What is GDPR and why do you need to be compliant?
In May of 2018, the EU put a new privacy regulation into action that affects websites around the globe. Known as GDPR, the General Data Protection Regulation is over 200 pages long and can get even American-based website owners into trouble if they don’t comply.
The General Data Protection Regulation (GDPR) introduces new rules for organizations that offer goods and services to people in the European Union (EU), or that collect and analyze data for EU residents no matter where you or your enterprise are located.
Basically, even if you’re outside of the European Union, if you have website traffic coming from the EU, you fall under this new regulation, and could be fined handsomely for not complying with it. That’s right: if you fail to comply, you could be charged 4% of your business’ earnings, or €20 million, whichever is greater.
The biggest issue for the average site owner is consent. In accordance with GDPR, you must obtain explicit consent from EU citizens before collecting or processing any of their personal information. This, of course, causes a problem since most Shopify store owners use Google Analytics to track user ID / hashed personal data, IP addresses, cookies, and other behavioral profiling event data. And, if you don’t have consent, you cannot share any of that information with any of your Remarketing / Advertising (Google Adwords) accounts. Or, if you do, you’ll be fined.
The next important issue is personal data management. Each customer, whether or not they have an account in your store, needs to be able to access, update, delete or download any personal data collected by your store. Even if you don’t give customers a login option, you still need to offer this to the customers from whom you have received orders.
Helpful definitions for GDPR terms used in this document:
Data Controller (Controller): A legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
Personal data and data subject: Any information relating to an identified or identifiable natural person (data subject); an identifiable natural person is one who can be identified, directly or indirectly.
Processor: A natural or legal person, public authority, agency, or other body, which processes personal data on behalf of the controller.
Customer Data: Data produced and stored in the day-to-day operations of running your business.
What is the GDPR?
The GDPR gives rights to people to manage personal data collected by an organization. These rights can be exercised through a Data Subject Request (DSR). The organization is required to provide timely information regarding DSRs and data breaches and perform Data Protection Impact Assessments (DPIAs).
Several points should be considered when implementing or assessing GDPR requirements:
Assessing the data security of your organization.
Who is your data controller?
What data security processes may you have to perform?
Use Pandectes GDPR Compliance to assess your risk
Customer Data Request (DSR)
The GDPR grants individuals (or data subjects) certain rights in connection with the processing of their personal data, including the right to correct inaccurate data, erase data, receive their data, and have their data transmitted to another controller. The controller is responsible for providing a timely, GDPR-consistent reply. For details, refer to Customer Data Requests.
Updated on: 20/02/2024