General Data Protection Regulation (GDPR)

The General Data Protection Regulation (GDPR) takes effect on May 25, 2018. This article describes how to Get Ready for the GDPR, what you need to do about this new European law, and explores the ins and outs of the law and how it applies to you, an eCommerce store owner. The guidelines are there to inform and equip customers to adjust to GDPR irrespective of whether you’ve had an online store for a long time or in the early stages.

What is the GDPR, exactly?

The GDPR is a new law taking effect on May 25, 2018 that concerns itself with the handling of personal data of European Union (EU) residents. Over two years in the making, the GDPR is intended to give EU residents more visibility and control over their personal data: how websites, including eCommerce websites, collect data; who they share it with; and what tracking technologies monitor them across the Internet.

If you sell to EU residents, this law applies to you — even if you aren’t in the EU. Fines for non-compliance will be substantial and can be levied on businesses both in and outside the EU.

What new privacy-related rights does the GDPR gives EU residents?

The new law requires stores to inform their customers about what information they collect, store, and share, and establishes specific rules about the kind of consent required before stores can collect personal data. That means that stores will be asking for consent more explicitly, and detailing their use of personal data more specifically in their privacy policies.

In addition to clearer notices and privacy policies, the GDPR also gives EU residents powerful new rights such as the Right of Access, Right to Rectification, and Right to Erasure.

That means that EU residents will be able to:

  • Demand a copy of all the data you have about them.
  • Demand any errors in the data be corrected.
  • Request the removal of all personal data.

The GDPR also gives EU residents the right to find out if their personal data has been compromised. Stores will need to notify customers if their personal data is stolen in a breach, and do so in a timely manner.

What’s Personal Data, Exactly?

GDPR isn’t about all information—the new rights for EU residents specifically apply to Personal Data. Personal Data means anything that can identify a person, either on its own or combined with other data. Examples include a person’s:

  • Name
  • Physical address or email address
  • Phone number
  • Last four credit card digits
  • Shipping tracking numbers ( these are unique to an order, and thus to a person)
  • IP address

Basically, if you can use a piece of data to identify an EU resident, or combine it with other data to identify them—that’s personal data.

What Should We Be Doing Right Now?

Put Someone in Charge of Data

A Data Protection Officer is a formal role required by the GDPR. If you’re a one-person shop this falls to you, so you’ll need to set aside some time to stay on top of compliance. Whether it is you or one of your employees, you must designate someone to take charge of your business’ data protection strategy and compliance, and:

  • Decide how customers should make privacy-specific requests. This be via a contact form on your site or through a special email address (e.g.,
  • Update your privacy policy with how you use and store data, and why. The GDPR requires you to disclose data information.
    • Can you collect less personal data?
    • How long does your business need to retain records for state/provincial/federal taxes?
    • When and how do you backup, and ultimately destroy, customer and order records?
    • This includes reviewing the data practices of 3rd party services and plug-in solutions the store relies on.
  • Prepare for and respond to right to erasure / of access requests. Customers can request that you delete their data, and you’re required to comply.
  • Prepare for and respond to security breaches. The GDPR requires you to disclose breaches to your customers promptly.
  • Keep attuned to future changes in privacy laws that might affect your business.

How to Update to Your Privacy Policy

In addition to being a GDPR requirement, a well-written, easily understood privacy policy can help close sales with increasingly privacy-conscious consumers. Pulling together a privacy policy for your store involves a bit of research, a bit of writing, and a commitment to revisit the policy from time to time.

We highly recommend you get legal advice on changes to your existing privacy policy. Your privacy policy should be easy to find and edit as a page/article on your website. Before you make a change, we recommend, copying or making a backup of your old policy as a reference.

1. What data does this store collect about me?

Start by “self-testing” your own store and noting of all the fields (required or optional) where customers are prompted to enter information or make selections. Note the obvious personal data like name and address, along with anything else you collect from them when they check out or become a registered user on your site.

