General Data Protection Regulation (GDPR) came into effect on May 24th 2018. This means that if you are collecting personal data via your website, then you’re expected to comply.
There are some very specific penalties for non-compliance, and many small business owners were slow to pay attention to this very significant shift in how personal data may be collected and stored in the EU. But even if you are behind the curve with GDPR, there is no time like now to get your house in order.
So if you have a blog or online shop, what is expected? Well, depending on the data you are collecting and the way you are collecting it, specific requirements have been outlined for business owners. Here are five points to consider when you start your GDPR compliance journey. Please note, this is not legal advice!
1. Register with ICO
There has been much debate on the need to register with the Information Commissioner's Office (ICO), but the new regulation is very specific on the need to register. The annual registration fee is £35 (small and medium businesses). If you are unsure whether this applies to you, the registration self-assessment can be found here.
2. Privacy Policy
A privacy policy is a statement showing how you collect, manage and use customer and visitor data. Ideally this statement should be clearly displayed on all forms of communication, including email signatures where possible.
For online stores, you can grab free templates from Shopify, and the good news is that you don't need to be a Shopify customer to use them.
Terms Feed has some great tips for creating a privacy policy for bloggers and if you are using Google Adsense or other third-party tools for advertising, another option is SerpRank’s free policy generator.
3. Review your data collection points
If you are collecting data via contact forms, your WooCommerce store or third-party applications like MailChimp, then you must have a clear and unambiguous opt-in process.
When reviewing or creating your policy, remember to consider all data collection points and the reason for each, including shipping addresses and other personal information like date of birth or gender. If you can't justify a reason for collecting it, then stop gathering this data in your forms.
If you have a database of existing customers or contacts and you can verify your relationship with these contacts, i.e. they have purchased from you before 24th May 2018, it's not likely you'll need to ask people to resubscribe to your list. But if your data is years old and you've made little to no contact with these people, then you should either ask them to renew their consent or dump that data.
4. Have a process for data storage and data breach
GDPR has introduced the right for individuals to have personal data erased. The right to erasure is also known as ‘the right to be forgotten’.
Therefore you'll need to have a process to respond when data erasure requests are made. If you have a WordPress site, the good news is that the latest releases of WooCommerce and WordPress now come with GDPR enhancement tools, including consent for visitor comments, a data export and erasure feature and a privacy policy generator tool.
If you have an online store, you won't need an opt-in process to collect the personal data required for the transaction to occur, like a person's shipping address. However, GDPR does specify that you'll need to remove personal information after a reasonable period. It is your own judgement as to what is 'reasonable', but you should have a process (for example, 30 or 60 days) and state this in your privacy policy.
If you are transferring your customers to a marketing database, then you'll need to add an opt-in form to your checkout. Only when the customer has opted in can you continue to market to them. You'll also need to be transparent in your privacy policy about how you are using personal information. For example, our client The Comic Art Website recently reworked their checkout page by adding:
- Sign up to receive email updates
- Terms and Conditions of sale
- Statement on why data is being collected
If you are collecting the email addresses of people who have 'abandoned cart' in order to send reminder emails etc., then you are no longer allowed to keep this data without the person's consent, so rework those cart processes now. For WordPress websites, you can do this by using a plugin like Cookie Notice.
If the data stored is breached, GDPR stipulates that you must tell the Data Commission officer in the country where the breach occurred within 72 hours.
5. Security
GDPR stipulates that you need to protect your data and website against unauthorised access. Securing your site with an encrypted connection using the HTTPS protocol is a good first step, but don't forget to also check the level of security wherever your data is being held.
There is no doubt that GDPR is a headache for small business owners, but it's a necessary evil. A good first step is developing or reviewing your privacy policy and noting all the areas which are currently non-compliant, then addressing each point step by step. It will take a bit of time and effort, but it'll be worth it in the long term. If you need assistance with any of the points above, please contact hello@insideleft.ie