The GDPR: Ongoing Compliance

Over the past week we’ve answered some key questions about GDPR compliance. You’ve read about the changes coming to eCommerce (and the internet in general), the importance of putting someone in charge, and how to craft a privacy policy. You learned the basics of responding to Right of Access and Right to Erasure requests, and the importance of keeping your data — and your customers’ data — secure.

There’s also a larger issue at play: privacy isn’t a one time effort. It’s part of the ongoing maintenance for your business.

The GDPR is only the latest law designed to shift the balance of power back to consumers — it builds on older laws like the UK’s DPA. And it won’t be the last; store owners can expect updates to the GDPR, and similar laws will be enacted in other countries. Keeping abreast of these laws and which ones apply to you is an ongoing responsibility.

Whoever is charged with keeping an eye on privacy matters for you will need to make sure your store’s privacy policy stays fresh, especially as you add, update, or remove plugins and third-party services. Plugins will also update their privacy declarations, as they evolve to use personal data in new ways. Stores will need to keep on top of requests and security and data retention on an ongoing basis. Data security is as much a part of day-to-day work as tracking inventory and sales.

You’re part of a larger WooCommerce community

As one of hundreds of thousands of WooCommerce store owners, you’re part of a larger community. GDPR requirements might be intimidating, but they’re not insurmountable! If you have feedback on how we can make compliance a little bit easier, we’d love to hear from you in the comments, or in the #GDPR channel on WooCommerce Slack.

Good luck, happy selling, and drop us a line on privacy at woocommerce dot com if you have anything to share about your WooCommerce experiences in this brave new personal-data oriented world.

Take a look at our tools and resources on GDPR
Kevin Bates Avatar

About

16 comments

  1. May I know the concept of woocommerce?

    Loot Deals
    mai 18, 2018
  2. Thanks for these helpful, clear and informative articles on GDPR. Much appreciated!

    David Stark
    mai 18, 2018
  3. I want to get the password

    Ali A/Aziiz aadan Yuusuf
    mai 19, 2018
  4. GDPR giving us a headache. Thanks for the information.

    kyra Pieterse
    mai 19, 2018
  5. Hi, i have 2 question….
    the GDPR say the user can deny the cookie?
    If thay do, how can we sell without cookie?

    2nd question, the GDPR say that user have right to ask erasure, but… if the customer do order, we need to keep the data of order and invoice for 10 years? How we can do? We must delete parts of data or we must waiting 10 years to delete it?

    Stefano
    mai 19, 2018
    • Hello Stefano ,about cookies you need the customer aproval to use them if they deny you refuse to sell.
      About the second question , if the law asks you to keep invoice data for 10 years , then the users request do not apply.Any time the users req. something ,but on your side law asks for his data you have no obligation , maybe just to inform the customer you cannot fulfill his req bc of the law.

      Ovi
      mai 22, 2018
  6. Good article

    AMiR
    mai 19, 2018
  7. I gave the RC2 a quick test and checked a order for deleting personal data. Personal data was removed after. But related orders were still there with personal data. And are we able to use that new tool anywere in world? How about law related terms like tax laws? I do need that info because I have to give my clients a note about and how they may use that new tool.

    What about subscriptions?

    I found at https://www.willows-consulting.com/gdpr-for-ecommerce/ this note about tax compliance:

    GDPR does not trump other laws. E.G. if you have to keep personal data to justify vat charges then this is needs to be kept for tax compliance. The rule in GB and Ireland is 7 years. Other countries may vary.

    Shoudn’t there be a setting for how old a order has to be in case for which personal data should be removed? If a shop owner deletes such personal data from a order accidentally to early, it can’t be restored with a click!

    Adrian Wackernah
    mai 23, 2018
    • Hi Adrian!

      I like this idea – i.e. allow store owners to check the « erasure » box but also set a minimum age below which data is nonetheless retained (e.g. for tax purposes)

      Would you mind opening an issue at https://github.com/woocommerce/woocommerce/issues ?

      Thank you!

      Allen Snook
      mai 24, 2018
  8. Great article! Bookmarked

    GDPR Blog
    mai 23, 2018
  9. Hi Allen,

    thank you so much! I appreciated a lot. Now, with your posts I feel ongoing GDPR compliance.

    Giancarlo
    mai 26, 2018
  10. very good
    clarified very well about gdpr

    Apostila Concurso
    mai 27, 2018
  11. I upgraded Woocommerce and tried to anonymize older order (in test environment), work just fine except one huge issue: IP adresses are considered to be personal data and orders still contain ip-adresses…

    Kristin
    mai 29, 2018
  12. Thanks to numerous articles on the Internet about GDPR and how to comply, my company prepared for it quickly and effectively. We found checklists and done all items from them, to not pay huge fines in future. Here is one of the best checklists I found https://qawerk.com/blogs/gdpr-compliance-checklist-outsourcing-companies/ and it fully corresponds to GDPR requirements. Hope it will help someone)

    Alise
    juin 7, 2018
  13. Just calling out attention on this line: « privacy isn’t a one time effort. It’s part of the ongoing maintenance for your business. » That’s well said and absolutely correct. We typically refer to it as the GDPR journey for that reason.

    Rob - Clarip
    juin 11, 2018

Stay up to date with WooCommerce emails

View our privacy policy. You can unsubscribe anytime.

Subscribing...

There was an error subscribing; please try again later.

Thanks for subscribing!
Emails will be sent to

You're already subscribed!
Emails are sent to

Use of your personal data
We and our partners process your personal data (such as browsing data, IP Addresses, cookie information, and other unique identifiers) based on your consent and/or our legitimate interest to optimize our website, marketing activities, and your user experience.