General Data Protection Regulation (GDPR) came into effect on May 24th 2018. This means that if you are collecting personal data via your website, you’re expected to comply.
There are some very specific penalties for non-compliance, and many small business owners were slow to pay attention to this very significant shift in the regulation of the collection and storage of personal data in the EU. But even if you are behind the curve with GDPR, there is no time like now to get your house in order.
So if you have a blog or online shop, what is expected? Well, depending on the data you are collecting and the way you are collecting it, specific requirements have been outlined for business owners. Here are five points to consider when you start your GDPR compliance journey. Please note, this is not legal advice!
1. Register with ICO
There has been much debate on the need to register with the Information Commissioner’s Office (ICO), but the new regulation is very specific on the need to register. The annual registration fee is £35 (small and medium businesses). If you are unsure whether this applies to you, a registration self-assessment can be found here.
For online stores, you can grab free templates from Shopify, and the good news is that you don’t need to be a Shopify customer to use them.
3. Review your data collection points
If you are collecting data via contact forms, your WooCommerce store or third-party applications like MailChimp, then you must have a clear and unambiguous opt-in process.
When reviewing or creating your policy, remember to consider all data collection points and the reason for each, including shipping addresses and other personal information like date of birth or gender. If you can’t justify a reason for collecting a piece of data, then stop gathering it in your forms.
If you have a database of existing customers or contacts and you can verify your relationship with these contacts, i.e. they have purchased from you before 24th May 2018, it’s not likely you’ll need to ask people to resubscribe to your list. But if your data is years old and you’ve made little to no contact with these people, then you should either ask them to renew their consent or dump that data.
4. Have a process for data storage and data breaches
GDPR has introduced the right for individuals to have personal data erased. The right to erasure is also known as ‘the right to be forgotten’.
- Sign up to receive email updates
- Terms and Conditions of sale
- Statement on why data is being collected
If you are collecting the email addresses of people who have ‘abandoned cart’ in order to send reminder emails etc., then you are no longer allowed to keep this data without the person’s consent – so rework those cart processes now. For WordPress websites, you can do this by using a plugin like Cookie Notice.
If the data you store is breached, GDPR stipulates that you must tell the Data Commission officer in the country where the breach occurred within 72 hours.
GDPR stipulates that you need to protect your data and website against unauthorised access. Securing your site with an encrypted connection using the HTTPS protocol is a good first step, but don’t forget to also check the level of security wherever your data is being held.