GDPR Information

Over the years, we have helped many of our clients to migrate to Liquidshop. In many cases, taking their ecommerce website and their business, to the next level.

Please note that the purpose of this article is to provide an overview of the information and advice for our system, based on how we interpret the GDPR at Liquidshop. External links have been provided for further clarity and detail. Every business is different in how it will need to comply, and we would urge you to consult a lawyer for legal advice to ensure you are fully compliant.

From Friday 25th May 2018, the GDPR (the EU General Data Protection Regulation) will replace the existing Data Protection Act.

It is important to note that regardless of whether your business is based in the EU or not, if you have European customers, this new data protection law will apply to your business. The main purpose of the GDPR is to ensure that all personal data is provided consensually.

A further detailed explanation can be viewed here – https://ico.org.uk/

The full, official GDPR document can be viewed here – https://gdpr-info.eu/

Data Subjects, Controllers and Processors

The three terms above are used frequently in GDPR guidelines; we have outlined the differences between them below:

Data Subject: The person providing their personal data, e.g. a potential or existing customer

Data Controller: The business providing goods or services that will state how and why the user’s personal data will be used, and will ultimately be responsible for the storage and use of the data, e.g. the website owner

Data Processor: Any third-party supplier that handles the data on the controller's behalf, e.g. Liquidshop, newsletter, ERP and fulfilment systems

So, what’s changed?

Below is a breakdown of what has now changed in relation to handling data, and how these requirements can be met with Liquidshop.

Enhanced rights for customers

1. The right to be informed

Whatever your reason is for requesting a contact’s information, you will be required to tell them this reason, as well as details about how you will process and store this data. This applies to scenarios such as customer registration and the checkout.

Liquidshop v3

All forms on the site (customer registration, checkout, contact us etc) should at the very least, include a sentence or two detailing what the data submitted via the form will be used for. Customers making use of our One Step Checkout module can take advantage of field hints at the checkout, as shown below.

Liquidshop v2

All forms on the site (customer registration, checkout, contact us etc) should at the very least, include a sentence or two detailing what the data submitted via the form will be used for. In addition to this, some fields on the registration form, such as email and phone number, can support an additional comment to offer the customer further information.

2. The right to access

In addition to knowing the reasoning behind the data you request during signup, checkout etc, users who share their information with you will also have the right to access this data at any time.

Should someone request this data, you will have one month to provide them with a copy of this information, free of charge.

Liquidshop v3

All forms on the site (customer registration, checkout, contact us etc) should at the very least, include a sentence or two detailing what the data submitted via the form will be used for.

Customers making use of our One Step Checkout module can take advantage of field hints at the checkout, as shown below.

Liquidshop v2

Almost all customer-specific information is available within the Customers section of the admin area. There is no automated way to deliver this information to a customer, so this would have to be done manually.

Customer Questions are tied to a customer account if a customer is logged in when submitting a question. These can be retrieved from the Questions section of the admin area only.

Note: A customer may have several customer accounts on your website, especially if they make use of the ‘guest’ checkout facility.

3. The right to rectification

Your customers will need to be able to amend/update the information you hold on them at any point. If a customer makes this request to you, you will have one month to respond.

Most customer information can be updated by the customers themselves via the ‘My Account’ area (for a registered customer).

Liquidshop v3

Registered customers (not guest customers) will be able to log in and adjust their details. Guest customers will require you to update their details for them via the admin area.

Note: Customers are not able to delete their own account.

Liquidshop v2

Registered customers (not guest customers) will be able to log in and adjust their details. Guest customers will require you to update their details for them via the admin area.

Note: Customers are not able to delete their own account.

4. The right to erase/be forgotten or restrict

Users who share their information with you will also have the right to have their data erased from your system(s), or to have its use restricted.

Should someone request this, you will need to comply; see below for how to action this in Liquidshop.

Liquidshop v3

Within Liquidshop v3, you have the ability to delete a customer from within the customer account. This will unlink the account from any associated orders they may have placed.

Liquidshop v2

Customer accounts cannot be deleted on LSv2, because customer accounts are tied to orders.

If a customer wants their account deleted, the procedure would be to go into the customer record in the admin area and change the relevant details to something else, for example “CustomerDeleted 18/04/18” for the customer name.

5. The right to data portability

This right enables users to move, copy or transfer the personal data you hold on them within your system(s) to another service in a safe way.

Should someone request this data, you will need to comply with a suitable process.

Liquidshop v3

There is no automated way to deliver a customer their data; this would have to be done manually.

All customer-specific information (addresses, reviews, wishlists, orders) is held within the customer account.

Note: A customer may have several customer accounts on your website, especially if they make use of the ‘guest’ checkout facility.

