How does the GDPR affect you?
The General Data Protection Regulation (GDPR) affects any Shopify merchants based in Europe or that serve European customers. The following regulators within the European Union have provided specific guidance on the GDPR:
- ICO - Guide to data protection
- Data Protection Commissioner - GDPR
- CNIL - Règlement européen: se préparer en 6 étapes (European regulation: preparing in 6 steps)
To help you prepare for the GDPR, we have put together this guide, which identifies the main topics and the questions you should be asking yourself before the regulation takes effect on May 25, 2018.
Collecting personal data
Personal data can be a name, address, email address, social media account, or even a digital identifier such as an IP address or a cookie ID. The GDPR protects the fundamental rights of individuals within the European Union in relation to the processing of personal data. Think about the following questions:
- Are you collecting personal data from customers in Europe?
- If your store uses third-party apps or themes, then do they collect and process data in accordance with the GDPR?
Appointing a Data Protection Officer
A Data Protection Officer (DPO) oversees how your organization collects and processes personal data. The GDPR assigns the DPO specific tasks, such as monitoring your compliance, advising on data protection impact assessments when your organization changes how it collects and processes personal data, and acting as the contact point for regulators. Appointing a DPO is mandatory in certain cases, for example when your core activities involve regular and systematic monitoring of individuals on a large scale. Consider whether you are required to appoint a DPO to advise on your compliance with the GDPR.
Obtaining consent
Under the GDPR, you might need to obtain consent to process the personal data of your customers, or change how you currently obtain that consent. In particular, the GDPR says that consent must be "freely given, specific, informed and unambiguous." For example, if you are using online advertising or retargeting apps, then you might need a heightened form of consent. Consider the following questions:
- Do you need to get a more specific consent from customers because of the personal information that you or a third-party app processes?
- Do you need to change your processes to get affirmative, opt-in consent for processing personal data?
Processing the personal data of children
The GDPR includes specific parental-consent requirements for processing the personal data of users under the age of 16 (individual countries can lower this age, but not below 13). Consider whether you need to change how you process customer data to either stop processing the data of users under that age or obtain verifiable parental consent.
Processing GDPR data requests
The GDPR expands on an individual's right to access and control their personal data. You might need to update how you process customer data to respond to personal data requests protected under the GDPR.
Subject access requests and portability
The GDPR gives individuals the right, in certain circumstances, to request a copy of the personal data that a company is processing about them. It also requires that you provide that data in a structured, commonly used, machine-readable format, so that the individual can transfer it to a different service provider. Consider the following questions:
- What data would you need to provide in response to a subject access or portability request?
- In what format would you provide this data?
- Do you need to change how you process customer information to provide this data?
Erasure and restriction of processing
The GDPR gives individuals the right, in certain circumstances, to ask that their personal data be erased, or that a company restrict the processing of their personal data. Consider whether you might be obligated to erase or restrict the processing of your customers' data in response to such a request, and how you would carry that out across every system and third-party app that holds the data.
Data breach notification
If you experience a personal data breach and the GDPR applies to you, you might be required to notify the relevant supervisory authority and, in some cases, the affected individuals. Where notification to the authority is required, you must provide it without undue delay and, where feasible, within 72 hours of becoming aware of the breach. Put together a data breach response plan for your business so that you can meet this deadline if an incident occurs.
Using third-party vendors and service providers
The GDPR imposes requirements on a company that uses third-party vendors and service providers (processors) to handle the personal data of its users, including having a contract in place that sets out how the processor protects that data. Review the privacy and security practices of the vendors and service providers that you use, including Shopify, to confirm that they adequately protect your customers' personal data.