The General Data Protection Regulation (GDPR) comes into force on 25th May 2018, and represents a tectonic shift in the rules about how personal data is gathered, processed and used by businesses in the UK, the EU, and ultimately across the globe.
It’s a complex topic, and one we’re being asked about by clients. While we are not data legislation specialists, we are able to support Shopify Merchants with any updates they need to make to their websites in order to meet compliance requirements.
Need to make changes to your Shopify Store? Get in touch to discuss your requirements.
We’ve provided links to some useful information sources throughout this article. For the specific details of the steps your business needs to take, we recommend you consult a data protection specialist who can advise you on your legal requirements and on what you need to do to ensure compliance with the legislation.
One of the best places to start, from a UK perspective, is the ICO (Information Commissioner’s Office), which is currently working with the EU lawmakers to refine the final version of the GDPR before it comes into force.
What is GDPR?
GDPR gives data subjects - the individuals to whom the data relates - greater protection, privacy and access to the data held about them, as well as the right to be forgotten and the right to have their data ported or deleted.
It contains stricter rules about the processing of sensitive data (medical and financial information, for example) as well as data about children.
Another key change is the definition of “personal” data. Whereas previously legislation treated consumer data and business data separately, GDPR regulations apply to any data that could result in an individual being identified, and that will include data for business contacts.
Why do we need more data laws?
The Data Protection Act (DPA) came into force in 1998, and controls how personal information is used by organisations, businesses or the government, and sets out strict rules for how personal information is collected, stored and used. Since 1998, the use of personal data has increased exponentially, and the DPA is no longer sufficient to cover all data use.
While there are still details to be finalised, the principles and concepts of the GDPR are similar to those of the DPA, so if you are already compliant with DPA regulations you’ll be well on the way to complying with GDPR.
For more information about the principles of GDPR, visit the Information Commissioner’s Office website.
What about Brexit?
Regardless of Brexit, UK organisations will still have to be compliant with GDPR as the UK government incorporates much of the existing EU legislation into UK law. Just because the UK plans to leave the EU doesn’t mean that we can ignore GDPR in the hope it won’t apply - it will.
GDPR protects data subjects - i.e. the individual person who could be identified from the data collected, stored or processed about them. And you are obliged to follow the law in the country in which your data subject resides, so regardless of Brexit, your German, French and other EU data subjects (your customers) will still be protected and you will still have to comply.
Shopify and GDPR
Shopify, along with other large data-led organisations such as Google, is itself preparing for GDPR, and is taking steps to ensure that the way it collects, handles and processes data complies with the new regulations.
Shopify has published several articles about how GDPR will affect it as a platform, and how it will affect Shopify merchants. The latter explains in some detail the questions you should be asking yourself in preparation for GDPR.
How seriously should I take GDPR?
Very. The handling of personal data is already heavily protected by UK and EU law, and GDPR will tighten the legislation even further. Failure to comply with these regulations, a breach of data security, or a failure to notify the ICO of a data breach will result in significant fines being imposed - up to 10 million euros or 2% of your global turnover. So the risks are real if you can’t show that you took reasonable steps to become GDPR compliant.
Read the ICO’s guide - GDPR: 12 steps to take now
Updating your Privacy Statement
Organisations will have to be clearer about what tools they use to gather data, why that data is being collected, how the organisation will use that data, and the data subject’s (i.e. the individual about whom the data is collected) rights to access, amend and delete data held about them.
For online businesses, the scope of the legislation is far reaching - from gathering and using website analytics in the development of products, services and how they are served to customers, through to email data collection and methods of communication. And that’s on top of an organisation’s own internal data processes, for example the collection, storage and handling of data about its own staff and suppliers.
Audits and Risk Assessments
GDPR will require organisations to carry out risk assessments and to have procedures in place to deal with data breaches (hacking, theft, server outages, etc.).
As an organisation which relies heavily on data, Eastside Co will be undertaking its own data audit to review its data practices, and identify areas required for compliance.
All set to comply? Get in touch to discuss making changes to your Shopify Store.