GDPR Compliance: Are You Ready?
by John Saunders
GDPR GDPR GDPR GDPR GDPR. What the hell is going on and why does it feel like internet-apocalypto?
The European Union General Data Protection Regulation (GDPR) becomes fully enforceable on May 25, 2018. As of now, the expected rate of companies missing the deadline is well over 50%. The problem is that many companies have no idea what it means or what the rules entail, but the fines are insurmountable for most.
The core of the issue lies in the information companies collect from their customers, users, clients, vendors, pretty much anybody they may interact with. While GDPR does not fault businesses for security breaches they could not have known about, it does enforce the effort businesses must make to prevent breaches and to limit the damage when one happens.
I would like to break down some of the most important parts of GDPR preparations. Here they are:
Update Your Privacy Policy.
A single employee can do this. Your website’s privacy policy needs to be kept current as an ongoing protection, telling users what data you collect, what you do with that data, how long the data is stored, and whom you share it with. Another huge matter is allowing users to edit, delete, or update their data.
WooCommerce maps out the following main lawful bases for processing personal data:
- Consent: The user explicitly gives their consent to a specific kind of processing of their personal data (e.g., consent to participate in market research performed by a third party).
- Contractual necessity: The processing of the personal data is required to fulfill a contract (e.g., ship their order).
- Compliance with legal obligations: The processing of the personal data is required for legal reasons (e.g., a VAT ID kept for tax records).
- Legitimate interests: The processing of the personal data is a legitimate, expected behavior of a business (e.g., follow up emails after they’ve placed their order with other products they may be interested in).
Put Someone in Charge of Privacy, Company-Wide.
One of the things that GDPR will be looking for (or at least expecting) is that there is someone in charge of protecting privacy, or a DPO (data protection officer). This means designating someone to manage security breaches, privacy policy updates, and so on.
Handle Right of Access Requests.
If your store collects data from EU residents, you can expect to start receiving “Right of Access” requests under the GDPR.
An EU resident has a right to a copy of all the data you’ve collected about him or her. This includes information like name, address, and phone number, along with less obvious things like shipment tracking numbers or VAT IDs. Thankfully, WordPress 4.9.6, WooCommerce 3.4, and many WooCommerce extensions automate the legwork Right of Access requests require — we’ll walk you through the process.
- How you will confirm the person’s identity: You don’t want to send personal data to anyone but the person it belongs to or someone authorized to act for them.
- Where you will obtain the data. Some data will be available using the new tools in WordPress and WooCommerce. Some plugins store data separately, and you might have other online systems separate from your WordPress/WooCommerce store where you input data. Make a list of all sources of personal data connected to your store.
Handle Right to Erasure Requests.
Users WILL request to have their data deleted, or erased. Store owners who collect data from EU residents can expect to receive “Right to Erasure” requests under the GDPR. As with Right of Access requests, the data a person can expect to be erased includes the obvious — name, address, phone number — and the less obvious, like tracking numbers and VAT IDs.
When you’re ready to fulfill a Right to Erasure request, the good news is that — as with Right of Access requests — WordPress 4.9.6 and WooCommerce 3.4 have tools to help. If you are not on WordPress, a similar technical approach is advised.
When a request is received:
- How you will confirm the person’s identity: Only an authorized person can request erasure.
- Where you will obtain the data. Some data will be available using the new tools in WordPress and WooCommerce. Some plugins store data separately, and you might have other online systems separate from your WordPress/WooCommerce store where you input data.
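Both the Right of Access and the Right to Erasure sections above note that some plugins store personal data outside the core WordPress and WooCommerce tables, and that the WordPress 4.9.6 tools only cover what is registered with them. The following is an added example, not code from the original post or from WooCommerce, showing how a plugin registers its own data with those tools so that a single Tools > Export Personal Data or Erase Personal Data run also covers it. The plugin name, the table `myplugin_shipments` with its columns, and the function names are all assumptions made for this illustration; the filter names `wp_privacy_personal_data_exporters` and `wp_privacy_personal_data_erasers` and the callback return shapes are the real WordPress 4.9.6+ API.

```php
<?php
/**
 * Added example (hypothetical plugin, not from the original post or from WooCommerce).
 *
 * Assumptions for illustration only:
 *  - the plugin keeps a custom table {$wpdb->prefix}myplugin_shipments with the
 *    columns id, email, tracking_number, vat_id, created_at;
 *  - VAT IDs must be kept for tax records (a legal obligation), so erasure
 *    removes the tracking number and unlinks the e-mail but retains the VAT ID
 *    and reports that to the administrator running the request.
 */

// --- Right of Access: register an exporter with the WordPress privacy tools ---
add_filter( 'wp_privacy_personal_data_exporters', 'myplugin_register_exporter' );

function myplugin_register_exporter( $exporters ) {
    $exporters['myplugin-shipments'] = array(
        'exporter_friendly_name' => 'My Plugin shipments',
        'callback'               => 'myplugin_export_personal_data',
    );
    return $exporters;
}

function myplugin_export_personal_data( $email_address, $page = 1 ) {
    global $wpdb;
    $table = $wpdb->prefix . 'myplugin_shipments';

    // Prepared statement: the e-mail address comes from the request form, never trust it raw.
    $rows = $wpdb->get_results(
        $wpdb->prepare(
            "SELECT id, tracking_number, vat_id, created_at FROM {$table} WHERE email = %s",
            $email_address
        )
    );

    $export_items = array();
    foreach ( $rows as $row ) {
        // One item per shipment; WordPress groups items by group_id in the export file.
        $export_items[] = array(
            'group_id'    => 'myplugin_shipments',
            'group_label' => 'Shipments',
            'item_id'     => 'shipment-' . $row->id,
            'data'        => array(
                array( 'name' => 'Tracking number', 'value' => $row->tracking_number ),
                array( 'name' => 'VAT ID',          'value' => $row->vat_id ),
                array( 'name' => 'Created',         'value' => $row->created_at ),
            ),
        );
    }

    // All rows are returned in one page, so the exporter reports that it is done.
    return array( 'data' => $export_items, 'done' => true );
}

// --- Right to Erasure: register an eraser with the WordPress privacy tools -----
add_filter( 'wp_privacy_personal_data_erasers', 'myplugin_register_eraser' );

function myplugin_register_eraser( $erasers ) {
    $erasers['myplugin-shipments'] = array(
        'eraser_friendly_name' => 'My Plugin shipments',
        'callback'             => 'myplugin_erase_personal_data',
    );
    return $erasers;
}

function myplugin_erase_personal_data( $email_address, $page = 1 ) {
    global $wpdb;
    $table = $wpdb->prefix . 'myplugin_shipments';

    $count = (int) $wpdb->get_var(
        $wpdb->prepare( "SELECT COUNT(*) FROM {$table} WHERE email = %s", $email_address )
    );
    if ( 0 === $count ) {
        // Nothing stored for this person: report that honestly rather than claiming a removal.
        return array( 'items_removed' => false, 'items_retained' => false, 'messages' => array(), 'done' => true );
    }

    // Pseudonymize rather than delete: blank the tracking number and replace the e-mail
    // with a keyed hash (wp_hash uses the site's salts) so the row can no longer be
    // tied back to the person, while the VAT ID needed for tax records stays in place.
    $updated = $wpdb->update(
        $table,
        array( 'tracking_number' => '', 'email' => 'erased-' . wp_hash( $email_address ) ),
        array( 'email' => $email_address ),
        array( '%s', '%s' ),
        array( '%s' )
    );

    return array(
        'items_removed'  => false !== $updated,
        'items_retained' => true,
        'messages'       => array( 'VAT IDs were retained because they are required for tax records.' ),
        'done'           => true,
    );
}
```

Registering both callbacks is what makes the "Where you will obtain the data" inventory above actionable: every plugin or custom table that holds personal data gets an exporter and an eraser, so the administrator confirming the requester's identity runs one request and does not have to remember separate sources by hand. Retaining data under a legal obligation must be reported through the `messages` array, which WordPress shows to the administrator, so the response to the data subject can explain what was kept and why.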
Security Breaches and What To Do With Them.
Your DPO needs to be prepared for data breaches and how to handle them. GDPR requires:
- Protecting personal data by employing techniques such as access restrictions, encryption, pseudonymization, backups, data minimization, and regular testing of all these techniques.
- Notifying the appropriate supervisory authority no more than 72 hours after becoming aware of a breach of users’ personal data, including the number of users whose data was exposed, the nature of the breach, and what actions are being taken to mitigate its effects.
- Communicating this information to the impacted users, especially if the data breach exposed any of their unencrypted personal data.
- Considering the needs of any law enforcement investigations before publicly announcing the breach.
You can also create a checklist, like the one below, of what to do when you have a breach:
- Changing all passwords.
- Creating a fresh backup.
- Identifying how the attacker got in and removing their code and means of access.
- Contacting any supervisory authority required, especially in the EU.
- Contacting impacted customers.
- Identifying preventive measures that stop the same attack from happening again, and putting them in place.
Wrapping Up.
Don’t worry if you don’t hit the deadline with everything in its final place. Preparing is the first step (and biggest one) to being compliant. Keeping this all top of mind is a huge factor in GDPR, and taking the above steps to ensure you’re ready could save your business from massive fines and penalties.
Source: WooCommerce and the GDPR