Next, look at the less explicit tools, like cookies or analytics, that your site uses. Examine what 3rd parties you partner with and review their privacy information. Do they send data outside the country or perhaps the European Union?  That’s another thing you’ll need to disclose to customers.

2. What does this store do with my data and why?

After you know what you’re collecting, you’ll need to note why you’re collecting it. Explanations for much of the data you collect are simple: you need their address to ship them a product, or you need their email address to update them on their order status.

If you’re collecting any personal data that you don’t actually need to fulfil an order, you’ll want to explain why to your customer and give them a means to opt out of that sort of “processing” (see “Checkboxes aren’t the only way” below).

3. Who does this store share my data with?

You’ll want to review how the data you collect is used. A few types of organisations are more likely to share data:

  • Payment gateways often share data with the payment provider to process the payment.
  • Shipping extensions often share data with shipping providers to calculate shipping rates or print shipping labels.
  • Marketing and analytics extensions often share data to add customers to lists or analyze their behavior.

Essentially, if a piece of software connects to an external service, they’re likely sharing some type of data with that service. You’ll want to review the privacy policies of these services to make sure they align with your privacy priorities.

4. How long does this store keep my data?

There are lots of reasons to retain records, including if a charge is disputed by a customer, for tax audition, or for other legal concerns. While laws like the GDPR have “right to erasure,” you are not required erase records you need for these other aspects of your business. That said, your privacy policy, alongside your terms and conditions page, should make it clear to customers how long you retain their personal data and why.

5. How can I access, update, or delete the collected data?

In addition to knowing what you’re doing with personal data, customers need to know how they can update their data, including:

  • Getting a copy of their data
  • Updating their data
  • Deleting their data

Your privacy policy should give customers clear instructions on how to reach you or your designated privacy person with these of requests. If you allow your customers to edit some of their own information, for example under My Account, you can mention that here as well.

Checkboxes aren’t the only way

Under the GDPR, there are multiple legal approaches to handling personal data. Your privacy policy should state under which basis you are doing each kind of processing of personal data. The ones most applicable to eCommerce sites include:

  • Consent: The user explicitly gives their consent to a specific kind of processing of their personal data (e.g., consent to participate in market research performed by a third party).
  • Contractual necessity: The processing of the personal data is required to fulfill a contract (e.g., ship their order).
  • Compliance with legal obligations: The processing of the personal data is required for legal reasons (e.g., a VAT Tax ID).
  • Legitimate interests: The processing of the personal data is a legitimate, expected behavior of a business (e.g., follow up emails after they’ve placed their order with other products they may be interested in).

Take building your privacy policy one step at a time

Tackle it step-by-step, and don’t worry about creating a perfect privacy policy on day one.

Keeping your privacy policy fresh and up-to-date, especially as you add 3rd party solution providers will be a ongoing activity just like any other business maintenance you do.

Before You Get Your First Request

To start, do a few test orders with your store to understand what data you collect and develop a standard procedure for responding to requests. Your procedure should include:

  • How you will confirm the person’s identity: You don’t want to send personal data to anyone but an authorized person!
  • Where you will obtain the data? Some data will be available in orders, forms customers have filled in. Some 3rd party solution providers store data separately, and you might have other online systems separate from your eCommerce store where you input data. Make a list of all sources of personal data connected to your store.

When The First Request Comes In

  1. Confirm identity of the requester: Before you export their personal data, confirm the identity of the person making the request.
  2. Export data

What About Repeated or Nuisance Requests?

If you find yourself facing multiple requests from the same customer, you are permitted under the law to assess a reasonable fee. That’s something else you should consider as you draw your “right to access” procedures together.

“Right to Erasure” requests

Sometimes. a customer wants to remove their digital footprint from the Internet. Maybe they were the victim of identity theft, suffered online harassment, or just want reduce their online presence. Whatever the reason, store owners who collect data from EU residents can expect to receive “Right to Erasure” requests under the GDPR.

As with Right of Access requests, the data a person can expect to be erased includes the obvious — name, address, phone number — and the less obvious, like tracking numbers and VAT IDs.

