Whether you’ve had a WooCommerce store for a long time or are in the earliest stages of an eCommerce endeavor, you’re probably wondering what you need to do about this new European law—the General Data Protection Regulation (GDPR).
Our six-part series on Getting Ready for the GDPR explores the ins and outs of the law and how it applies to you, a WooCommerce store owner. Let’s get oriented with a few common questions and answers.
What is the GDPR, exactly?
The GDPR is a new law that concerns itself with the handling of personal data of European Union (EU) residents. It takes effect on May 25, 2018.
Over two years in the making, the GDPR is intended to give EU residents more visibility and control over their personal data: how websites, including eCommerce websites, collect data; who they share it with; and what tracking technologies monitor them across the Internet.
If you sell to EU residents, this law applies to you — even if you aren’t in the EU. Fines for non-compliance will be substantial (up to €20 million or 4% of worldwide annual turnover, whichever is higher) and can be levied on businesses both in and outside the EU.
What new privacy-related rights does the GDPR give EU residents?
The new law requires stores to inform their customers about what information they collect, store, and share, and establishes specific rules about the kind of consent required before stores can collect personal data. That means that stores will be asking for consent more explicitly, and detailing their use of personal data more specifically in their privacy policies.
In addition to clearer notices and privacy policies, the GDPR also gives EU residents powerful new rights such as the Right of Access, Right to Rectification, and Right to Erasure.
That means that EU residents will be able to:
- Demand a copy of all the data you have about them.
- Demand any errors in the data be corrected.
- Request the removal of all personal data (subject to any legal obligation you have to keep records, such as invoices for tax purposes).
The GDPR also gives EU residents the right to find out if their personal data has been compromised. Stores will need to report a breach of personal data to their supervisory authority without undue delay (within 72 hours where feasible), and notify affected customers promptly when the breach is likely to put them at high risk.
What’s Personal Data, Exactly?
GDPR isn’t about all information—the new rights for EU residents specifically apply to Personal Data.
Personal Data means anything that can identify a person, either on its own or combined with other data. Examples include a person’s:
- Physical address or email address
- Phone number
- Last four credit card digits
- Shipping tracking numbers (these are unique to an order, and thus to a person)
- IP address
Basically, if you can use a piece of data to identify an EU resident, or combine it with other data to identify them—that’s personal data.
What Should I Be Doing Right Now?
We’ll unpack this over the remainder of this series, which will cover:
- Why you need to put someone in charge of privacy. You’ll want to designate someone to lead this effort. If you’re a one-person shop, that’ll be you.
- How to respond to Right of Access and Right to Erasure requests. There are some helpful new personal data export tools coming to WordPress and WooCommerce.
- What to do in case of a security breach. No one wants this to happen, but preparing for this worst case scenario is part of your privacy responsibility under the GDPR.
The GDPR will be a fair bit of work for most online merchants, but this Getting Ready for the GDPR series will help you navigate this new way of handling personal data efficiently and effectively.