GDPR: What Is It and How It May Impact Ecommerce Stores in EU and Outside
The EU General Data Protection Regulation (GDPR) law with complicated requirements, expensive implementation and huge fines for non-compliance have thrown many eCommerce businesses into panic since it was announced.
This new EU regulation will impact business not only in the EU but those outside too, if they process the EU residents’ personal data (collect emails, monitor site visitors behavior by IP, etc). And wherever your business is, the EU authorities will find the ways to punish you for non-GDPR-compliance.
Starting from May 25, 2018, the GDPR law may affect how the processors and controllers collect, use, store and maintain personal data of the EU citizens. However, many businesses are not ready yet.
Are you also among those who ignore the GDPR requirements?
Well, you may have strong reasons for it. But let’s take a closer look at this EU regulation to understand what it is, how it applies to eCommerce businesses and what changes you need to implement to avoid fines.
What is GDPR?
The aim of General Data Protection Regulation is to protect personal data of the EU citizens and make sure that online stores, cloud services and other companies with internet presence treat this data carefully and don’t abuse it. These organizations should process the data lawfully and use it only for the purposes it was collected for.
So, it’s not only about your online store security in general, but mainly about the ways you process your buyers’ data.
Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
According to the regulation, personal data processing in the online store can take place only if:
- a buyer gave an explicit consent to have his/her personal data processed and knows that the processor needs this data to sell a product or render a service to the buyer.
For example, the buyer’s credit card number is necessary to accept the payment, the buyer’s address – to ship the order correctly, cookie identifiers – to deliver more personalized experience, monitoring the buyer behavior – to offer more relevant products using the AI technologies, etc.
- the data processing is required by law.
Whom Does GDPR Affect?
Geographically this regulation applies to businesses both inside and outside the EU if they process personal data of the buyers “who are in Union” (as per Article 3).
It means, that while the EU citizens are not in Union, the GDPR doesn’t apply to the processing of their data. But while they are, every processor and controller from the EU, the USA, China or any other country should process their data in a GDPR-compliant manner.
Controller is the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of personal data processing of; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
Processor means a natural or legal person, public authority, agency or another body which processes personal data on behalf of the controller.
eCommerce business owners can be both processors and controllers because no online order is possible without asking a customer at least for their name and contact info. The data they collect, store and use falls within the scope of the GDPR if it belongs to the buyers in the EU.
So, online merchants should follow the new rules unless they stop selling to the EU customers (e.g. restrict checkout for buyers from the EU) and don’t deal with their data at all. But it is hardly possible and may result in significant loss of revenue.
That said, online merchants should get prepared for the GDPR:
- at least if they monitor user behavior on their website and online users who are in the EU are among the visitors;
- and obviously if buyers in the EU can make an online purchase on their website.
GDPR Penalties and Fines
Supervisory authorities in each union state will control the GDPR application. Breakers of the regulation will face huge fines and strict penalties. The size of the fines will depend on each individual case and can be up to 4% of annual global turnover or €20 million.
The frequently asked question is “How will the Union punish countries outside the EU?”
The answer is in Article 50. They plan to develop international cooperation mechanisms with data protection supervisory authorities in other countries. So, they will punish non-compliant store owners with the help of the local authorities.
What’s New in GDPR for Your eCommerce Business?
You might have noticed that most powerful players like Google and Facebook have already implemented the GDPR-compliance into their processes and most likely you’ve started receiving the GDPR-compliance notices from the services you use for your business. Time to prepare your online store to May 25th, 2018, too.
The GDPR affects your whole eCommerce business, not only your website, as you’ll have to implement corresponding changes in any department that touches or uses customer data.
Any kind of your customers’ data processing requires their consent
It’s probably the most important change that comes with the GDPR. Before you start the processing of your buyers’ data you should first get their consent.
Hmm… sounds familiar and looks very similar to accepting terms and conditions.
Not really. If we look closer to Chapter 2 (Principles) of the GDPR we’ll see that:
1) Giving consent should be an active action
No more pre-ticked boxes or opt-ins. In order to complete a purchase or finish the registration on your eCommerce website, a customer should tick the checkbox first to confirm that he allows you to process his data. Make sure they can easily find the terms of their data processing (e.g. link next to the “I give my consent to processing of my personal data” checkbox). For children, you should have the consent of their parents.
Consent checkboxes should be on every page or popup where your buyer enters a new piece of personal data or if you’re asking the data you already have but for a different purpose.
