As of the 25th of May the GDPR will be enforced by European law. This means that many stores will require extra measures. In short, you'll need to inform the customer about what personal data you are collecting, regardless of whether you are actually using it. If you want to gather data for, let's say, advertising purposes, you will from now on need to ask the customer for permission to do so.
For webshops in particular, remember the following: a customer should be able to place an order without giving you permission to store or use their data for anything other than delivering that order.
To help you grasp the whole picture, here's a short list of things you can do:
Please note that we are here to give you some useful tips. Make sure to also consult your legal advisor.
Data processing agreement
You'll need this agreement with every party with whom you share your customers' data or that has insight into it. This includes, for example, Google Analytics, MailChimp, Hotjar, your hosting company and your developers. Most of the time this agreement is already in place, but be sure to double-check.
Insight into gathered data
Be prepared: you are required to give users insight into the data gathered about them. They have the right to see it, alter it and even have it removed (the right to be forgotten).
The first step you should take is to find out what information you are gathering. Who controls that information? Can you delete it yourself, or do you depend on someone else to do that for you? If you depend on someone else, how will they edit or delete it when necessary?
Talk about it, know it and make action plans for it. Don’t wait until the first user knocks on your door.
Protect your user’s data
You are required to protect your users' data at any cost or you'll risk a fine. The first step you can take is getting an SSL certificate, so that traffic between your users and your site is encrypted.
Also, find out what kind of server your webshop or site is running on. Is it managed by experienced people? Or is it a server that was spun up once and is maintained once a year?
If you don't have a cookie notice, it is a good idea to anonymize your analytics data.
If you do have a cookie notice, let users know what you are tracking and why. Keep it short and give people the option to opt out (and again, you can anonymize the data).
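One way to wire the cookie notice, the opt-out and the anonymized analytics together on the page, as an added example that is not part of the original post. It assumes the visitor's choice is stored in a first-party cookie named gdpr_consent (value "analytics" or "none"), uses a placeholder Google Analytics property id, and takes the gtag function and the global object as parameters so the decision logic can be exercised outside a browser.

```javascript
// Added example (not from the original post). Assumptions: consent lives in a
// first-party cookie "gdpr_consent" with value "analytics" or "none"; the GA id
// is a placeholder; gtag and the global object are injected (window in a browser).
const MEASUREMENT_ID = 'UA-PLACEHOLDER-1';   // placeholder property id
const CONSENT_COOKIE = 'gdpr_consent';

// Parse a document.cookie-style string ("a=1; b=2") into an object.
function parseCookies(cookieString) {
  const out = {};
  for (const part of cookieString.split(';')) {
    const idx = part.indexOf('=');
    if (idx === -1) continue;
    const name = part.slice(0, idx).trim();
    if (name) out[name] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return out;
}

// Map the stored choice to a gtag config object. null means: load nothing.
// A missing cookie (the visitor has not answered the notice yet) is treated
// like an opt-out, so an order can be placed without any tracking at all.
function analyticsConfigFor(cookies) {
  if (cookies[CONSENT_COOKIE] !== 'analytics') return null;
  return {
    anonymize_ip: true,                      // truncate IPs before storage
    allow_google_signals: false,             // no remarketing/advertising data
    allow_ad_personalization_signals: false,
  };
}

// Decide on page load. Returns true when analytics was configured and
// false when it was kept off.
function initAnalytics(cookieString, gtag, globalObj) {
  const config = analyticsConfigFor(parseCookies(cookieString));
  if (config === null) {
    // Documented opt-out flag honoured by gtag.js / analytics.js.
    globalObj['ga-disable-' + MEASUREMENT_ID] = true;
    return false;
  }
  gtag('js', new Date());
  gtag('config', MEASUREMENT_ID, config);
  return true;
}

// Called from the opt-out link in the cookie notice: record the choice for a
// year and switch tracking off for the rest of the session without a reload.
function optOut(globalObj, setCookie) {
  setCookie(CONSENT_COOKIE + '=none; Max-Age=31536000; Path=/; SameSite=Lax');
  globalObj['ga-disable-' + MEASUREMENT_ID] = true;
}
```

In a browser, call initAnalytics(document.cookie, gtag, window) after the gtag.js loader and pass a function such as s => { document.cookie = s; } to optOut.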
If you gather email addresses for mailing lists, you are required to let users know how you acquired their address. Also, when a user submits their email address, you are required to tell them exactly how you plan to use it.
Note that you are also required to know this for the addresses already in your lists. If you can't trace this back, a commonly used method is to send a confirmation email to every address on those lists, asking the recipients to sign up for the list again.
You may think that you'll lose many addresses, but look at it from another perspective: you will get rid of all the addresses that never opened your emails anyway and were thus distorting your analytics.
I hope this helps you and again, make sure to consult your legal advisor on this as well. If you have any questions about GDPR, feel free to contact us anytime.