General Data Protection Regulation (GDPR)
The General Data Protection Regulation (GDPR) will come into effect on May 25, 2018. This regulation harmonizes privacy and data protection laws within the European Economic Area (EEA) and expands on an individual's ability to access and control the personal data that you collect from them. The GDPR might apply to you if you are processing the personal data of people in the EEA even if your business is located outside of the EEA.
For details on the GDPR, see the following resources:
Shopify expects to be GDPR compliant when it takes effect on May 25, 2018. In the meantime, you can document your policies and procedures with respect to how you process data in accordance with the GDPR. Here are GDPR topics to think about and take action on separately.
Collecting personal data
Personal data can be a name, address, email address, social media account, or even a digital identifier such as an IP address or a cookie ID. The GDPR protects the fundamental rights of individuals within the EEA in relation to the processing of personal data. Consider the following questions:
- Are you collecting personal data from customers within the EEA?
- If your Shopify store uses third-party apps or themes, do they process personal data in accordance with the GDPR?
Appointing a Data Protection Officer
A Data Protection Officer (DPO) oversees how your organization collects and processes personal data. The GDPR includes specific tasks that a DPO needs to do, such as conducting data protection impact assessments when your organization changes how it collects and processes personal data. You might want to think about whether you are required to appoint a DPO to advise on your compliance with the GDPR.
Under the GDPR, you might need to obtain consent to process the personal data of your customers or change how you currently obtain that consent. In particular, the GDPR says that consent must be "freely given, specific, informed and unambiguous." For example, if you are using online advertising or retargeting apps, then you might need a heightened form of consent. Consider the following questions:
- Do you need to obtain a more specific consent from customers because of the personal information that you or a third-party app process?
- Do you need to modify your processes to obtain affirmative, opt-in consent for processing personal data?
The GDPR includes specific parental-consent requirements when processing the personal data of users under the age of 16 (this age can be lower in certain countries). Think about the following questions:
- Are you required to obtain parental consent?
- Do you need to modify how you process customer data to either stop processing the data of those users under the age of 16 or obtain parental consent?
Processing GDPR data requests
The GDPR expands on an individual's right to access and control their personal data. You might need to update how you process customer data to respond to personal data requests protected under the GDPR.
Subject access requests and portability
The GDPR gives individuals the right, in certain circumstances, to request a copy of their personal data that is being processed by a company. The GDPR requires that you provide your customers with a copy of their personal data in a common, easily readable, portable format, so that they can use that data with a different service provider. Consider the following questions:
- What data would you need to provide in response to a subject access or portability request?
- In what format would you provide this data?
- Do you need to modify how you process customer information to provide this data?
The GDPR gives individuals the right, in certain circumstances, to ask that their personal data be erased, or that a company restrict the processing of their personal data. You should consider whether you might be obligated to erase or restrict the processing of your customers' data in response to such a request.
Data breach notification
If you experience a data breach and the GDPR applies to you, you may be required to notify affected users or specific regulatory bodies. Where feasible, you're required to provide notice within 72 hours of becoming aware of the breach. Think about putting together a data breach response plan for your business so that you are prepared for such an incident.
The GDPR imposes certain requirements on a company that uses third-party vendors and service providers to process the personal data of its users. Consider reviewing the privacy practices of the vendors and service providers that you use to make sure that they adequately protect your customers' personal data.