The most important and sweeping change in digital privacy regulation in the world will come into effect on May 25th of this year in the EU. The EU General Data Protection Regulation (GDPR for short) is transforming the way we treat digital data and affecting practically any website or organization that collects, stores and uses customer data. This includes a majority of eCommerce stores, as GDPR applies not only to European organizations but to any that provide services to EU citizens (or “data subjects” in the language of the regulation) as well. Furthermore, penalties for non-compliance can be quite severe, ranging from 4% of annual global turnover to up to €20 million! But what exactly do you need to do to stay compliant? If that’s a question you’re still grappling with, then this GDPR eCommerce Checklist is for you.
What’s the Scope of GDPR?
Compliance to the GDPR isn’t as elusive or difficult as you may initially think. To that end, we’ve compiled a series of steps that any eCommerce store owners or marketers should take to ensure they are complying with the new GDPR regulations in advance of the May 25th deadline and avoid any crippling fines.
Definition of Personal Data
But first, it’s important to lay out the scope of the GDPR and some definitions so that the purpose of the GDPR eCommerce checklist items below make more sense. The new definition of personal data is vitally important, as it encompasses not only obvious things as personal photos and bank information but also anything that might be able to lead to the identification of a data subject. This broadly applies even to such information as user’s email, IP addresses or a website-unique shopper code.
Consent is Key
A key aspect of the GDPR for eCommerce owners is that of customer consent. The regulation stipulates that all individuals must be presented an unambiguous and easy to understand form in which they can give or withdraw their consent for the processing of any personal data. Sensitive data strictly requires an “opt-in” while non-sensitive data can be processed under “unambiguous consent”. Most importantly, withdrawing consent must be presented as an option at any time as clearly as that of giving consent. This might be contained in a clearly marked and intelligible text field, signup forms, or more creatively in an automated chat box.
Rights of Customers
Yes, you heard right! Customers now have way more control or rights to their personal data than before. Before jumping into our GDPR eCommerce checklist, let’s take a look at some of the newfound rights of customers within the EU. This may help you understand the purpose towards which your store modifications should be oriented. These rights are summarized briefly below:
- Breach Notification – Data breaches that potentially expose personal data must be reported to the individuals immediately and to the relevant regional DPAs within 72 hours of discovering the breach if the business located in an EU member state.
- Right to Access – Data subjects can request and obtain confirmation and electronic copies of any personal data currently being processed, along with the location of the data and the purpose of its collection and storage. For eCommerce owners, this means that you are required to offer EU data subjects a list of any software tools that accessed or processed their data through your website.
- Right to be Forgotten – This means that a data controller must fulfill a data subject’s requests to erase and stop all processing of his or her data. This can come about due to the withdrawing of consent in addition to a change in the relevance of data stored compared with the original purpose for its collection.
- Data Portability – This GDPR rule right might be the most interesting in the list, as data portability requires that data controllers provide the data subject with all personal data relating to them in “commonly used and machine-readable format” upon request.
- Privacy by Design – This overarching rule requires that data controllers proactively implement measures for compliance with GDPR from the earliest stages of design and testing. Furthermore, data controllers are only permitted to collect and hold data that is necessary for the operation of the provided service.
eCommerce store owners using a platform such as Shopify still have a responsibility to comply with GDPR regulations if you have visitors or customers from the EU. If that’s the case, you must incorporate methods for gaining and modifying consent, stopping the processing of personal data and outright deleting it if requested by the data subject.
And with that out of the way, let’s move on to the GDPR eCommerce checklist.
The GDPR eCommerce Checklist: 9 Steps to Secure Your Store and Avoid Penalties
☑️ 1. Perform an informational audit of all the personal data that your shop currently store and how it is used. This should be completed before the GDPR comes into effect on May 25th so that you are prepared to handle any immediate customer requests for data.
☑️ 3. Set the default option of all newsletter opt-in forms to unchecked/off. This is essential to avoid complaints of misleading or unclear methods of obtaining consent. Nothing short of an explicit opt-in is permissible, so default or hidden email opt-ins should be considered a thing of the past. Any marketing automation services must also be modified to clearly state the ways in which future communication will occur and gain explicit customer consent.
☑️ 4. Attach explanations of why and how users’ personal data is collected at the point of collection, however, the data collection may take place. Remember, the GDPR applies not only to data the users explicitly entered into your site but even simply their logged IP address upon browsing. Such explanations can take the form of pop-ups at the time immediately prior to data collection to ensure that you have proper consent and that customers know their data rights every step of the way.
☑️ 5. Make a complete list of all third party software providers you use on your eCommerce platform. Even if they are expected to assume a majority of the required actions for compliance with GDPR, you are ultimately responsible for how they handle sensitive personal information collected on your website and so have an obligation to supervise and ensure that the services running on your site are in compliance with the GDPR as well. Also be sure to find out their level of data security and their policies regarding data breaches. Compliance with GDPR can be ensured through special clauses in contracts with such third-party software providers to limit your own liability as a store owner.
☑️ 6. Assign a Data Protection Officer (DPO) or dedicate a staff role to GDPR compliance. While it is only mandatory to appoint a DPO if your business’ “core activities consist of processing operations which require regular and systematic monitoring of data subjects on a large scale or of special categories of data or data relating to criminal convictions and offenses“. Even if you don’t satisfy those criteria, it is highly recommended to assign the equivalent of a DPO anyway to ensure that data protection policies are secured and actively being monitored and that any customer requests for any of the aforementioned GDPR rights can be handled in a timely manner.
☑️ 7. Create a system to check user age and require parental consent. According to the GDPR, parental consent is required to process the personal data of anyone under the age of 16, although EU member states have the autonomy to lower this age to a minimum of 13 years old. As a result, it is essential to put systems in place that can confirm the age and location of individual customers, but also remember to inform them of the reason for the collection and storage of this information and any ways in which it might be used in the future.
☑️ 8. Refine or create a procedure to handle data breaches. Since it is now required to report the breach to potentially affected data subjects immediately and to the relevant regional DPA within 72 if your shop is located in the EU. You should draw a clear response timeline for the minutes and hours immediately following the discovery of a data breach and have a clear method already in place for communicating the breach to any affected customers.
☑️ 9. Finally, now is the time to design and implement data protection awareness training for staff. It is essential to fully familiarize all staff and business partners with the requirements of the GDPR and integrate thorough and complete systems of compliance, like those mentioned in the above points, to avoid the heavy potential fines of 4% of annual global turnover or penalties varying with the severity of noncompliance of up to €20 million.
Get Started Now on Your GDPR eCommerce Checklist Items
We hope this GDPR eCommerce checklist is useful for you in understanding the scope of the GDPR and visualizing ways in which you can modify your eCommerce store before the May 25th compliance deadline. For further details about the new regulation and compliance requirements, we recommend visiting the official website of the EU GDPR or the UK’s Information Commissioner’s Office (ICO).
Disclaimer: This GDPR eCommerce checklist is for informational purposes only. ContactPigeon, marketing automation platform for eCommerce, does not claim to be involved in rendering legal advice and recommend consulting with a legal professional to discuss any matters of legal compliance.