On May 25th, 2018 the European General Data Protection Regulation (GDPR) comes into effect. This is a new set of rules governing the use and storage of information about users located in European nations. You may be thinking that if you are not based in Europe you are not affected by these regulations. That may not be the case. If your website just displays information to visitors and does nothing else, then you are probably fine; however, if you run an online shop, for example, and some of your customers are based in Europe, then these regulations apply to you. In fact, if you gather and store any kind of information about individuals from European nations, then you need to think about GDPR.
Where to Start With GDPR
So what does this mean for you and your business? Thankfully Australian online privacy laws are quite extensive, so provided you have been in compliance with Australian law, you may not need to do much. However, we are not lawyers and cannot give professional advice on exactly what you need to do. What we can do is provide you with some resources and give you a few pointers.
- The EUGDPR portal is a good place to start.
- The Guide to the General Data Protection Regulation also has a lot of detailed information.
- We think the GDPR: 12 Steps to take now guide is perhaps a little easier to digest.
- A good ice-breaker might be this infographic.
A Brief Summary of the Impact on Your Business
If you are not capturing and storing any personal information about your site visitors then there is no impact or action required.
For other businesses, the impact will vary. Below is a guide to how we think it will affect Unbranded Space subscribers; however, we remind you that we are not lawyers and this is purely a non-legal opinion.
The aspects of the GDPR that we think will have the greatest impact on Unbranded Space subscribers are the requirements to:
- Ensure that your website tells individuals what information you will be storing about them, how you use it and who you share it with (something you should already be doing).
- Ensure that individuals opt in before you begin storing information about them.
- Ensure that individuals can access the information you store about them and can take that data elsewhere (data portability).
- Provide individuals with the ability to correct inaccurate information or request that it be corrected.
- Provide individuals with the ability to remove their personal data or request that it be removed.
We suggest performing an information audit. List every piece of information that you store about an individual, then create a series of checks. Ask yourself:
- Did we tell the individual that we would be storing their personal information and what we do with the information?
- Did the individual Consent (opt-in) to having us store the data?
- Can the individual access this information and download/export it?
- Can the individual change or request the changing of this information?
- Can the individual remove or request removal of this information?
There is one final consideration: the GDPR should not override other laws. Say, for example, that you are required to keep a record of information for local taxation purposes; that requirement should override the individual’s ability to delete the information. However, in this instance you should only keep a record of the minimum information required to comply with local taxation laws, and other information should still be editable / removable.
A Practical Example
Let’s look at a WooCommerce store – one of the most common examples of a web application that stores user information.
Information that WooCommerce Collects
Provided you are not using any special plugins, then the following information is stored by WooCommerce:
- Customer’s name
- Customer’s email
- Customer’s postal address
- Customer’s billing address
- Customer’s orders
- Payment details
NOTE: Through other plugins, it is possible to share this information with other parties, e.g. Facebook. This is too much to go into in detail here, but if you are sharing data with a third party then the GDPR applies to you and you need to take special care to ensure you are acting appropriately.
Basically, WooCommerce stores the above information to ensure a sale can be processed. There are 2 ways in which WooCommerce can allow checkout.
- Guest checkout – the customer only enters information for the sale, but the customer’s name, email, address and possibly payment details are permanently stored.
- Account checkout – the customer creates an account and enters their email, name, address and payment details. This information can be used for future sales.
So let’s take the information that WooCommerce stores and apply our checks…
How do we tell the customer that we are collecting this information?
It should be clearly stated in your privacy / terms & conditions documents which should be viewable on your website.
Does the customer opt in to having this data stored?
If we look at the two methods of checking out, then the guest method is problematic. You may need to revise how you tell customers that you will be storing their information in your database. Even the “Create an Account?” option is a cause for concern, as a default installation of WooCommerce provides no statement of consent at checkout / sign-up.
ACTION: We think there should be a link to your privacy / Terms & Conditions along with a statement of consent at checkout.
Can the individual access the information that you store?
If the individual is using guest checkout, then there is no way for them to access the information that you store, other than to request it from you. We think this is a problem that will need to be addressed.
When an individual creates an account, they can access all of the information that is stored about them.
ACTION: If you are concerned about GDPR compliance, then you may want to consider temporarily disabling guest checkout. WooCommerce will be looking at ways of establishing GDPR compliance. You may also wish to seek legal advice.
Can the individual download / export the information that you store?
At the moment this is not a feature available in WooCommerce. We expect that it will be available soon, however, it’s up to WooCommerce as to whether or not this is implemented in time. This doesn’t relieve you of your responsibility to comply with the GDPR.
There may be plugins available that allow you to export user data – even for guest transactions. You must also have a method of ensuring that data requests are from the correct individual. If you are storing credit card details then this is potentially a very risky area.
It may be rare / possibly never that you will receive a request from an individual for their information, however, you must be prepared for the possibility.
ACTION: Detail a process for obtaining data in your privacy / terms documents.
Use a payment gateway such as Stripe where the gateway handles credit card information.
While waiting for WooCommerce to catch up you may wish to research a plugin, or talk to us about other possibilities.
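As an added illustration (not code from the original article or from WooCommerce), this query gathers the stored personal details for a guest's orders so they can be exported on request. It assumes the default `wp_` table prefix and WooCommerce's classic storage of orders as `shop_order` posts with billing/shipping fields in `wp_postmeta`; the email address is a constructed placeholder, and the requester's identity must be verified before anything is released.

```sql
-- Collect everything stored against one guest customer's orders for a data request.
-- Guest orders carry _customer_user = 0; account orders hold the user ID instead.
-- Assumption: default wp_ prefix, classic post/postmeta order storage.
SELECT
    p.ID                                                                        AS order_id,
    p.post_date                                                                 AS order_date,
    p.post_status                                                               AS order_status,
    MAX(CASE WHEN pm.meta_key = '_billing_first_name'  THEN pm.meta_value END) AS billing_first_name,
    MAX(CASE WHEN pm.meta_key = '_billing_last_name'   THEN pm.meta_value END) AS billing_last_name,
    MAX(CASE WHEN pm.meta_key = '_billing_email'       THEN pm.meta_value END) AS billing_email,
    MAX(CASE WHEN pm.meta_key = '_billing_phone'       THEN pm.meta_value END) AS billing_phone,
    MAX(CASE WHEN pm.meta_key = '_billing_address_1'   THEN pm.meta_value END) AS billing_address_1,
    MAX(CASE WHEN pm.meta_key = '_billing_city'        THEN pm.meta_value END) AS billing_city,
    MAX(CASE WHEN pm.meta_key = '_billing_postcode'    THEN pm.meta_value END) AS billing_postcode,
    MAX(CASE WHEN pm.meta_key = '_billing_country'     THEN pm.meta_value END) AS billing_country,
    MAX(CASE WHEN pm.meta_key = '_shipping_address_1'  THEN pm.meta_value END) AS shipping_address_1,
    MAX(CASE WHEN pm.meta_key = '_shipping_city'       THEN pm.meta_value END) AS shipping_city,
    MAX(CASE WHEN pm.meta_key = '_shipping_postcode'   THEN pm.meta_value END) AS shipping_postcode,
    MAX(CASE WHEN pm.meta_key = '_shipping_country'    THEN pm.meta_value END) AS shipping_country,
    MAX(CASE WHEN pm.meta_key = '_payment_method_title' THEN pm.meta_value END) AS payment_method
FROM wp_posts AS p
JOIN wp_postmeta AS pm
  ON pm.post_id = p.ID
WHERE p.post_type = 'shop_order'
  -- Only orders placed as a guest (no linked WordPress account).
  AND EXISTS (
        SELECT 1 FROM wp_postmeta AS cu
        WHERE cu.post_id = p.ID
          AND cu.meta_key = '_customer_user'
          AND cu.meta_value = '0'
  )
  -- Match the verified requester's email (constructed placeholder value).
  AND EXISTS (
        SELECT 1 FROM wp_postmeta AS em
        WHERE em.post_id = p.ID
          AND em.meta_key = '_billing_email'
          AND em.meta_value = 'requester@example.com'
  )
GROUP BY p.ID, p.post_date, p.post_status
ORDER BY p.post_date;
```

The same filter on `_billing_email` and `_customer_user` identifies the order records that would need anonymising if the guest later asks for removal, while the order totals and line items (which the query deliberately leaves out) can be retained for sales records.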
Can the individual change or request the changing of this information?
If the user has created an account then all information can be modified by the user.
If the user has checked out as a guest, then they cannot modify the information. It is worth considering here what practical purpose there would be in a guest user wanting to change information after a sale has been made. Taken purely at face value, this would be flagged as a compliance concern; however, a sale is a legal transaction and we would think that this information should be unmodifiable for the sake of keeping legal records and resolving transaction disputes.
We think this is probably fine, however, if concerned you may want to consider disabling guest checkout until such time as the GDPR has come into effect. WooCommerce will likely be looking at ways of establishing GDPR compliance. You may also wish to seek legal advice.
Can the individual remove or request removal of this information?
While it is possible for a user to delete their account, this does not delete their order details from the database. Generally you want to keep this information in case there is a return / refund or transaction dispute. You may also want to keep the information for warranty purposes. A business also needs to be able to keep a record of its sales, which are essentially legal transactions; however, in most cases a business does not need to be able to link a sale to an individual for any legal / taxation purposes.
So an individual still should be able to request that their information be removed / deleted, however you may need to make them aware of any ramifications of such an action. With downloadable products for example, if the individual removes their account, and you delete their data, then it will no longer be possible for them to download the product they have purchased.
You may wish to seek legal advice or talk to the ATO on exactly what information you are required to keep for recording of sales.
So we can see that WooCommerce is partially compliant, but there are some areas of concern particularly if you are using guest checkout. WooCommerce may release updates that address the above areas of concern, but time is running out, so you may wish to have a contingency plan in place. Ultimately the onus is on you – not WooCommerce – to be compliant.
The above only relates to the store part of your business. You also need to consider what other tools you use to gather an individual’s information, e.g. an email campaign manager such as MailChimp. You should run a similar checklist for all information-gathering tools you use.
Is GDPR Compliance Really Necessary?
So what if you only operate within Australia or interact with a small number of people in Europe?
If you are operating completely outside of Europe, then you do not have to comply. However, it is probably a good time to start thinking about the issues that the GDPR raises, because there is a strong chance that other parts of the world will adopt similar regulations. It’s also a good time to review your current privacy policies to ensure that you are compliant with local Australian privacy laws. You don’t need to panic, and you have the luxury of waiting a little while as a lot of teething issues are sorted out. Should a time come when you must comply with regulations similar to the GDPR, then a lot of the mechanisms will already be in place, which will hopefully make compliance a little simpler.
If you do gather data from European nations, then you may be wondering if it is worth bothering with compliance if only a small number of individuals are based in Europe. Do you just stop dealing with European nations until compliance becomes simpler? We recommend that you don’t take this approach and perhaps a better way of looking at GDPR is as an opportunity. If you are GDPR compliant, then you can promote this on your website and potentially improve your sales from European countries.
We have only covered a part of the GDPR – the information of greatest pertinence to most Unbranded Space customers. There are other aspects such as developing policies for data breaches and more. We would again remind you that we are not lawyers and all of the above needs to be considered an opinion piece and not legally binding information. You may need to obtain proper legal advice.
With the above said we are happy to help if we can. We may be able to assist in sourcing plugins or make modifications to help implement any GDPR compliance mechanisms into your website. Please Contact Us if we can help.