2) Terms of data processing should be clear and easy to understand
Use simple language to explain to them how you’re going to use their data. Avoid legal and technical terms and long-reads.
The essential things you should let them know are:
- why you collect their personal data (email – to notify them about their order status, physical address – to ship their order, etc);
- what data you’re going to store and how long (email address and order history – for your accounting, etc);
- whom you transfer the data and for what purposes (e.g. you can transfer billing address to the payment processor as they may require it to process the payment);
- your company contact information (because you’re the data processing controller) and your data protection officer contact information if you’ve appointed one.
If one piece of data is to be used for multiple purposes (e.g. email – both for order fulfillment and sending promotional materials), make sure you tell your buyers about it, too.
You can no longer force your store visitors to provide you with any personal data in exchange for rendering a service, i.e. it shouldn’t be conditional. A good example of conditional data collection is asking for emails in exchange to downloading an eBook with the purpose to use these emails for your marketing campaigns. In fact, you can still do it, but should clearly state why you are collecting the email and allow them to refuse its processing but still get the service.
Finally, don’t forget to remind them that they can withdraw their consent at any time.
3) Your eCommerce website visitors should have a choice about consenting and the easy way to withdraw their consent
Keep it easy for your buyers to cancel their permission for the processing of their data (e.g. a link in their personal account in your store, easy way to contact you and request the withdrawal).
For example, if you need their email not only for fulfilling their order but also for sending them your newsletters, make sure they can easily adjust their preferences to choose for what purposes you can use their email.
Keep the record of how and when you’ve got the buyers consent as well as the request to the consent withdrawal. You’ll need this information for audits related to your buyer’s data processing.
Of course, if a buyer withdraws his consent, this action relates only to the future processing, not the data already processed.
Buyers should be able to access their data and restrict its processing
- According to the GDPR rules your buyers and other website visitors have the right to obtain confirmation as to whether or not you process their personal data.
- On top of that, if you do, they have the right to request what data you process, for what purposes and who can access it. You should provide them with a detailed report and also include in it the information that you’ve gathered about them yourself from different sources. As for the data they personally gave you, they can request a report in a structured, commonly used and machine-readable format to be able to pass this file to other controllers.
- If a buyer finds out that you’ve got inaccurate data about him, you should correct it upon his/her request.
Reports and rectifications are to be provided without undue delay and hindrance from you as a controller.
- The data subject can restrict the data processing. The restriction means that you can keep storing the info, but no more than that. You can’t use it. The reasons may be different – from the data inaccuracy to unlawful ways of processing. In any case, you should inform the 3rd parties to whom you transferred your buyer’s data about the restriction.
Buyers have the right to be forgotten
This right means that you should remove any personal data concerning them without undue delay upon their request if:
- you no longer need this data for the purposes you collected or otherwise processed it;
- or the data subject withdraws consent and there is no legal ground for the processing.
If you have legal ground for keeping some of the buyer’s data, you can still keep it, but only the data you really need and only for particular purposes. For example, you’re allowed to store your buyers’ orders history (including the relevant data), at least because it’s the proof of the service or product delivered to them.
If you’ve transferred the customer data to 3rd parties, you should inform them, that they can no longer process your buyers’ data.
In case of data breach, notify a supervisory authority and affected customers
Under the GDPR, after a controller reveals a data breach, he has 72 hours to inform the supervisory authority about it (Article 33). The notification should describe the nature of the breach, affected customers and the volume of affected data, consequences and taken measures, etc. If a controller can’t get all the information at once to send it to the authority, he can do it in phases, providing the newly revealed information concerning the breach as soon as possible.
If the data breach is likely to impact customers data, a controller should inform the affected customers without undue delay, describing the breach in clear and plain language.
You don’t have to send notifications to the supervisory authority or to your buyers if the breach is not likely to result in any risk to your buyers’ rights and freedoms.
You should keep records of data processing activities
According to the GDPR, your records of the processing activities should include the following information:
- name and contact details of the controller (joint controller, the controller’s representative and the data protection officer, if any);
- what data you’ve processed and for what purposes;
- whom you’ve transferred or disclosed your buyers’ data (together with the documentation of suitable safeguards);
- time limits for the data erasure (if possible);
- security measures you’ve taken to protect the data (if possible).
Certification and Data Protection Officer
While the certification is voluntary, appointing a Data Protection Officer can be mandatory depending on certain circumstances. According to the regulation, you’ll have to appoint a DPO if your business implies the personal data processing on a large scale. Small businesses most likely don’t have to appoint a DPO at all.
