What is GDPR?
One of the most radical changes affecting online businesses in 2018 will be the European Union General Data Protection Regulation (GDPR). This new and unified approach to personal data protection gives EU citizens far more control over their personal data.
Perhaps the biggest change in the GDPR is redefining what personal data is and how it should be handled. Under the new regulation, personal data is defined as any information that can be used to directly or indirectly identify a person.
This far-reaching definition includes:
A person’s name
A person’s photo
An email address
A mailing address
Bank details
Medical information
A user’s IP address
And more.
The GDPR was first adopted on 27th April 2016. It becomes enforceable on 25th May 2018, after a two-year transition period given to businesses to adapt to the changes.
The essence of the GDPR concerns the following three areas:
i) Get consent: the user must agree to receive marketing campaigns from you.
ii) Provide adequate protection: you must protect the user’s personal data adequately.
iii) Delete, correct, or restrict when asked: If the user requests you delete, correct, or restrict the personal data you have, you must comply.
How to prepare your store for GDPR:
First of all, this article does not constitute legal advice and you should seek professional legal advice where appropriate. The purpose of this guide is to give you some idea of what you can immediately do to comply with GDPR for your online store.
Here are some measures you should take:
1) Get active consent from the user for sending promotion emails:
As a store owner, you are probably collecting user emails at different places in your store. At each of those places, you need to take active consent from the users before sending promotional emails.
For consent to be valid under GDPR, a customer must actively confirm their consent, such as ticking an unchecked opt-in box. Pre-checked boxes that use customer inaction to assume consent aren’t valid under GDPR.
i) On the register/sign-up page:
As mentioned earlier, if you intend to send promotional emails (which you should do) to someone who registers on your store, you should take their consent first.
Here are some examples of what you can do on your registration page.
On OTTO’s registration page they have a checkbox to opt for promotional emails.
ii) On the checkout page:
On the customer information page, below the input box for email, there is a default checkbox for opting in to newsletters and offers. You should keep that unchecked by default to comply with GDPR’s active consent requirement.
iii) If you are collecting email addresses at any other place on your store:
If you are collecting email addresses anywhere on your website and send more emails than the user signed up for, then to comply with GDPR you need to take consent for the additional emails.
For example, OTTO has an opt-in for the newsletter in its footer. There they have clearly mentioned the following:
i) All the emails the user may receive.
ii) From whom (the company name) they will receive it
iii) How the user can revoke the consent.
iv) Get consent from the existing contacts in your list:
Now that you’ve updated your forms to comply with GDPR, you’ll be able to collect consent from new contacts. But you still need your existing contacts to opt in to your marketing permissions. The best way to do this is to send a campaign to each list affected by the GDPR.
v) Respect the consent:
It’s not only about having the option to get the consent, you actually need to respect it. Make sure your list is tagged properly so that you can easily create segments depending upon the consent and send emails accordingly.
Major email service providers like MailChimp and Omnisend have already started adopting the changes and have built their systems in accordance with GDPR.
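To make the “active consent” and “tag your list” points concrete, here is an added JavaScript example (it is not from the article, nor from OTTO, MailChimp or Omnisend): a small consent ledger that records only affirmative opt-ins together with when and where they were given, rejects anything submitted from a pre-checked box, supports revocation, and builds a segment per purpose before a campaign goes out. The function and field names (recordConsent, revokeConsent, segmentByPurpose, mayEmail, the `prechecked` flag) and the sample addresses are this example’s own assumptions.

```javascript
// Added example (not from the original article): a minimal consent ledger for a
// store's mailing list. It records only affirmative opt-ins, keeps the evidence
// GDPR expects (when, where, for what), supports revocation, and lets you
// segment contacts by the consent they actually gave.
// All names (recordConsent, revokeConsent, segmentByPurpose, mayEmail) are
// this example's own assumptions, not an API of any real provider.

const SUBSCRIBE_PURPOSES = new Set(["newsletter", "offers"]);

// Ledger: normalised email -> { purpose -> { grantedAt, source, revokedAt } }
function createLedger() {
  return new Map();
}

function normaliseEmail(email) {
  return email.trim().toLowerCase();
}

// Record consent from a form submission. `checkboxWasChecked` is the submitted
// state of the opt-in box; `prechecked` is whether the box was rendered ticked.
// A pre-ticked box means consent by inaction, so it is rejected, not recorded.
function recordConsent(ledger, { email, purpose, checkboxWasChecked, prechecked, source, now = Date.now() }) {
  if (!SUBSCRIBE_PURPOSES.has(purpose)) throw new Error(`unknown purpose: ${purpose}`);
  if (prechecked) return { ok: false, reason: "pre-checked box is not active consent" };
  if (!checkboxWasChecked) return { ok: false, reason: "no affirmative action" };
  const key = normaliseEmail(email);
  const entry = ledger.get(key) || {};
  entry[purpose] = { grantedAt: now, source, revokedAt: null };
  ledger.set(key, entry);
  return { ok: true };
}

// Revoke a previously granted consent; returns false if there was none to revoke.
function revokeConsent(ledger, email, purpose, now = Date.now()) {
  const entry = ledger.get(normaliseEmail(email));
  if (!entry || !entry[purpose] || entry[purpose].revokedAt !== null) return false;
  entry[purpose].revokedAt = now;
  return true;
}

// Segment: every address with currently valid consent for a purpose, sorted.
function segmentByPurpose(ledger, purpose) {
  const out = [];
  for (const [email, entry] of ledger) {
    const c = entry[purpose];
    if (c && c.revokedAt === null) out.push(email);
  }
  return out.sort();
}

// Check to run before a single send: is this address in the purpose's segment?
function mayEmail(ledger, email, purpose) {
  return segmentByPurpose(ledger, purpose).includes(normaliseEmail(email));
}

// Constructed sample submissions (not real customers).
function demo() {
  const ledger = createLedger();
  recordConsent(ledger, { email: "Alice@example.com", purpose: "newsletter", checkboxWasChecked: true, prechecked: false, source: "signup-page" });
  recordConsent(ledger, { email: "bob@example.com", purpose: "newsletter", checkboxWasChecked: true, prechecked: true, source: "old-form" });
  recordConsent(ledger, { email: "carol@example.com", purpose: "offers", checkboxWasChecked: false, prechecked: false, source: "checkout" });
  recordConsent(ledger, { email: "dave@example.com", purpose: "newsletter", checkboxWasChecked: true, prechecked: false, source: "footer" });
  revokeConsent(ledger, "dave@example.com", "newsletter");
  return ledger;
}
```

In a real store the default state of the checkbox is known from your own template, so the `prechecked` rejection belongs at render time rather than as a submitted field; it is passed in here only to make the rejected case visible. The point to keep is the shape of the record: purpose, timestamp, source and revocation, which is what lets you build the segments the article talks about.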
2) Get consent for storing data using cookies:
As an online store owner, it is most probable that you are using cookies on your store. Cookies are mainly used to store users’ data for different purposes, such as a personalized shopping experience or retargeting users on other channels like Facebook or YouTube.
The EU directive for using cookies was adopted by all EU countries in May 2011. The Directive gave individuals rights to refuse the use of cookies that reduce their online privacy.
If you are not taking the consent yet, it’s time to set this up.
Compliance with the cookie law comes down to three basic steps:
i) Work out what cookies your site uses with a cookie audit.
ii) Tell your visitors what data you collect with cookies and how you use it to improve their shopping experience. Create a cookie policy and link to it when taking consent from the user. You can include the cookie policy in your privacy policy as well.
Sainsbury’s cookie policy is a good example in which all the necessary details have been clearly explained:
iii) Take consent from the EU users for using cookies. There are plenty of apps like EU Cookie Bar by Booster Apps which you can use to set this up very easily.
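The three steps above (audit, document, consent) can be backed by a little code. The following JavaScript is an added example, not from the article and not the code of EU Cookie Bar or any other app: it parses the cookie string a browser exposes as `document.cookie` (the same format as a raw Cookie request header), matches each cookie against the store’s own cookie inventory, flags anything the cookie policy does not describe, and gates non-essential cookies behind the consent the visitor actually gave. The inventory, the cookie names and the sample string are constructed for this example.

```javascript
// Added example (not from the article or any cookie-consent app): a small
// cookie audit helper plus a consent gate. The inventory below stands in for
// the store's own cookie policy; its entries are constructed for this example.

const COOKIE_INVENTORY = {
  cart: { category: "necessary", purpose: "keeps the shopping basket between pages" },
  session_id: { category: "necessary", purpose: "login session" },
  _ga: { category: "analytics", purpose: "traffic measurement" },
  _fbp: { category: "marketing", purpose: "ad retargeting" },
};

// Parse "a=1; b=2" into [{ name, value }], tolerating spaces and '=' in values.
function parseCookieString(cookieString) {
  const out = [];
  for (const part of cookieString.split(";")) {
    const trimmed = part.trim();
    if (!trimmed) continue;
    const eq = trimmed.indexOf("=");
    const name = eq === -1 ? trimmed : trimmed.slice(0, eq);
    const value = eq === -1 ? "" : trimmed.slice(eq + 1);
    out.push({ name: name.trim(), value });
  }
  return out;
}

// Audit step: categorise each cookie; names missing from the inventory are
// reported as "undocumented" so the policy (or the site) can be fixed.
function auditCookies(cookieString, inventory = COOKIE_INVENTORY) {
  return parseCookieString(cookieString).map(({ name }) => {
    const known = inventory[name];
    return known
      ? { name, category: known.category, documented: true }
      : { name, category: "undocumented", documented: false };
  });
}

// Just the names the policy does not cover.
function undocumentedCookies(cookieString, inventory = COOKIE_INVENTORY) {
  return auditCookies(cookieString, inventory)
    .filter((c) => !c.documented)
    .map((c) => c.name);
}

// Consent gate: strictly necessary cookies are always allowed; every other
// category needs an explicit true in the visitor's consent record, e.g.
// { analytics: true, marketing: false }. Unknown cookies are never allowed,
// because a cookie the policy does not list cannot have been consented to.
function mayUseCookie(name, consent, inventory = COOKIE_INVENTORY) {
  const known = inventory[name];
  if (!known) return false;
  if (known.category === "necessary") return true;
  return consent[known.category] === true;
}

// Constructed sample (not a real browser session).
const SAMPLE_COOKIES = "cart=abc123; session_id=xyz; _ga=GA1.2.111; _fbp=fb.1.222; mystery=1";
```

Running `auditCookies(document.cookie)` in the browser console on each page of the store is a quick first pass at the audit; cookies set with `HttpOnly` will not appear there, so the server side needs the same check on the Cookie header it receives. `mayUseCookie` is the check to run before any tag or script sets a non-essential cookie, with `consent` filled from the visitor’s answer to the cookie banner.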
3) GDPR compliant privacy policy:
The main focus of the General Data Protection Regulation (GDPR) is the protection of personal data and digital privacy.
Because of this, your Privacy Policy is going to be an important part of your GDPR compliance plan.
Here’s a GDPR compliant privacy policy generator which you can use to create your new privacy policy.
To conclude:
The whole world, including you and me, is concerned about the privacy of our personal data. With GDPR, the EU is the first to take the initiative to safeguard its residents’ interests. There is no doubt that more countries will follow this path and bring their own regulations in line with GDPR.
It’s time for you to prepare your store for GDPR now. In the long run it will be beneficial to your business in many ways.
If you have any questions regarding GDPR compliance for online stores, please comment below.