**Disclaimer. This post is not legal advice. I am not a lawyer and recommend you seek your own legal advice.**
So what is the GDPR and why should you even care? The General Data Protection Regulation (GDPR) is a regulation in EU law on data protection and privacy. Although you may not be based in the EU, the GDPR can affect your business if your website is accessible to EU residents – even if you aren’t directly targeting them. After a 2 year transition period the law becomes enforceable on the 25th May 2018, and failure to comply can result in hefty fines of up to $20M or 4% of your yearly global revenue – OUCH!
So what does it all mean and how can you comply?
The GDPR law is designed to protect the privacy of EU residents by controlling how businesses collect and use their personal data.
What is personal data?
According to the European Commission, “personal data is any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address.”
So the GDPR relates to you if you take online orders, collect email addresses via your website or simply have the Facebook pixel installed (hopefully you do!).
The new rules come down to three main points: consent, access and the ability to erase.
Consent & Transparency
You must have explicit consent to collect data from any European citizen. This means if you are collecting someone’s email address to send them a coupon code or for an order you must have their consent to do so and also provide full and transparent information about what you will use the email address for. For instance if you have been collecting emails for a 10% off voucher but then add that person into your mailing list which you email with your newsletter every week this will no longer be OK, unless you make it clear when they provide their email that they will be added to your mailing list and will receive the weekly newsletter. This is good practice already but now enforceable by law.
This also applies to any data you collect when someone makes a purchase. Just because they gave you their email to make a purchase does not mean you can add them to your mailing list, unless they specifically gave you permission to do so. Check with your email provider and website platform, many have been busy making changes to ensure they are GDPR compliant.
Perhaps the hardest part to comply with is if your website is using cookies – for instance if you have the Facebook pixel installed, something that all eCommerce businesses should have. Below we will look at how to comply with a Facebook pixel in more detail.
Access
The next main change, and perhaps one of the hardest to comply with, is that all EU residents are to have access to any data you have on file about them. You must provide, upon request, an overview of the categories of data that are being processed as well as a copy of the actual data. You must also advise how you acquired the data, how you process the data and who you share the data with. If you run a drop shipping website, for instance, you are sharing the data with the company you pass the order on to. If you use an email marketing tool such as Mailchimp or ConvertKit you are also sharing the data with them.
Ability to Erase
As well as having access to the personal data you have stored, all European citizens must be able to have their personal data erased completely. You must be able to show how you are erasing the data.
So how do you even start to comply?
2 – Dumb it down
Clearly outline, when collecting someone’s data (such as personal details for an order or an email for an opt in), what you will use the data for. If you are going to use it for any other purposes, let them know, such as “we will also add you to our mailing list and send you a weekly newsletter full of great offers, you can unsubscribe at any time”. A pre-ticked checkbox opting in for your promotional material is not considered consent by the GDPR; they must tick the box themselves. You also can’t have a box that says “tick if you don’t wish to receive promotional materials”.
3 – Check your plugins
If you are using any plugins or apps on your website you need to ensure they are all GDPR compliant as well, as they may be collecting data from your website visitors. It is your responsibility as the site owner to check this, so if they are not compliant, find a replacement that is.
4 – Have a data breach plan
If you have a data breach, such as your website being hacked and data being accessed, or data being passed on to a third party without the person’s prior knowledge, you now have 72 hours to act. This includes finding the source of the breach, advising everyone affected, putting in place measures to stop it happening again and reporting the breach to the Data Commissioner. Be proactive and test your data breach plan as if the worst had happened.
5 – Audit your data
Check your data and make sure you don’t have any data that has been unlawfully acquired, such as purchased email lists. If you do, it’s time to delete them.
6 – Update Abandoned Shopping Cart emails
If you are automatically sending emails to a customer when they abandon their shopping cart, this is not compliant with the GDPR unless they opt in to receive these emails in the shopping cart. Without prior consent you can no longer send these emails automatically (at least to people in the EU for now).
7 – Facebook Pixel
The only way to be truly GDPR compliant with a Facebook pixel is to have a landing page fire before someone enters your website that does not have a pixel installed. This would need to be for any page they are accessing, not just your home page – remember not everyone enters your site via your home page. The landing page would need to explain that your site sets cookies and uses them for Facebook advertising purposes (and whatever else you use them for, such as Google Ads). It would then only redirect to the page they linked to after they accepted that they would be pixeled.
I think this may start to be the norm in EU countries, but it seems like just an extra step slowing things down online; can you imagine this coming up every time you visit a new website? For me, I won’t be going to this extent but do plan on giving people a way to “opt out” of being pixeled.
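The consent rules from section 2 (a pre-ticked box is not consent) and the pixel gating from section 7 (load the pixel only after the visitor has accepted, and offer an opt-out) in code. This is an added example, not code from the original post or from Facebook, Shopify or WordPress; the storage object, the loader callback and the `tracking_consent` key name are hypothetical placeholders.

```javascript
// Added example (not from the original post or any vendor): load a tracking
// pixel only after an explicit, revocable opt-in, and treat a pre-ticked
// checkbox as no consent. Storage and loader are hypothetical placeholders.
const CONSENT_KEY = "tracking_consent"; // hypothetical storage key

// A checkbox counts as consent only if the visitor ticked it themselves:
// checked now, and NOT checked by default when the form was rendered.
function isValidOptIn(checkbox) {
  return checkbox.checked === true && checkbox.defaultChecked === false;
}

class ConsentGate {
  // store: object with get(key)/set(key, value), e.g. a cookie wrapper
  // loadPixel: function that injects the vendor script into the page
  constructor(store, loadPixel) {
    this.store = store;
    this.loadPixel = loadPixel;
    this.loaded = false;
  }
  // Only the literal "granted" counts; absent or anything else means no.
  hasConsent() {
    return this.store.get(CONSENT_KEY) === "granted";
  }
  // Record the visitor's explicit choice and apply it immediately.
  record(granted) {
    this.store.set(CONSENT_KEY, granted ? "granted" : "denied");
    return this.apply();
  }
  // Run on every page view: inject the pixel at most once, and only when
  // consent is on record. With no choice stored, nothing is loaded.
  apply() {
    if (this.hasConsent() && !this.loaded) {
      this.loadPixel();
      this.loaded = true;
    }
    return this.hasConsent();
  }
  // Opt-out: revoke consent so no later page view loads the pixel.
  revoke() {
    this.store.set(CONSENT_KEY, "denied");
    return this.hasConsent();
  }
}

// Constructed in-memory store standing in for cookies/localStorage.
function memoryStore() {
  const data = new Map();
  return { get: (k) => data.get(k), set: (k, v) => data.set(k, v) };
}
```

Note that `revoke()` cannot remove a script already injected into the current page; it only prevents the pixel from loading on later page views, so call `apply()` from every page rather than hard-coding the pixel snippet.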
What if you’re not based in the EU?
Even if your business or your website is not based in the EU, you still need to comply if even just 1 EU citizen accesses your website. So your options are to stop selling to the EU and block all EU traffic to your website, or to comply.
When making this decision, keep in mind the EU may have been the first, but given the recent Cambridge Analytica / Facebook scandal and the worldwide attention it received, I don’t think they will be the last. Many organisations are implementing worldwide changes to meet the GDPR in preparation for impending changes from other regions in the world. Let’s face it: although it may be a pain to get your website ready for the GDPR, at the end of the day wouldn’t it be nice to have more control over our data online?
Tools to help
Even though this has been pending for 2 years, it seems that people have only started taking it seriously recently as the May 25 deadline looms. To help you comply, many companies have put together plugins. I am sure there will be more to come, but here are some I have found which may assist you:
- All in One GDPR Plugin for WordPress. I like the look of this as a complete dashboard for GDPR – integrates with Mailchimp
- WordPress “Delete Me” plugin designed to help people delete their user profile from your website
- Shopify “EU Cookie Complier” app designed to display a cookie banner on your Shopify store
- Shopify “UWP Access – Simplify GDPR” app designed to help custom requests to access data
- How Shopify are preparing for the GDPR
- European Commission’s info on the GDPR
- ConvertKit and the GDPR
- Mailchimp and the GDPR
- WooCommerce and the GDPR
How is your business preparing for the GDPR? Let me know in the comments below.