GDPR or General Data Protection Regulation is an updated version of the 1995 Data Protection Directive. With the advance of the different ways we go on the internet, a more defined law was in demand. The GDPR is drawn to protect the rights of all the European Union citizens from companies who collect data, irrespective of location. GDPR wants companies to think before asking – Why I need the information, what will I do with it, how will I use the information, who will see the iniformation and where will it be stored. The law comes into effect on 25th May, 2018. Before this, you must GDPR prepare your online business.
DISCLAIMER: Keep in mind this is just Web 2 Market’s current understanding, which will evolve as the practical aspects get worked out. We recommend you make a ‘good faith effort’ to comply. This is not legal advice and we aren’t lawyers. If you have legal questions, please consult a lawyer.
What are the fines if you don’t GDPR prepare your business?
The GDPR is strict if you don’t comply. If you don’t comply with the GDPR rules, you will have to pay €20 million or 4% of the total global sales, whichever is the highest.
GDPR prepare your online business before May 25th, 2018.
What companies should comply?
The GDPR affects only the European Union countries and protects data of the EU citizens. The law however makes no allowance for companies based on location.
Some company scenarios?
I am a US business owner? Should I also GDPR prepare?
My server is in the UK and we are now not in the Brexit. Do I still need to prepare for GDPR?
I live in Australia and my Magento store is also there. Most of my customers are from Australia. Will GDPR affect me?
My business in Singapore and I only get UK citizens as customers. Do I need to be concerned about GDPR?
As the conditions of the EU are vague, our best recommendation is that you comply, irrespective of location, services or products you sell, and also size of your business. Additionally a GDPR complied notification on your site will allay any fears your shoppers might have about data misuse.
Can I use a plugin or ask our developer to block users from the EU?
Although the concept is good, it won’t work with GDPR. Under the law all the EU citizens are protected, even those residing outside the EU countries. This means, an EU citizen living in the UK can shop on your site. The plugin parameters or the script coded by the developer can wrongly think he/she is a UK national.
It has been brought to our notice that if the EU citizen is in the US, then the data laws of the US will be upheld, while a US citizen in a EU country will have to follow the GDRP laws. However we are not certain if this same is applicable for other countries. [W2M strongly urges all readers to take advice from a legal adviser for clarity.]
Data you should GDPR prepare
- Emails
- Phone Numbers
- Names
- Credit Card details
- Bank details
- Cookies
- Gravatar pics
- Uploaded personal photos
- IP Address
- Social Media posts
- Login Forms
- Subscription Lists
- Registration Forms
- APIs
- Apps
- Contact us Form
Additional information covered under the GDPR:
- Mental Condition
- Gender
- Age
- Marital Status
- Biometric information
- Ethnicity
- Location using Geo targeting
- Religion
- Political Views
- Company working for
- Current Salary
Understanding the GDPR law?
Right of Consent
You must now clearly state your purpose of collecting the information from the user. The details have to be in depth and easy to understand by a five year. You also need to say how you will be using the information, who will have access to the information and where it will be store. You also need to guarantee that you will take the utmost care in securing the data.
Right of Intent
You also have to declare how long you will be keeping the data. This is very important as it informs the user you will not hold hostage their information forever. Once the purpose is done, you will erase the data permanently.
Right to be Forgotten
Users can also now request that their data is deleted forever. You also need to get this done in a timely manner, else you could be sued for damages.
Right to Edit
Sometimes a user can enter a data wrong, like in an application form. You must allow the users to edit their form, in the present and also any time in the future.
Right to Oppose
Users also have the right to oppose how you will use their information. If you get such a request, you should cease and desist immediately.
Right to Move Data as Required
And finally, another good one is the right to move data. If a user requests their personal information to be moved to another person, location, service or company, you have to do it, as soon as possible.
Other important facts about GDPR:
The common practice now is to have an already checked box in forms. Usually the user is automatically enrolled in some subscription plan. However, there have been times when the user doesn’t want to be enrolled in any such plans, but didn’t see the checked box in time.
The GDPR demands that you can no longer “Opt in” users. Your boxes should be unchecked. And it is the user’s choice whether they want to subscribe or not.
This is seen as a positive move by most people as it will minimize spam mails.
Another very important thing that the GDPR says is how you should handle the situation when there is a data breach. Within 72 hours you have to inform all the people of the data theft. And to see how seriously GDPR takes this, there is no provision for business hours or holidays.
How to GDPR prepare?
Privacy Policy
The first thing you need to do is update your privacy policy. Include details as to why, how, who and where the information is used. Use the convenient Privacy Policy Page Generator.
Also add privacy notes in text areas, informing the user why that particular data is needed and how you will use it. For example in the email field, you need to have a comment box that says the email will never be used unsolicited services. And furthermore, the email is safe from hackers. Learn more in GDPR: How to write a Privacy Notice – Best Practices.
Terms and Conditions
Another area that you will have to change is the terms and conditions page. Again say how you will handle the personal information collected. What third-party programs or services you plan to share the information with and so on. Terms and Conditions Generator will be useful.
Cookies
Users have to give their consent before cookies can be saved. But again like the previously stated, the cookie notice also has to be meaningful and in depth. Clear reasons you are using the cookie must be given. Check out GDPR and cookies | What do I need to know? | Is my use of cookies compliant?
Consent
You also need to send an email to all your existing customers informing them of the GDPR law. And also ask them to give their consent again to comply with the law.
Also from time to time you will have to renew the consent given by the people. This is to ensure they still don’t object to the saving of the personal information.
If personal information is used for marketing, case studies, historical research and statistics, consent is required. And also need to make your programs GDPR compliant like Google Analytics and Mail Chimp.
Record Keeping
You also need to deal with the GDPR as you do the IRS (Income tax department). You need to keep record of all the user consents. And show them when there is a data audit.
More information:
Check out the European Union GDPR official site if you need more help. There are also a lot of other legal terms you need to understand. Like the difference between controller and processor. And which one do you come under. Also what is a Data Protection Officer and if you need one for your business. And of course understand what data audits entail.
In conclusion, GDPR prepare your Magento business before the deadline of 25th of May, 2018.