Online Retailers – How To Prepare for GDPR Compliance

website GDPR compliant

With only a few days before the General Data Protection Regulation comes into effect, 25th May to be precise, in what is the biggest shakeup of personal data privacy rules since the birth of the internet, we’ve outlined a handy guideline along with some very important questions you need to ask you yourself to see if you’re prepared for GDPR compliance.

*Please note that GDPR covers your entire business, we recommend speaking to a legal expert to cover your company wide GDPR policy*

Does your website collect names and email addresses?

If so, then how is this information used? If you store this information and market to via newsletter, are you gaining consent first? With the new GDPR you have to gain clear consent beforehand, such as adding check-boxes on contact forms opting in for newsletters etc. These check-boxes have to be clear and opt-in (not opt-out). If you have a contact form but only deal with the information once, i.e. open the email, reply/respond then delete the contact form, you won’t need consent, but this should be explained in the privacy policy on your website.

Analyse your company’s use of data

Ask yourself some key questions in relation to your use of personal data

  • Do you collect data? if so, why?
  • How do you use this data?
  • Is it secure? Such as if you use a third party newsletter service (mailchimp) or store data in a spreadsheet on a computer, if on a computer who has access? is it encrypted? password protected? etc
  • Do you share the data with anyone? such as selling/sharing to other companies?

The answers to these questions above should also be included in your online privacy policy.

Analyse any forms on your website

Are the forms on your website, clear & for a sole purpose. For example a ‘Contact Us’ form which has copy stating fill in the form and we will contact you via phone/email. This form might ask for details such as name, email & contact number and a message/enquiry, this is clear that the user is submitting this form only in relation to you contacting them in regards to the enquiry, so you don’t need a checkbox to ask for consent to contact the. You can receive this type of information for the sole purpose of contacting the user in relation to their query, after this has been responded too, you must then delete the data.

You can be extra clear on the contact form and give the user options on how you should respond to the enquiry, such as contact me via: phone / email.

However, if you then copy this information to use it for any marketing purpose such as adding them to a newsletter, you need to update this form to ask for consent, which should be clearly labelled “Sign me up to the newsletter”, this should be an opt-in checkbox, not an opt-out. For each additional use of the data you should have a separate opt-in field. Such as one for newsletters, SMS, phone marketing etc.

Do you have a process to provide data to individuals who ask?

The GDPR provides users (data subjects) with the right to demand data controllers (the organizations holding the data) provide their data back to them, in machine readable form.  Are you ready to respond to requests, to collect together all data from all sources on the individuals, and deliver it back?

You should make a plan of action to provide this information is someone is to ask for it, to start with you will need to know where all the data is stored, such as on the website admin area (orders / customers), on third party services (mailchimp) and any offline services (spreadsheets, databases, written records etc) and plan how you can collate all this if a request is made.

Do you have a process to delete data if demanded?

Data subjects can demand that their data be deleted, do you have a process for this when asked?

How long is the data kept for?

You should clearly specify how long data is kept for, this should be covered in your privacy policy, such as we keep data for up-to 2 years, unless a request is made before this etc.

Existing Data?

You should look at any existing data, especially if you use this to market to, you need to store the consent (date/time/ip), in which you might need to gain/refresh consent; for example if you send out regular newsletters you might have to send a refresh/renew consent newsletter to keep receiving emails.

Site Tracking?

Do you use any tracking software on your website, such as Google Analytics? If so this should be mentioned in your Privacy Policy. Google Analytics is an anonymous tracking system, so only a mention is required in the privacy policy, but if you use other third party tracking software then you should check how these use the and track the data, ensuring no personal data is being used without consent.

Online Payments?

If you are an eCommerce business, then you are likely to be using a payment gateway for financial transactions. Your own website may be collecting personal data before passing the details onto the payment gateway.

If this is the case, and your website is storing these personal details after the information has been passed along, then you will need to modify your web processes to remove any personal information after a reasonable period, for example, 60 days. The GDPR legislation is not explicit about the number of days, it is your own judgement as to what can be defended as reasonable and necessary.

Easy to withdraw permission or opt-out

If you use personal data for any reason, you need to provide an easy to withdraw permission (opt-out) method, for example for a newsletter, you should include a link at the footer to unsubscribe from the newsletter. Many third party newsletter providers include tools to cover this, but if you send out newsletters yourself via mailmerge / outlook etc, you need to provide this feature, or include information of how they can opt-out.

Unbundled opt-in

In the past, it has been common to bundle extra things into the sites T&C’s, for example, when an online order is placed, the terms and conditions need to be accepted, but within these terms you might have added a clause stating you agree to receive marketing communication via SMS / email / phone, or that their personal details can be passed onto third party companies.

With GDPR each additional clause that is related to personal data needs to be unbundled and instead of being contained within the terms and conditions, it should separate opt-ins.

Privacy Policy

You should ensure that your privacy policy contains the following:-

  • The purpose/reason(s) of the data processing
  • The name and contact details of the person responsible and the data protection officer
  • The legal basis for the data processing
  • The recipients of the data
  • The retention period of the data
  • If applicable, the extent to which you give your data to third parties (possibly in a third country or internationally).
  • The rights to information and/or deletion of data
  • The statement of the right to complain to the data protection supervisory authority
  • If necessary, the reference to Google Analytics

Please note these questions relate mainly to the online aspect, but GDPR should cover all your business practices (online & offline)