You need to ensure that your Shopify store is GDPR compliant, otherwise you might get into hot water with the regulators who enforce it.
What is GDPR and how does it affect Shopify stores?
GDPR is short for General Data Protection Regulation. Adopted in April 2016, GDPR sets out rules for how all European residents’ personal data must be handled. It took effect in May 2018 and covers data relating to everything from online activity to financial records to medical history.
In this evolving process, GDPR will revamp what it means to do online business in Europe, impacting how you engage with your customers/users, the tools you use on your website, and how you use these tools.
GDPR is NOT a technical document. In fact, ecommerce is mentioned only once in the GDPR, and that is in a footnote, where it is written as “electronic commerce.” GDPR is less a digital rulebook than a clear statement on fundamental rights: “The processing of personal data should be designed to serve mankind.”
But, there is more to it than what meets the eye. There’s plenty for online store owners to be aware of. So let’s get started with understanding GDPR and how you can make your store GDPR compliant.
What do you need to do to comply with it?
GDPR runs to 88 pages and more than 50,000 words, and the writing is completely boring, more boring than the Windows Terms & Conditions. If you are not interested in reading the GDPR, we understand.
But the rules in the GDPR apply to all online stores selling to customers in Europe. So even if you don’t want to read the GDPR, there are still some things you should keep in mind about GDPR compliance.
Always Ask for Consent
Don’t assume what your users want. If you want your users to do something (opt in, subscribe, etc.), you need to get their clear consent for it.
Only Collect the Data That You Require
GDPR emphasizes the protection of users’ data. So, to stay on the safe side, keep your hands off any data that you don’t need.
Make Everything Straightforward and Clear
Regulators enforcing GDPR love online transparency. You need to be as clear as possible on your website. If you have a subscribe button, make sure there’s a clearly visible unsubscribe button as well.
Don’t be Shady
If you are a company with a small number of employees, GDPR compliance pretty much comes down to not being shady. Keep everything transparent and clear to avoid any trouble under the GDPR.
Free GDPR Template
If you want to write your own privacy policy that complies with the GDPR, here’s what you need.
Start with a brief introduction that includes:
- Why privacy matters to you
- A summary of all the information included in the privacy notice
- What services the privacy notice applies to (i.e. your website, software/application, purchases, subscriptions, etc.)
Who are we?
Include the name and contact details of your data controller. Normally this will be you or your business. Wherever applicable, you should also provide the identity and contact details of the representative of the controller or the data protection officer.
What information do we collect?
Here you need to specify the types of data and information you collect on your website, e.g. name, address, email, etc. You should include specific details on:
- How you collect the data (i.e. when a user signs up, places an order or uses your services, submits a contact form, opts in to a newsletter, etc.)
- What specific data you collect through each collection method
- If you collect data from third-party sources, the categories of data collected and their source
- Whether you process sensitive personal information or financial data, and how you handle this type of information
You may also want to include relevant definitions in relation to personal information and sensitive personal data.
How do we use personal information?
Provide detailed information on all the business-related purposes for which you will use the user’s data. For example, this could include things like:
- Personalisation of website content, business information, or improving user experience
- Account setup and administration
- Sending marketing and event communications
- Polls and surveys
- Internal R&D purposes
- Providing goods and services
- Legal obligations (e.g. fraud prevention)
- Internal audit requirements
Do note that this list is not exhaustive. You must include any additional purposes for which you use personal data.
What legal basis do we have for processing your personal data?
Include the relevant data processing conditions contained in the GDPR. There are six possible legal bases:
- consent
- contract
- legal obligation
- vital interests
- public task
- legitimate interests
Give your users detailed information on every basis that applies to your data processing, and why. If you rely on consent, explain to your users how they can withdraw and manage their consent on your website. If you rely on legitimate interests, clearly explain what those interests are.
If you process special category personal information, you have to satisfy at least one of the six conditions above, as well as any additional requirements for such processing under the GDPR.
When do we share personal data?
Explain that you will treat all personal data with complete confidentiality, and describe any circumstances under which you might disclose or share it, i.e. when it’s necessary to provide your services or run your business operations. You should also provide details on:
- how you will share their data
- what safeguards you will have in place to protect the data
- what kinds of third parties you may share their data with, and why
Where do we store and process personal data?
If you transfer data outside the European Economic Area, outline all the steps you take to ensure an adequate level of data protection.
How do we secure personal data?
Explain how you keep the data secure and what technologies and security measures you use to protect personal information. For example, these measures may include:
- protecting all data against accidental loss
- preventing unauthorised access, destruction, use, or disclosure
- ensuring business continuity and recovery from any disaster
- limiting access to personal data
- carrying out privacy impact assessments in accordance with your business policies and local law
- extensively training your staff and contractors on the importance of data security
- managing risks associated with third parties, through contracts and regular security reviews
Do note that this list of measures is also not exhaustive. You should include all the mechanisms and measures you rely on to protect personal information.
How long do we keep your personal data for?
Give your users the specific length of time for which you will keep their information. The GDPR requires you to keep data only as long as reasonably necessary and no longer. Include specific details of your data retention periods.
If you are unable to state a specific time period, you need to set out the criteria you will use to decide how long to retain the data.
You should also mention how you securely dispose of the data once you no longer require it.
Your rights in relation to personal data
- access to personal data
- deletion of data/correction
- withdrawal of their consent
- portability of data
- processing restrictions and objection
- lodging any type of complaint
You should also clearly explain how users can exercise their rights, and how you plan to respond to their requests. Clearly state whether any relevant exemptions may apply, and set out the identity verification procedures you rely on.
Also provide details of the circumstances in which the rights of the data subject may be limited. For example, if you are asked to delete personal data which you are actually required by law to keep.
How to contact us?
Explain to individuals how they can get in touch with you if they have questions about your privacy policy or the use of their personal data, or if they want to lodge a complaint. Describe all the different ways they can contact you, i.e. online, by email, or by postal mail.
Linking to other websites/third party content
If you link to external sites and resources from your own website, be clear about whether this constitutes endorsement, and whether you take any responsibility for the content of any linked third-party website.
Example emails and policy pages from big stores
Check out this email by ASOS asking customers to opt in again, so that customers who still want to receive their emails can do so manually.
Here’s a very confident email by Little Green Sheep that asks users for permission.
So, what does GDPR mean for your online business? Well, in short, as long as you are not being sneaky or indulging in any shady practices, you are in the clear.
Also, let us know what you think about GDPR and data protection laws. Comment below.
Don’t forget to subscribe to our newsletter for weekly ecommerce updates!