Whilst setting up your online shop, you may have heard GDPR mentioned in various places, but what does it mean? In this post, I’ll be explaining GDPR in plain English and the very basics of what you need to know to trade online.
What is GDPR?
The General Data Protection Regulation (GDPR) was introduced to enforce data privacy laws across Europe. It protects all EU citizens from privacy and data breaches and gives individuals greater control of their data. It came into effect on 25th May 2018 and applies to any organisation processing personal data of EU citizens.
What is this data that needs protecting?
The data in question is any information that could potentially identify someone. This obviously means names, addresses and telephone numbers, but it also includes things like email addresses and IP addresses.
What does it mean?
Once you break down the legal jargon, in its most basic sense, it means companies can’t do things with your data without your permission. Examples would include:
- Selling any part of your contact details like your phone number or email address to marketing companies;
- Using your email address to sign you up to email newsletters;
- Making unsolicited phone calls to you;
- Sending you junk mail through the post.
Because we now have GDPR, any company wishing to use our details as individuals needs to ask for our consent to do so, and as an individual, you are well within your rights to ask companies to send you a copy of any details they hold about you.
How is consent achieved?
This depends on the purpose of the company and what they plan to use your data for. Whatever that purpose is, the company in question must:
- Clearly define what data they need and why (for example, a company which sends you email newsletters would not necessarily need to know your phone number, so you can question why they need that);
- Record when your consent was given – they need to keep accurate records, kept confidential, which confirm when you gave your consent, what kind of consent you gave and, in terms of personal data, what you gave them permission to use.
What are my individual rights?
As an individual, GDPR has defined your rights as an EU citizen to include:
- The right to be forgotten – if an individual requests it, you must remove the personal data you hold on them. This means that if you were a member of a forum and wished to close down your account, for example, the owners of the forum would need to remove all of your data (such as your name, profile image and email address) if you requested it.
- Right to object – an individual can request that you do not use their data in specific ways. If you gave some of your data to a company, such as purchasing something online where you would give your details to complete your order, that company would not be allowed to give you a call at a later date to try and sell you an additional product or service, unless you had given them consent to do so.
- Right to rectification – any incorrect data must be corrected if the individual in question asks. If a company has spelt your name wrongly or you have changed your address, the company must amend their details for you if you request it.
- Right of access – an individual has the right to know what data a company holds on them and how it is used. You can contact any company to find out what data they have listed for you, why they need it and how they use it.
How does this apply to me as an online shop owner?
As an online shop owner, you are a company and you will indeed have access to people’s data as they submit it to complete orders with you. It’s your legal responsibility to research the GDPR legislation and to take steps to ensure that you adhere to it in the operation of your business.
What do I need to do?
Firstly you need to research exactly what you need to implement, as the steps may vary slightly according to what you sell and the purposes of your business. However, for the vast majority of online shops, you will minimally need to create:
- Procedures – You will need to write up and implement procedures which ensure the protection of your customers’ personal data. If your business makes regular sales calls to customers with the purpose of selling them additional products and services, you will need to obtain your customers’ consent to do this, and record it accurately. Your procedures need to be available to your staff and reviewed regularly, whilst your customers’ data needs to be securely stored and not accessible to anyone who doesn’t need it as part of their role.
What if I use email marketing on my online shop?
If you have an email marketing platform on your online shop where customers can give their consent to receive regular email newsletters from you, you need to ensure that whatever platform you’re using has the ability to record the customer’s consent. The majority should do this as standard, but if your current system does not, it’s up to you to create a manual record of each customer’s consent.
Do I need cookie banners on my online shop?
There’s a lot of confusion around this subject, and in short, the answer is no – if you own an online shop, you don’t need to have a cookie banner or pop-up. This is because an online shop is where items or services are purchased, and its purpose and definition are obvious enough for people to understand that they will need to submit their details at the checkout in order to complete the transaction and receive what they’ve bought.
Other websites, such as blogs and news sites, require cookie banners because although visitors are there simply to read articles, many of those kinds of sites track their traffic for advertising and audience analysis. A cookie banner is therefore required, as personal data is taken to monitor the traffic, and that is not the purpose of the site or something a visitor would be aware of just by visiting and reading blog posts. The cookie banner is how that consent is requested.
What can I not do?
- You can’t offer promotions and discounts – basically, any ‘salesy’ text – in the automated emails the customer receives while purchasing an item from your shop;
- You cannot contact the customer after they have purchased something from you to sell them anything additional unless they have expressly provided consent that they’re happy for you to do so;
- You can’t leave customers’ personal data unsecured – it should only be visible to those members of your staff that need it and otherwise kept safely and, ideally, password-protected;
- You can’t upload people’s email addresses onto an email marketing platform unless you have their express permission to do so stored somewhere;
- You can’t afford to ignore GDPR! To do so is against the law and there are hefty penalties for those who do not adhere. Published lists of businesses and individuals who have been fined make a good read and provide plenty of examples of what not to do.
Now obviously I’m not a legal professional, so you will need to research more on the subject to ensure that you adhere. If you have a simple online shop integrated with an email marketing platform, you’ll find your providers have steps and features built into their platforms to help you adhere to GDPR regulations, so it’s worth looking those up and checking that both you and they are adhering to the legislation.
If you have any further questions, the full GDPR legislation is available online (but is a very heavy read); the EU’s GDPR portal and the Information Commissioner’s website are a lot more reader-friendly as the legal jargon has been minimised. With these resources, some research and the implementation of the correct procedures, your online shop should be GDPR compliant in no time.