If you sell to EU residents, this law applies to you — even if you aren’t in the EU. Fines for non-compliance will be substantial and can be levied on businesses both in and outside the EU.
What is the GDPR and how does this affect my business and website?
The GDPR is a new law that concerns itself with the handling of personal data of European Union (EU) residents. It takes effect on May 25, 2018.
Over two years in the making, the GDPR is intended to give EU residents more visibility and control over their personal data: how websites, including eCommerce websites, collect data; who they share it with; and what tracking technologies monitor them across the Internet. There is no doubt that other countries will follow suit so you might as well look at updating your Privacy Statement now to stay ahead of the game.
The new law requires stores to inform their customers about what information they collect, store, and share, and establishes specific rules about the kind of consent required before stores can collect personal data. That means that stores will be asking for consent more explicitly, and detailing their use of personal data more specifically in their privacy policies.
In addition to clearer notices and privacy policies, the GDPR also gives EU residents powerful new rights such as the Right of Access, Right to Rectification, and Right to Erasure.
That means that EU residents will be able to:
The GDPR also gives EU residents the right to find out if their personal data has been compromised. Stores will need to notify customers if their personal data is stolen in a breach, and do so in a timely manner.
GDPR isn’t about all information—the new rights for EU residents specifically apply to Personal Data.
Personal Data means anything that can identify a person, either on its own or combined with other data. Examples include a person’s:
Basically, if you can use a piece of data to identify an EU resident, or combine it with other data to identify them—that’s personal data.
We’ll unpack this over the remainder of this series, which will cover:
Start by “self-testing” your own store and noting of all the fields (required or optional)where customers are prompted to enter information or make selections. Note the obvious personal data like name and address, along with anything else you collect from them when they check out or become a registered user on your site.
Next, look at the less explicit tools, like cookies or analytics, that your site uses. Examine what plugins you have installed and review their privacy information.Does a plugin send data outside the country or perhaps the European Union? That’s another thing you’ll need to disclose to customers.
If a plugin doesn’t provide privacy information you can visit the developer’s website or contact them directly and ask them about what data their plugin collects from visitors to your site, if any, and what they do with it.
After you know what you’re collecting, you’ll need to note why you’re collecting it.
Explanations for much of the data you collect are simple: you need their address to ship them a product, or you need their email address to update them on their order status.
If you’re collecting any personal data that you don’t actually need to fulfill an order, you’ll want to explain why to your customer and give them a means to opt out of that sort of “processing” (see “Checkboxes aren’t the only way” below).
Here, a bit of sleuthing is involved — you’ll want to review how they data you collect is used. A few types of plugins are more likely to share data:
Essentially, if a plugin connects to an external service, they’re likely sharing some type of data with that service. You’ll want to review the privacy policies of these services to make sure they align with your privacy priorities.
There are lots of reasons to retain records, including if a charge is disputed by a customer, for tax audition, or for other legal concerns. While laws like the GDPR have “right to erasure,” you are not required erase records you need for these other aspects of your business.
In addition to knowing what you’re doing with personal data, customers need to know how they can update their data, including:
Checkboxes aren’t the only way
You probably know someone who’s requested their data from one of the big social media platforms. It can be staggering to see all the detail in one of these data “dumps”!
If your store collects data from EU residents, you can expect to start receiving “Right of Access” requests under the GDPR.
An EU resident has a right to a copy of all the data you’ve collected about him or her, ideally in an electronic format. This includes information like name, address, and phone number, along with less obvious things like shipment tracking numbers or VAT IDs. Thankfully, WordPress 4.9.6, WooCommerce 3.4, and many WooCommerce extensions automate the legwork Right of Access requests require — we’ll walk you through the process.
To start, do a few test orders with your store to understand what data you collect and develop a standard procedure for responding to requests. Your procedure should include:
Not sure you know all the places data might be stored? Do a test order at your store and use it to flesh out your procedure. You’ll be able to see what plugins are automatically providing data using the new WordPress export tool — and what plugins are conspicuously absent. Note all the plugins you don’t see in the export tool; you’ll have to get their data separately.
1. Confirm identity of the requester
Confirm the identity of the person making the request before you export their personal data. WordPress has a new page under Tools → Export Personal Data where you can send a confirmation request to the customer’s email address (or via their username, if they’re a registered user on your site).
To send the request, type their email address in the box provided and hit “Send Request.” They’ll receive an email with a confirmation link, which they’ll use to confirm the request.
