The General Data Protection Regulation (GDPR) is a European privacy law that took effect on May 25, 2018.
GDPR applies not just to European companies. The new regulation applies to every company that can potentially process EU nationals’ data, which means that every company in the world regardless of its location is subject to GDPR. No matter where your company stores or processes personal data it must comply with GDPR guidelines.
GDPR grants people more extensive control over their personal data. Specifically, the new law gives people the right to access, correct, delete, and restrict the processing of consumer data, and it also sets strict guidelines for user consent.
If you collect or store any information that can be linked to an individual, that counts as personal data. You can read the full text of the GDPR to learn more.
Some businesses may need more preparation than others to comply with the GDPR. This guide provides a general overview of GDPR compliance and outlines the most common requirements.
How to prepare for GDPR
Your website collects and processes personal data in a compliant manner. However, it is your responsibility to comply with GDPR requirements when you collect and process personal data from your EU customers.
What is personal data
Personal data is defined as any information that can be used to directly or indirectly identify a person. This includes a name, a photo, an email address, an IP address, bank details, posts on social networking websites, medical information, and even random codes that are assigned to users to gather analytics, conduct A/B tests, and more.
GDPR significantly broadens the definition of personal data to include any information that can be connected with a known person. Examples include browser history and social media activity. It also makes special provisions for information related to an individual's physical and mental health, such as genetic and biometric data.
Why user consent is important
Can I have your consent?
The cornerstone of the GDPR is consent. You needed consent before GDPR, but it was so much simpler to obtain it. Now, in the context of the new regulations, obtaining consent is no longer a sure thing. GDPR clearly states that unless a legitimate interest is involved, getting clients to say yes needs to be done in an explicit manner, using plain language, clearing up the reasons for which consent is requested. The user needs to know exactly what his/her personal data is going to be used for and by whom.
Applying the strictest of interpretations, using personal data of an EU citizen, requires that such consent be freely given, specific, informed and unambiguous. It requires a positive indication of agreement - it cannot be inferred from silence, pre-ticked boxes or inactivity.
Having legitimate interest is not equal to having consent, as the data gained cannot be used for other purposes than those implied.
Once consent is obtained, you need to record and safeguard it, and to be prepared to hand it over when requested as such.
The Sitebuilder helps you collect the user's consent, developing a new consent request form, adding clear consent request boxes on forms, reminding you about the consequences of pre-ticked boxes, and encouraging you to update your terms and conditions.
Provide customers with the right to access their data
This means you must provide your customers with a copy of their personal data in an easily readable and portable format. You can access the customers' personal data right in your Control Panel. You should also take into consideration any third party services you use who may have access to your customers’ personal data.
Provide customers with the right to delete, edit, restrict certain data uses
Basic requests (e.g., a customer asks you to delete their order) can be quickly managed inside your control panel. Again, remember any third party services who may have access to this data.
We recommend storing data digitally. Encrypted data protected with a password of the minimum recommended strength – or protected by means of a password generator – offer a secure option compared to printed invoices.
Data breach notifications
Your online store acts as a Data Processor while our merchants (you) act as Data Controllers. If your website is experiencing a data breach of any kind, you might be required to notify affected customers. Under the GDPR, a notification must be sent within 72 hours from the time you become aware of the breach. Data processors are also required to notify users as well as the Data controllers, immediately after becoming aware of a data breach.
Changes to your team
Under the new legislation, you need to appoint a Data Protection Officer (DPO). This is a requirement if you intend to process personal data on a regular basis. The DPO will be the central person advising the company on compliance with GDPR and will also act as the primary contact for Supervisory Authorities
Train your team. Giving those with access to data adequate training on the context and implications of GDPR should help avoid a potential breach, so don't skip this point. Data protection may be a rather dull and dry topic, but taking just a small amount of time to ensure employees are informed will be time well spent.
Some highlights to remember:
- Sites need SSL certificates (read here about the difference between HTTP:// and HTTPS://)
- There needs to be a way for subscribers or clients to have their data removed.
- The subscriber must also be able to request their data
- Clear consent must be given if they sign up for a free download that they also consent to be added to the general mailing list.