GDPR and your online business
The EU GDPR and the UK GDPR affect any business that processes or stores the personal data of individuals in the European Economic Area (EU GDPR) or the UK (UK GDPR), wherever the business itself is based.
The guidance below lists some of the ways in which your business might be affected by the GDPR. It is not an exhaustive list and should not be considered as one. It does not constitute legal advice. All businesses are advised to contact a legal professional to seek guidance and assistance in relation to their obligations under the GDPR.
The GDPR affects different businesses in different ways. No two businesses are the same.
For further guidance we'd recommend consulting the following external guidance:
• Information about the GDPR, including the full text of the regulation, is available at https://gdpr.eu/.
• The Information Commissioner's Office (the UK body responsible for Data Protection) has guidance available on their website.
Collection of personal data
The GDPR applies to personal data, which covers a wide range of data points.
For example, names, addresses, email addresses, social media account details, telephone or fax numbers, date of birth, social security/national insurance number.
Personal data can also include a digital identifier where it can be linked to an individual such as an IP address, a cookie ID or a customer reference.
The EU GDPR and UK GDPR protect the rights of individuals within the EU and the UK in relation to the processing of personal data, which includes the collection and storage of that data.
The guidance we publish only relates to the collection, storage and processing of personal data in so far as it is done specifically on the ShopWired platform. It does not cover personal data handled by any third-party apps, externally designed/coded themes or externally provided tools (such as Google Analytics) that your website uses; you remain responsible for the data those services collect on your behalf.
Privacy policy
Most online businesses are familiar with providing a Privacy Policy or notice on their website which covers collection and storage of personal information.
The GDPR specifies the information that must be provided to individuals whose data you are processing, such as who you are, why you are processing their data and on what lawful basis, who it is shared with, how long you keep it and the rights they have over it.
You should ensure your privacy policy includes all of the information that you are required to provide under the GDPR.
A Data Protection Officer (DPO)
All businesses are advised to appoint a DPO to oversee how the business collects, stores and processes personal data.
The GDPR includes specific tasks that a DPO needs to conduct, or oversee, such as advising on and monitoring Data Protection Impact Assessments (DPIAs), which are required whenever a change to the way your organisation collects or processes personal data is likely to result in a high risk to individuals.
Whilst it might not always be a requirement for you to appoint a DPO, our recommendation is that you should appoint one anyway (even if this is yourself).
Obtaining customer consent
The GDPR places specific obligations on businesses that rely on consent as their lawful basis for collecting and storing personal data. Consent is only one of several lawful bases: for example, the data you need in order to fulfil an order can be processed on the basis of your contract with the customer, but marketing emails and non-essential cookies will usually require consent.
It also has specific requirements about how that consent is obtained.
Consent has to be freely given, specific, informed and unambiguous.
Individuals have to actively give consent: a pre-ticked box or a failure to opt out is not sufficient. Customers need to be given clear information about the ways in which you will use their information, and they must be able to withdraw consent as easily as they gave it.
You might like to consider the following questions about your processing of your customers' data. Other questions might be pertinent to your business too.
• Are you providing your customers with enough information about the way in which you collect, store and use their data?
• Are your customers actively giving you consent to collect, store and use their data?
• Are you recording the fact that customers have given active consent (what they consented to, when, and how)?
If you process the data of children under 16 years of age (a lower age, down to 13, applies in certain countries, including the UK) you may need to obtain parental consent.
Our advice would be to ensure that you obtain parental consent when collecting, storing or using the data of any resident of the EU or UK who is under 18 years of age.
Data requests
The GDPR expands on previously existing legislation that covers an individual's right to access and control the personal data that you have about them.
You should review your own internal policies about how you respond to requests from individuals in relation to data you have about them, including how you verify that the person making the request is who they claim to be before releasing any data, and how you will respond within the one-month time limit the GDPR sets.
Individuals can request a copy of the personal data you hold about them (the right of access). Where the right to data portability applies, the data you provide must be in a structured, commonly used and machine-readable format, so that they can use it with a different service provider.
Within the ShopWired platform, you can download the data that exists for any of your customers from the ‘Your Customers’ page.
If you hold other data about the customer outside the ShopWired platform, you need to consider how that data can be brought together and presented to the customer in a portable format if they make a request for it.
Data erasure
The GDPR gives individuals the right to ask that any personal data you hold about them be permanently and irrecoverably erased. This right is not absolute and only applies in certain circumstances; for example, it does not require you to delete records you are legally obliged to keep, such as invoices retained for tax purposes.
Within the ShopWired platform you can delete data about individuals by deleting orders and customers from your account. If you want to keep a record of an order but need to delete the personal data of the individual you can also choose to anonymise the order which permanently removes all of the personal information about the customer from the order.
If you hold personal data on other systems, including copies exported from the ShopWired platform (such as CSV downloads, email archives or accounting software), you need to consider how you permanently erase that data on request.
Data breach
The GDPR places a duty on all organisations to report certain types of data breaches to the relevant supervisory authority.
In certain circumstances, the organisation will also have a duty to report the breach to the individual(s) affected.
A breach is more than just the loss of data: it also includes the accidental or unlawful destruction, alteration, unauthorised access to or disclosure of personal data.
If there is a breach of personal data on our platform we will notify the relevant supervisory authority within 72 hours of first becoming aware of it, as the regulation requires.
If the data of your customers is, or might have been, affected, we will notify you within 48 hours. As the data controller you may then also be required to report the breach to the supervisory authority and, where the breach is likely to result in a high risk to them, to the affected individuals. We will provide you with the necessary details so that you can report the breach within your own 72 hour time limit, which runs from the point at which you become aware of it.
The GDPR allows for organisations to provide information to the supervisory authority in stages, where necessary (a full investigation of the breach can take some time). As we make our own updates we will notify you.
The ICO's guidance (see above) covers data breaches, and your obligations, in more detail.
You should familiarise yourself with these requirements, and implement a process for dealing with a data breach that originates from our platform and also from any of your other systems on which you store or process personal data. The GDPR also requires you to keep a record of every personal data breach, including those you decide are not serious enough to report.