While you’re waiting for the customer to confirm, you’ll see the request displayed as “Pending.” Once they click the link, the status switches to “Confirmed”.
2. Export data
WordPress, WooCommerce, and many extensions work together to assemble an “export” file containing a person’s personal data. You can either send the customer a link to the file— it’s good for three days — or download their file yourself. The latter is useful if you need to combine the export file with sources of data from other plugins to get a complete picture.
After you’ve downloaded or emailed the file, the request will be marked “Completed.” You can leave the completed request alone or use bulk actions to remove it, depending on how you want to log compliance with the law.
Curious to know what a download might look like? Voila:
What About Repeated or Nuisance Requests?
If you find yourself facing multiple requests from the same customer, you are permitted under the law to assess a reasonable fee. That’s something else you should consider as you draw your “right to access” procedures together.
We’ve covered the importance of putting someone in charge of privacy, how to build a policy, and how to prepare for Right of Access request.
Sometimes. a customer wants to remove their digital footprint from the Internet. Maybe they were the victim of identity theft, suffered online harassment, or just want reduce their online presence. Whatever the reason, store owners who collect data from EU residents can expect to receive “Right to Erasure” requests under the GDPR.
As with Right of Access requests, the data a person can expect to be erased includes the obvious — name, address, phone number — and the less obvious, like tracking numbers and VAT IDs.
When you’re ready to fulfill a Right to Erasure request, the good news is that — as with Right to Access requests — WordPress 4.9.6 and WooCommerce 3.4 have tools to help.
Before You Get Your First Request
Here, you’ll also want to start with test orders to understand what data you collect, and develop a standard procedure for responding to requests. Your procedure should include:
Not sure you know all the places data might be stored? This is where a test order is handy; you’ll be able to see what plugins are automatically providing data using the new WordPress export tool. Note all the plugins you don’t see in the export tool; you’ll have to erase data from these plugins separately.
In WooCommerce, new settings help you control and limit automatic erasure of customers’ personal data. You can find them under WooCommerce → Settings → Accounts and Privacy. Here, you can control:
You can also control some Right to Erasure-related settings, like:
As with Right of Access requests, start by confirming the identity of the person making the request before you touch their personal data.
A new WordPress page under Tools → Erase Personal Data lets you send a confirmation request to the customer’s email (or via their username). Type their email address in the box provided and hit “Send Request”.
While you’re waiting for the customer to confirm, you’ll see the request displayed as “Pending.”
After they click the link, you’ll see that status switch to “Confirmed”.
Once their identity is confirmed, click the Erase Personal Data button, and the software will start scrubbing away. WordPress, WooCommerce, and many extensions work together to erase a person’s personal data. If a plugin needs to retain a bit of personal data for whatever reason, it will be displayed to you at the end of the erasure process.
If the person has a user account on your site, the request will also include a link to start the “Delete User” process — the same one that is in WordPress core already. Hold off on this at first; you might want to preserve their account depending on whether any plugins you use return a message about items “retained” during the erasure process.
Again, don’t forget that this only covers plugins that hook into the new WordPress personal data erasure tool — you may need to manually remove personal data collected by other plugins or services to be in full compliance with the Right to Erasure request.
Google blacklists around 10,000 websites every day for malware, removing them from search results — and more importantly, malware can infiltrate customer data and expose your customers (and you!) to fraud and identity theft. Security breaches are a serious business.
To raise the bar on how companies respond to security issues, the GDPR introduces new rules governing what merchants must do when an EU resident’s data is exposed in a breach.
One of the continuing responsibilities of your “designated Data Protection Officer” is to ensure that your site is as secure as possible, which includes:
You need plan outlining what do if you do get hacked. At minimum, your checklist should include:
You might need professional help for some of these, particularly finding and removing the hack, might require professional help — decide who you’ll call in advance, so you’re not scrambling. If you have a big customer database, having a contact plan is a also good idea that will save you some stress.
Hopefully, your store will never be breached! These steps should help reduce your risk , or the severity of any breach that does happen. In the worst-case scenario, a solid plan in place for dealing with the breach and informing your customers will reduce the fallout for everyone involved.
The GDPR is only the latest law designed to shift the balance of power back to consumers — it builds on older laws like the UK’s DPA. And it won’t be the last; store owners can expect updates to the GDPR, and similar laws will be enacted in other countries. Keeping abreast of these laws and which ones apply to you is an ongoing responsibility.