One significant difference is that Right to Erasure requests are more like a right to request erasure. As a business owner, you probably need to keep some data for a limited time to comply with contractual obligations and protect yourself, like keeping tracking IDs to defend against shipping disputes or keeping tax information for audits.

You will want to define some of the following

  • How long guest/inactive accounts are kept.
  • How long draft or cancelled orders are preserved.
  • How long Shipped orders are preserved.

You may also need to set and manage some Right to Erasure-related settings, like:

  • Whether personal data in orders should be removed.
  • Whether access to downloads should be rescinded

GDPR Security Breaches

Google blacklists around 10,000 websites every day for malware, removing them from search results — and more importantly, malware can infiltrate customer data and expose your customers (and you!) to fraud and identity theft. Security breaches are a serious business.

To raise the bar on how companies respond to security issues, the GDPR introduces new rules governing what merchants must do when an EU resident’s data is exposed in a breach.

One of the continuing responsibilities of your “designated Data Protection Officer” is to ensure that your site is as secure as possible, which includes:

  • Ensuring that your site is always using the latest version .
  • Ensuring that your site is always using the latest versions of any 3rd party solutions.
  • Deactivating and removing unneeded components or third parties.
  • Making regular, secure backups of your website data: all our clients’ sites are backed up daily.
  • Exporting and archiving completed orders to secure storage. The less data stored on your website, the less exposure you have — and the fewer customers you need to notify in the event of a breach.
  • Requiring strong, unique passwords on all accounts.
  • Limiting the number of people with access to admin.
  • Making sure each employee has a separate login. No shared accounts!
  • Removing accounts immediately when employees or contractors leave your company.

What changed with the GDPR with regard to security breaches?

In addition to designating a Data Protection Officer, the GDPR requirements also include:

  • Protecting personal data by employing techniques such as access restrictions, encryption, pseudonymization, backups, data minimization, and regular testing of all these techniques.
  • Notifying the appropriate supervisory authority no more than 72 hours after of becoming aware of a breach of users’ personal data, including the number of users whose data was exposed, the nature of the breach, and what actions are being taken to mitigate its effects.
  • Communicating this information to the impacted users, especially if the data breach exposed any of their unencrypted personal data.
  • Considering the needs of any law enforcement investigations before publicly announcing the breach.

As always, we recommend consulting an lawyer/attorney for the specifics around your business and the types of personal data processing on which your site depends.

Create a Security Breach Checklist

You need plan outlining what do if you do get hacked –– this guide lays out the key actions in more detail. Take a look and see what steps apply to you, then turn it into a checklist. At minimum, your checklist should include:

  • Changing all passwords.
  • Creating a fresh backup.
  • Identifying the hack and removing their code and means of access.
  • Contacting any supervisory authority required, especially in the EU.
  • Contacting impacted customers.
  • Looking at preventative measures that will prevent the hack from happening again, and taking action.

You might need specialist professional help for some of these, particularly finding and removing the hack, might require professional help — decide who you’ll call in advance, so you’re not scrambling. If you have a big customer database, having a contact plan is a also good idea that will save you some stress.

Prevention is The Best Medicine

Hopefully, your store will never be breached! These steps should help reduce your risk , or the severity of any breach that does happen. In the worst-case scenario, a solid plan in place for dealing with the breach and informing your customers will reduce the fallout for everyone involved.

Privacy isn’t a one time effort. It’s part of the ongoing maintenance for your business.

The GDPR is only the latest law designed to shift the balance of power back to consumers — it builds on older laws like the UK’s DPA. And it won’t be the last; store owners can expect updates to the GDPR, and similar laws will be enacted in other countries. Keeping abreast of these laws and which ones apply to you is an ongoing responsibility.

Whoever is charged with keeping an eye on privacy matters for you will need to make sure your store’s privacy policy stays fresh, especially as you add, update, or remove third-party services. Third parties will also update their privacy declarations, as they evolve to use personal data in new ways. You will need to keep on top of requests and security and data retention on an ongoing basis. Data security is as much a part of day-to-day work as tracking inventory and sales.