You probably know someone who’s requested their data from one of the big social media platforms. It can be staggering to see all the detail in one of these data “dumps”!
If your store collects data from EU residents, you can expect to start receiving “Right of Access” requests under the GDPR.
An EU resident has a right to a copy of all the data you’ve collected about him or her, ideally in an electronic format. This includes information like name, address, and phone number, along with less obvious things like shipment tracking numbers or VAT IDs. Thankfully, WordPress 4.9.6, WooCommerce 3.4, and many WooCommerce extensions automate the legwork Right of Access requests require — we’ll walk you through the process.
Before You Get Your First Request
To start, do a few test orders with your store to understand what data you collect and develop a standard procedure for responding to requests. Your procedure should include:
- How you will confirm the person’s identity: You don’t want to send personal data to anyone but an authorized person!
- Where you will obtain the data. Some data will be available using the new tools in WordPress and WooCommerce. Some plugins store data separately, and you might have other online systems separate from your WordPress/WooCommerce store where you input data. Make a list of all sources of personal data connected to your store.
Not sure you know all the places data might be stored? Do a test order at your store and use it to flesh out your procedure. You’ll be able to see what plugins are automatically providing data using the new WordPress export tool — and what plugins are conspicuously absent. Note all the plugins you don’t see in the export tool; you’ll have to get their data separately.
When The First Request Comes In
1. Confirm identity of the requester
Confirm the identity of the person making the request before you export their personal data. WordPress has a new page under Tools → Export Personal Data where you can send a confirmation request to the customer’s email address (or via their username, if they’re a registered user on your site):
To send the request, type their email address in the box provided and hit “Send Request.” They’ll receive an email with a confirmation link, which they’ll use to confirm the request:
While you’re waiting for the customer to confirm, you’ll see the request displayed as “Pending.” Once they click the link, the status switches to “Confirmed”:
2. Export data
WordPress, WooCommerce, and many extensions work together to assemble an “export” file containing a person’s personal data. You can either send the customer a link to the file — it’s good for three days — or download their file yourself. The latter is useful if you need to combine the export file with sources of data from other plugins to get a complete picture.
After you’ve downloaded or emailed the file, the request will be marked “Completed.” You can leave the completed request alone or use bulk actions to remove it, depending on how you want to log compliance with the law.
Curious to know what a download might look like? Voila:
What About Repeated or Nuisance Requests?
If you find yourself facing multiple requests from the same customer, you are permitted under the law to assess a reasonable fee. That’s something else you should consider as you draw your “right to access” procedures together.
We’ve covered the importance of putting someone in charge of privacy, how to build a policy, and how to prepare for Right of Access request. Next up: Right to Erasure.