I absolutely agree with you that all the above said looks complicated and a bit scary. However, there are at least two advantages of becoming compliant: more trust from buyers and a good chance to put your customers’ personal data in order.
Indeed, it’s time to audit the data you process. Ask yourself:
- Do you really need all the data you collect or your customers can skip a couple of steps when, for example, completing an order?
- Do you need to store it?
- Are you sure you store it securely?
- How accurate is the data?
- Do you really need that 3rd party service that processes your customers’ data?
… and other important questions related to the data processing.
I’m sure you don’t have clear-cut answers to all of them. And you won’t, unless you audit the data you collect and process.
To Sum up
This article contains the most significant GDPR points to give you a better understanding of what the GDPR is. But every business is unique. So, before you start any changes in your online store, we advise that you should contact competent authorities. They can help with the audit and will also provide you with the list of the necessary changes that your business needs.
As for X-Cart 4 and X-Cart 5 eCommerce platforms, they are GDPR-friendly.
By default both keep and process only the information you need for your eCommerce website business processes (one of the main GDPR principles).
Both have a button in customers’ area that allows deleting customers profiles (the right to be forgotten). Profile deletion removes the data stored in the profile and communication with the store owner and sellers. If anonymous customers want to remove their personal data, they can request it using a Contact us form on your website.
To help you implement other changes required by the regulation easier, we’ve created special addons for the platforms. Here are the changes that the GDPR addons make in your online store:
GDPR-friendly addon for X-Cart Classic
1) Additional checkboxes “I give my consent to the processing of “my personal data” to the registration and checkout pages.
To the difference with the default X-Cart behavior the checkboxes related to customers consent and terms and conditions are not pre-ticked. If you need the Terms & Conditions checkbox pre-ticked, you can enable it in on the addon settings page.
Note: The addon is fully compatible with the default X-Cart templates. If you customized the registration or checkout pages, the changes by the module may not apply and you’ll need to edit your template manually.
2) Additional Privacy statement static page and opening the information in the popup
Clicking on the Terms & Conditions and Privacy statement links on checkout or registration page will open popups with the corresponding information. So, your customers won’t need to go to a different page to check the terms.
You can edit the Terms & Conditions and Privacy statement pages content in your X-Cart back-end. If you keep the default content, don’t forget to replace the values highlighted in yellow with your company information.
3) Profile deletion notification
X-Cart will send this notification to the Users department email address if your registered customer decides to delete his/her profile. There is a special button for it in their profile in customer area.
4) Records of processing activities
The addon settings page has a tab “Records of processing activities”. Here you’ll find the information of the addons that have access to your customers’ personal data and have processed the data. You’ll need this report for the data audit.
If any of your 3rd party addons or custom features also process your customers’ personal data, you should add the information about them into the table manually.
5) The cookie notice appears only when an online user comes to your store for the first time. You might already have this feature in your store as it comes with another addon – the EU Cookie Law. If you use the GEO IP addon, you can configure the notice to appear only for customers from the EU.
The GDPR-friendly addon is based on the EU cookie law addon which used to be available as core functionality. The GDPR addon replaces it.
We’ve released the installation packages for all versions of the 4.7.x branch, for v4.6.6 and v4.5.5. The packages for other versions of 4.6.x and 4.5.x branches will require adaptation.
Owners of X-Cart based stores of older versions should install the feature using the ‘gdpr dev pack’. It includes both the EU Cookie Law and GDPR-friendly addons and requires adaptation to all versions.
GDPR addon for X-Cart 5
1) Customer consent checkbox
The checkboxes on checkout page, on the registration page and on the contact us page are not pre-ticked. Registered customers will need to tick the checkbox only once and anonymous users will have to confirm their consent every time they place an order.
2) Privacy statement static page
The Privacy statement static page appears in your static pages list in the back-end. You can’t remove it unless you disable the addon. If you keep the default text for your Privacy statement page and popup, make sure you replace the values in yellow with the corresponding information about your company.
3) The cookie popup
The addon settings allow disabling the cookie popup at all or showing it only for customers from particular countries only. You’ll need the Geolocation addon for it.
4) GDPR activities
The addon tracks all the activities related to the processing of your customers’ personal data and keeps their record in your store back-end -> Store setup – > GDPR activities. The list of the activities contains the information about the addons, users, payment and shipping methods which have access and have used the personal data.
GDPR for X-Cart 5 is compatible with 5.3.4 branch. However, to avoid any possible issues, we recommend you to upgrade your store to v184.108.40.206.