How to make your webshop GDPR compliant

On May 25th 2018 the General Data Protection Regulation, GDPR, will come into effect. GDPR protects the personal data of people in the European Union no matter where the website is hosted or where the company behind it is based, so it is not just a concern for European sites. That means that YOUR shop needs to be GDPR-compliant if you have European customers or website visitors.

As fines for breaking GDPR can go up to 20 million euros or 4% of worldwide annual turnover, whichever is higher (yes, really), very few companies can afford to take GDPR lightly. So here’s what you need to do:

1. Write a privacy policy stating clearly what user data you collect, how you store it, how long you keep it and what you use it for. Remember this needs to cover cookies you set, forms on your site, customer info, analytics tools and so on. Here’s one privacy policy template.

2. Place a clickable link to this privacy policy on every page on your website (putting it in the footer is the usual way).

3. Place a clickable link to this privacy policy on every submission form on your website. Make sure you get an active (not pre-checked) opt-in for every piece of information that is not strictly necessary to complete the order.

4. Make sure you have separate active opt-in fields (not pre-checked) for permission to use info like email addresses or mobile phone numbers for marketing or any other purpose beyond fulfilling the order. One checkbox per purpose, so that a customer can say yes to email and no to SMS, and withdraw one without the other.

5. Make sure you have a system in place for sending people a copy of the data you hold on them when they ask for it; GDPR gives you one month to respond. (Manual handling of email requests is fine to begin with, as long as you verify that the requester really is the person whose data they are asking for before you send anything.)
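Steps 3 to 5 have a server-side half that a form alone does not give you: the shop has to treat a missing checkbox as "no consent" rather than defaulting it, keep a record per purpose of what was agreed and under which version of the privacy policy (you must be able to show that consent was given), and be able to pull everything held on one person together when they ask for a copy. The following is an added example, not code from the original article or from any shop platform; the form field names, the policy version string and the in-memory "database" are assumptions made for illustration.

```python
"""Consent capture and subject-access export for a small webshop.

Added example (not from the original article). Demonstrates:
  * a checkbox only counts as ticked if the browser actually sent it
    (browsers omit unticked boxes entirely, so an absent key is "no"),
  * one consent record per purpose, with timestamp and policy version,
    so consent can be proven and withdrawn independently per purpose,
  * answering a data-subject access request by exporting everything
    held on one email address.
Field names, policy version and the dict-based DB are assumptions.
"""
from dataclasses import dataclass, field, asdict
from datetime import datetime, timezone
import json

# Purposes that need a separate, unticked-by-default opt-in (assumed names).
CONSENT_PURPOSES = ("marketing_email", "marketing_sms")


@dataclass
class ConsentRecord:
    purpose: str
    given: bool            # False records an explicit refusal, which is also evidence
    policy_version: str    # the privacy policy text the shopper actually saw
    recorded_at: str       # ISO 8601 timestamp, UTC


@dataclass
class Customer:
    email: str
    name: str
    orders: list = field(default_factory=list)
    consents: list = field(default_factory=list)


DB = {}  # email -> Customer; stands in for a real database in this example


def _now() -> str:
    return datetime.now(timezone.utc).isoformat()


def consent_given(form: dict, name: str) -> bool:
    """True only if the browser sent the checkbox with a truthy value.

    Never write form.get(name, "on") or similar: a default of "on" is a
    pre-checked box in disguise and is not a valid opt-in.
    """
    return str(form.get(name, "")).strip().lower() in ("on", "true", "1", "yes")


def handle_checkout(form: dict, policy_version: str) -> Customer:
    """Store the order (needs no consent: it is necessary to fulfil the
    contract) and one consent record per marketing purpose."""
    email = form["email"].strip().lower()
    cust = DB.setdefault(email, Customer(email=email, name=form["name"].strip()))
    cust.orders.append({"sku": form["sku"], "placed_at": _now()})
    for purpose in CONSENT_PURPOSES:
        cust.consents.append(ConsentRecord(
            purpose=purpose,
            given=consent_given(form, purpose),
            policy_version=policy_version,
            recorded_at=_now(),
        ))
    return cust


def has_consent(email: str, purpose: str) -> bool:
    """The latest record for a purpose wins, so withdrawal is just a new record."""
    records = [c for c in DB[email].consents if c.purpose == purpose]
    return bool(records) and records[-1].given


def withdraw_consent(email: str, purpose: str, policy_version: str) -> None:
    DB[email].consents.append(ConsentRecord(purpose, False, policy_version, _now()))


def subject_data(email: str) -> dict:
    """Everything held on this person, for a subject access request.
    Identity of the requester must be verified before this is sent out."""
    cust = DB.get(email.strip().lower())
    if cust is None:
        return {"email": email, "held": False}
    return {"held": True, **asdict(cust)}


def export_subject_data(email: str) -> str:
    return json.dumps(subject_data(email), indent=2)


# Constructed sample submission: marketing_email ticked, marketing_sms left
# unticked, so the browser did not send that field at all.
SAMPLE_FORM = {
    "email": "Anna@Example.org",
    "name": "Anna",
    "sku": "TSHIRT-01",
    "marketing_email": "on",
}

if __name__ == "__main__":
    handle_checkout(SAMPLE_FORM, policy_version="2018-05")
    print(export_subject_data("anna@example.org"))
```

Two details worth carrying into a real implementation: the refusal is recorded as well as the acceptance, so you can later show that the box was offered and left unticked rather than silently absent, and `subject_data` is deliberately the only place that gathers a person's data, so an erasure routine can reuse the same lookup.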

This is a good place to start, but GDPR compliance is very much more than a few easy(ish) tweaks. In fact, it is a matter of adapting your entire business to putting the customer first and ensuring that customer data is handled with care and respect.

One of the most important aspects is how securely data is stored and who it is shared with. You need hosting and storage partners located in the EU or covered by a valid legal basis for transfers outside it (at the time of writing, Privacy Shield certification for US providers; note that the EU-US Privacy Shield was invalidated by the Court of Justice of the EU in July 2020, so check the current basis for any US transfer), and you need valid data processing agreements with all providers of systems where customer data is processed. That means Shopify, Oberlo, Google and others. Most suppliers are currently reworking their terms of service to comply with GDPR requirements, so make sure you read and accept the new terms.

This article is not exhaustive GDPR advice. Please seek professional legal advice for further GDPR compliance strategies.
