edit that text to make sure it’s right for your store.
If a plugin doesn’t provide privacy information you can visit the developer’s website or contact them directly and ask them about what data their plugin collects from visitors to your site, if any, and what they do with it.
2. What does this store do with my data and why?
After you know what you’re collecting, you’ll need to note why you’re collecting it.
Explanations for much of the data you collect are simple: you need their address to ship them a product, or you need their email address to update them on their order status.
If you’re collecting any personal data that you don’t actually need to fulfill an order, you’ll want to explain why to your customer and give them a means to opt out of that sort of “processing” (see “Checkboxes aren’t the only way” below).
3. Who does this store share my data with?
Here, a bit of sleuthing is involved — you’ll want to review how they data you collect is used. A few types of plugins are more likely to share data:
- Payment gateways often share data with the payment provider to process the payment.
- Shipping extensions often share data with shipping providers to calculate shipping rates or print shipping labels.
- Marketing and analytics extensions often share data to add customers to lists or analyze their behavior.
Essentially, if a plugin connects to an external service, they’re likely sharing some type of data with that service. You’ll want to review the privacy policies of these services to make sure they align with your privacy priorities.
4. How long does this store keep my data?
There are lots of reasons to retain records, including if a charge is disputed by a customer, for tax audition, or for other legal concerns. While laws like the GDPR have “right to erasure,” you are not required erase records you need for these other aspects of your business.
That said, your privacy policy, alongside your terms and conditions page, should make it clear to customers how long you retain their personal data and why.
5. How can I access, update, or delete the collected data?
In addition to knowing what you’re doing with personal data, customers need to know how they can update their data, including:
- Getting a copy of their data
- Updating their data
- Deleting their data
Your privacy policy should give customers clear instructions on how to reach you or your designated privacy person with these of requests. If you allow your customers to edit some of their own information, for example under My Account, you can mention that here as well.
Checkboxes aren’t the only way
Under the GDPR, there are multiple legal approaches to handling personal data. Your privacy policy should state under which basis you are doing each kind of processing of personal data. The ones most applicable to eCommerce sites include:
- Consent: The user explicitly gives their consent to a specific kind of processing of their personal data (e.g., consent to participate in market research performed by a third party).
- Contractual necessity: The processing of the personal data is required to fulfill a contract (e.g., ship their order).
- Compliance with legal obligations: The processing of the personal data is required for legal reasons (e.g., a VAT Tax ID).
- Legitimate interests: The processing of the personal data is a legitimate, expected behavior of a business (e.g., follow up emails after they’ve placed their order with other products they may be interested in).
Take building your privacy policy one step at a time
That’s a long list, we know! Tackle it step-by-step, and don’t worry about creating a perfect privacy policy on day one. Keeping your privacy policy fresh and up-to-date, especially as you add plugins — or plugins add features — will be a ongoing activity just like any other business maintenance you do.
The GDPR: Right of Access Requests
You probably know someone who’s requested their data from one of the big social media platforms. It can be staggering to see all the detail in one of these data “dumps”!
If your store collects data from EU residents, you can expect to start receiving “Right of Access” requests under the GDPR.
An EU resident has a right to a copy of all the data you’ve collected about him or her, ideally in an electronic format. This includes information like name, address, and phone number, along with less obvious things like shipment tracking numbers or VAT IDs. Thankfully, WordPress 4.9.6, WooCommerce 3.4, and many WooCommerce extensions automate the legwork Right of Access requests require — we’ll walk you through the process.
Before You Get Your First Request
To start, do a few test orders with your store to understand what data you collect and develop a standard procedure for responding to requests. Your procedure should include:
- How you will confirm the person’s identity: You don’t want to send personal data to anyone but an authorized person!
- Where you will obtain the data. Some data will be available using the new tools in WordPress and WooCommerce. Some plugins store data separately, and you might have other online systems separate from your WordPress/WooCommerce store where you input data. Make a list of all sources of personal data connected to your store.
Not sure you know all the places data might be stored? Do a test order at your store and use it to flesh out your procedure. You’ll be able to see what plugins are automatically providing data using the new WordPress export tool — and what plugins are conspicuously absent. Note all the plugins you don’t see in the export tool; you’ll have to get their data separately.
When The First Request Comes In
1. Confirm identity of the requester
Confirm the identity of the person making the request before you export their personal data. WordPress has a new page under Tools → Export Personal Data where you can send a confirmation request to the customer’s email address (or via their username, if they’re a registered user on your site).
To send the request, type their email address in the box provided and hit “Send Request.” They’ll receive an email with a confirmation link, which they’ll use to confirm the request.
While you’re waiting for the customer to confirm, you’ll see the request displayed as “Pending.” Once they click the link, the status switches to “Confirmed”.
2. Export data
WordPress, WooCommerce, and many extensions work together to assemble an “export” file containing a person’s personal data. You can either send the customer a link to the file— it’s good for three days — or download their file yourself. The latter is useful if you need to combine the export file with sources of data from other plugins to get a complete picture.
After you’ve downloaded or emailed the file, the request will be marked “Completed.” You can leave the completed request alone or use bulk actions to remove it, depending on how you want to log compliance with the law.
Curious to know what a download might look like? Voila:
What About Repeated or Nuisance Requests?
If you find yourself facing multiple requests from the same customer, you are permitted under the law to assess a reasonable fee. That’s something else you should consider as you draw your “right to access” procedures together.
We’ve covered the importance of putting someone in charge of privacy, how to build a policy, and how to prepare for Right of Access request.
