GDPR compliance is a primary requirement for any website that offers its products or services to European countries. Not only does it make the website compliant with the legal framework, it also makes the site more trustworthy in the eyes of visitors, because it increases transparency. But how to become GDPR compliant can be a fuzzy point for some website owners.
In this article, we have put together a GDPR eCommerce checklist for you. Whether you are a newcomer to the field or an expert, this GDPR checklist will serve as a guiding framework for eCommerce compliance. At the end of the article, we will also show you an easy way to make your site GDPR compliant using two simple WordPress plugins. After going through the article, you will be able to make your website GDPR compliant in a few easy steps without any hassle.
What is the GDPR?
General Data Protection Regulation or GDPR is a European legal framework. It was implemented on 25th May 2018 to protect the data privacy of the residents of the EU.
Who does the GDPR apply to?
GDPR applies to a for-profit organization if it –
- Has a business presence in any of the EU countries.
- Does not have a business presence in the EU but processes the personal data of European residents and offers its products or services to residents of EU countries.
- Has more than 250 employees.
- Has fewer than 250 employees but its data collection and processing affect the privacy rights and freedoms of data subjects, the processing is regular, and it includes certain types of sensitive data.
The eCommerce GDPR fines you need to know about
Here are the major fines under GDPR –
- Up to 2% of the company’s annual income of the previous year or up to $10 million, whichever is higher. This applies to non-compliance.
- Up to 4% of the company’s annual income of the previous year or $20 million, whichever is higher. This applies to data breaches.
Main GDPR requirements and how to comply with GDPR
Legal basis for processing data
As per GDPR, the personal data of EU residents may be processed only on at least one legal basis. The legal bases that GDPR provides for data processing are –
- The user has given consent for a specific purpose
- Processing is necessary to enter into or perform a contract to which the user is a party
- Processing is necessary to fulfil a legal obligation to which the data controller is subject
- Processing is necessary to protect the user’s interests
- Processing is necessary for an activity carried out in the public interest
- Processing is in the legitimate interest of the data controller or some other person
The word consent simply means the user’s permission for data processing. Consent must be given voluntarily and is revocable by nature: a user may withdraw or change his or her consent at any time. The consent notice must be clean and clear, with no ambiguity in it.
An organization must keep the following consent records –
- Who gave the consent
- How and when the consent was obtained from the user
- Whether the user was presented with a consent form at the time of consent collection
- Which legal documents and conditions were applicable at the time of consent collection
GDPR has given EU citizens many rights for the protection of their privacy and security. The major rights under GDPR are –
- The right to be informed
Data subjects must be informed about data processing and asked for their consent before data is collected. They have the right to know for what purpose the data is being collected, how it will be processed and stored, and, if it is to be shared with third parties, who it is being shared with.
- The right of access
Data subjects now have the right to access their personal data held in an organization’s database whenever they want. The controller is bound to provide an overview of how the data is processed if a user requests it.
- The right to rectification
Users now have the right to have their data rectified if it is incomplete or inaccurate. GDPR also states that the rectification must be communicated to all third-party recipients involved in the processing. On request, the organization must tell the user who those third-party recipients are.
- The right to erasure
A user may ask an organization to delete his or her data from its database. In that case the organization is bound to delete the information.
- The right to restrict processing
Data subjects have the right to restrict data processing. Such a request must be handled within one month of receipt.
- The right to data portability
A user may obtain their personal data in order to transfer it from one controller to another without any objection from the data processor. Both provided and observed data fall under this rule.
- The right to object
GDPR gives users the right to object to specific data processing activities that involve their personal data. The user has to give a valid reason for the objection if the processing is carried out in the public interest. If the processing is done purely for marketing purposes, no reason is required from the user to raise an objection.
- Rights in relation to automated decision making and profiling
Data subjects have the right to refuse automated data processing. An organization may carry out automated processing only if it is required to enter into or perform a contract recognised under EU member state law, is based on the user’s permission, and does not have any legal or similarly significant effect on the data subject.
Cross-border data transfers
GDPR allows data transfers outside the EEA (European Economic Area) only on the condition that the destination country provides a level of data protection adequate by EU standards.
The other condition is that the data subject must be informed of the transfer. Without the subject’s consent, no data may be transferred.
Privacy by design & default
Data protection must be built in from the outset of designing a business process and throughout its development. In other words, a company must ensure that the standard of its data processing is set high and that all required measures are taken to meet the GDPR standards across the whole data processing life cycle.
In the event of a breach, the data controller must inform the supervisory authority within 72 hours of becoming aware of the breach. If the data is processed by a data processor on behalf of the data controller, the processor must inform the controller of a breach as soon as it becomes aware of it. Affected users must also be informed about data breaches.
Data Protection Officers
The Data Protection Officer (DPO) is a person who helps an organization comply with the GDPR laws. The DPO helps the organization implement all the rules, set the agenda and take action for internal compliance.
A data protection officer is required especially in the following cases –
- Where large-scale, systematic monitoring of users is carried out on a regular basis
- Where the data processing is done by public authorities
- Where complex operations are carried out on users’ data, especially if they involve sensitive data
Maintaining records of processing activities
GDPR mandates that both the data controller and the processor keep a comprehensive and up-to-date (“full and extensive”) record of their processing of users’ data.
A record must be kept if –
- The processing is not occasional
- The processing may result in a risk to the privacy rights and freedoms of EU residents
- The processing involves sensitive or special categories of data
- The processing is done by an organization with more than 250 employees
The record must include –
- Name and contact information of the data controller
- The purpose of the data processing
- An adequate description of the categories of data, of data subjects and of data recipients
- An approximate time limit for processing each category of data
- A description of the organization’s technical security measures
Data Protection Impact Assessment (DPIA)
A DPIA, or Data Protection Impact Assessment, is a process that helps an organization bring itself up to the GDPR standards and stay compliant with them. It is mainly a record-keeping process. It is mandatory where the data processing is likely to result in a risk to the privacy of the data subjects. The DPIA must be recorded in writing.
A DPIA includes the following –
- Description of the processed data
- Purpose of data processing
- An evaluative report of the requirements and scope of data processing in relation to its purpose
- An assessment of the risk factors
- Descriptions of the measures taken to address the risks
Here’s what you need to get started with full compliance:
WP Cookie Consent is an elegant and modern WordPress cookie consent plugin that helps you make your site GDPR compliant by adding a custom cookie bar to it. It lets you create cookie notices within minutes and without any difficulty. You can show or hide these notices based on geolocation. A one-click scanner, when enabled, automatically detects all of the site’s own and third-party cookies, and you may edit the cookie details manually.
In this article, we have tried to give an overview of the GDPR legal framework and eCommerce compliance. We have also given a detailed GDPR requirements checklist to help you make your website comply with the newly implemented privacy rule. At the end of the article, we have suggested two beginner-friendly and responsive plugins designed to generate the legal documents required by GDPR. You can grab the plugins and proceed from there. Within minutes, you will be able to make your site GDPR compliant.
If you found the article useful, please share it on Twitter and Facebook. Leave your views in the comments section below. We would love to hear your feedback. If you need any further information, please don’t hesitate to reach out to us. We will get back to you soon. Subscribe to our YouTube channel for our video tutorials.
Disclaimer: This is a guest contribution from the neighbor’s blog.