The GDPR: Right to Erasure Requests
Sometimes. a customer wants to remove their digital footprint from the Internet. Maybe they were the victim of identity theft, suffered online harassment, or just want reduce their online presence. Whatever the reason, store owners who collect data from EU residents can expect to receive “Right to Erasure” requests under the GDPR.
As with Right of Access requests, the data a person can expect to be erased includes the obvious — name, address, phone number — and the less obvious, like tracking numbers and VAT IDs.
One significant difference is that Right to Erasure requests are more like a right to requesterasure. As a business owner, you probably need to keep some data for a limited time to comply with contractual obligations and protect yourself, like keeping tracking IDs to defend against shipping disputes or keeping VAT information for tax audits. Before you get your first request, it’s important to know what personal customer data you need to store, and to include this in your privacy policy and terms and conditions.
When you’re ready to fulfill a Right to Erasure request, the good news is that — as with Right to Access requests — WordPress 4.9.6 and WooCommerce 3.4 have tools to help.
Before You Get Your First Request
Here, you’ll also want to start with test orders to understand what data you collect, and develop a standard procedure for responding to requests. Your procedure should include:
- How you will confirm the person’s identity: Only an authorized person can request erasure.
- Where you will obtain the data. Some data will be available using the new tools in WordPress and WooCommerce. Some plugins store data separately, and you might have other online systems separate from your WordPress/WooCommerce store where you input data.
Not sure you know all the places data might be stored? This is where a test order is handy; you’ll be able to see what plugins are automatically providing data using the new WordPress export tool. Note all the plugins you don’t see in the export tool; you’ll have to erase data from these plugins separately.
In WooCommerce, new settings help you control and limit automatic erasure of customers’ personal data. You can find them under WooCommerce → Settings → Accounts and Privacy. Here, you can control:
- How long inactive accounts are preserved.
- How long pending, failed, or cancelled orders are preserved.
- How long completed orders are preserved.
You can also control some Right to Erasure-related settings, like:
- Whether personal data in orders should be removed.
- Whether access to downloads should be rescinded.
When That First Request Comes In
As with Right of Access requests, start by confirming the identity of the person making the request before you touch their personal data.
A new WordPress page under Tools → Erase Personal Data lets you send a confirmation request to the customer’s email (or via their username). Type their email address in the box provided and hit “Send Request”.
While you’re waiting for the customer to confirm, you’ll see the request displayed as “Pending.”
After they click the link, you’ll see that status switch to “Confirmed”.
Once their identity is confirmed, click the Erase Personal Data button, and the software will start scrubbing away. WordPress, WooCommerce, and many extensions work together to erase a person’s personal data. If a plugin needs to retain a bit of personal data for whatever reason, it will be displayed to you at the end of the erasure process.
If the person has a user account on your site, the request will also include a link to start the “Delete User” process — the same one that is in WordPress core already. Hold off on this at first; you might want to preserve their account depending on whether any plugins you use return a message about items “retained” during the erasure process.
Again, don’t forget that this only covers plugins that hook into the new WordPress personal data erasure tool — you may need to manually remove personal data collected by other plugins or services to be in full compliance with the Right to Erasure request.
The GDPR: Security Breaches
Google blacklists around 10,000 websites every day for malware, removing them from search results — and more importantly, malware can infiltrate customer data and expose your customers (and you!) to fraud and identity theft. Security breaches are a serious business.
To raise the bar on how companies respond to security issues, the GDPR introduces new rules governing what merchants must do when an EU resident’s data is exposed in a breach.
One of the continuing responsibilities of your “designated Data Protection Officer” is to ensure that your site is as secure as possible, which includes:
- Ensuring that your site is always using the latest version of WordPress.
- Ensuring that your site is always using the latest versions of WooCommerce and any other plugins.
- Deactivating and removing unneeded plugins or themes.
- Making regular, secure backups of your website data, especially WooCommerce data.
- Exporting and archiving completed orders to secure storage. The less data stored on your website, the less exposure you have — and the fewer customers you need to notify in the event of a breach.
- Requiring strong, unique passwords on all WordPress accounts.
- Limiting the number of people with access to wp-admin.
- Making sure each employee has a separate login. No shared accounts!
- Removing accounts immediately when employees or contractors leave your company.
Create a Security Breach Checklist
You need plan outlining what do if you do get hacked. At minimum, your checklist should include:
- Changing all passwords.
- Creating a fresh backup.
- Identifying the hack and removing their code and means of access.
- Contacting any supervisory authority required, especially in the EU.
- Contacting impacted customers.
- Looking at preventative measures that will prevent the hack from happening again, and taking action.
You might need professional help for some of these, particularly finding and removing the hack, might require professional help — decide who you’ll call in advance, so you’re not scrambling. If you have a big customer database, having a contact plan is a also good idea that will save you some stress.
Prevention is The Best Medicine
Hopefully, your store will never be breached! These steps should help reduce your risk , or the severity of any breach that does happen. In the worst-case scenario, a solid plan in place for dealing with the breach and informing your customers will reduce the fallout for everyone involved.
The GDPR: Ongoing Compliance
The GDPR is only the latest law designed to shift the balance of power back to consumers — it builds on older laws like the UK’s DPA. And it won’t be the last; store owners can expect updates to the GDPR, and similar laws will be enacted in other countries. Keeping abreast of these laws and which ones apply to you is an ongoing responsibility.
Whoever is charged with keeping an eye on privacy matters for you will need to make sure your store’s privacy policy stays fresh, especially as you add, update, or remove plugins and third-party services. Plugins will also update their privacy declarations, as they evolve to use personal data in new ways. Stores will need to keep on top of requests and security and data retention on an ongoing basis. Data security is as much a part of day-to-day work as tracking inventory and sales.