Liquidshop v2

Almost all customer-specific information is available within the Customers section of the admin area. There is no automated way to deliver this information to a customer, so this would have to be done manually.

Customer Questions are tied to a customer account if a customer is logged in when submitting a question. These can be retrieved from the Questions section of the admin area only.

Note: A customer may have several customer accounts on your website, especially if they make use of the ‘guest’ checkout facility.

New regulations for obtaining consent

This is one of the clear-cut aspects of the GDPR: the changes to ‘opt-ins’/‘opt-outs’. To be clear, an opt-in is NOT the same as an opt-out. The regulations state that you must get clear consent to process the data. This means that users have to explicitly say ‘yes’ to sign up to marketing; it is not okay to assume they would say yes and simply give them the option to opt out.

Key points:

  1. Ensure that terms and conditions are separate from other consent requests, e.g. email subscription
  2. Review your methods for obtaining consent
  3. Ensure all opt ins are not ticked by default
  4. If you advertise your products through a third party platform such as Google Adwords and use customer website behavior to personalise campaigns, this must be specified to customers.

As an online seller, it is crucial that you’re not only aware of the GDPR’s regulations surrounding how you obtain, process and handle your customers’ data (whether potential or existing customers), but also that you’re acting on them ahead of May.

While you can read more about consent here, a few key things you need to comply with include the fact that:

1. Consent must be freely given, specific, informed and unambiguous

Any person sharing their personal data with you should have no doubt as to how their data will be handled and processed, and even why their data is necessary.

This means that when requesting consent, the wording should be clear, concise, easy to access and clearly distinguishable as a request for consent.

As mentioned in the ‘right to be informed’ section, a great way to do this is through the use of a ‘real-time privacy notice’, whereby the user is provided with an explanation of why and how their information will be used.

2. Individuals must actively opt-in

If you currently use pre-ticked opt-in boxes, whether that be for agreeing to terms and conditions, subscribing to your mailing list, agreeing for information to be shared with a third-party, or anything else for that matter, this is something that you will need to change promptly.

The simple reason for this is because under the GDPR’s regulations, ‘silence’ does not constitute consent. Instead, your customers will need to provide consent through a statement or clear affirmative action, i.e. by actively ticking an opt-in box themselves.

3. Consent must be separate from other Terms and Conditions, and it should not be a precondition of signing up to your service

Going forward, users must be able to accept your terms and conditions separately from providing consent. Making it a prerequisite that a user consents to subscribing to your newsletter or any other service, simply by accepting your T&Cs, will no longer be acceptable.

In order to comply with the GDPR, you will be required to provide users with a separate opt-in box/option for agreeing to your terms and conditions.

4. Allow users to consent separately for different services

You will no longer be able to use a single opt-in box for instances where data processing has multiple purposes. Instead, consent for different services will need to be ‘unbundled’.

If, for instance, you provide users with the option to consent to being contacted via multiple services – post, email, telephone, SMS etc. – you will need to ensure that they can consent to each separately.

5. You are required to name any third parties who will rely on the consent

Now this is incredibly important. As an online retailer, it is extremely likely that you share your customers’ personal data with numerous third parties: your CRM provider, email marketing software, inventory management system, eCommerce platform, payment processing provider, marketing agency, advertising services such as Google, and so on.

Under the GDPR, you will now be required to be explicitly clear as to who these third parties with access to your customers’ data are, with a further explanation of the reasoning behind this.

6. You must make it abundantly clear that your customers have the right to withdraw their consent at any time, while detailing how they can do this

With the right to erasure being a fundamental part of the GDPR, it is crucial that you know how to handle any requests.

7. You must make it as easy for customers to withdraw as it was for them to consent

Following on from the point above, the process a customer goes through to withdraw their consent, and ultimately to request erasure from your system, should be as straightforward as it was for them to consent in the first place.

This GDPR information has been provided as a guide and outlines many key areas. It is important to understand the GDPR in full, what it means for your business, and the processes and policies required to meet compliance. Although the GDPR sets a high standard for consent, it’s worth keeping in mind that it puts your customers in control, which can in turn build trust and help to enhance your brand’s reputation.

Data Breach Notifications

It should be made clear that your customers own their data. This essentially means that you must give these consumers the control not only to correct their own data so that it is accurate, but also to be the only ones who can provide and revoke consent for the use of this data.

In the event of a data breach, as the data controller you are required to inform your users. This should also be reported to the relevant supervisory authority within 72 hours of becoming aware of the breach.

Data Security

With the introduction of new regulations, it is worth reviewing your own security policies and processes for how you handle and store your customers’ data. As part of this review, we would suggest that you reset your users’ passwords across all of your systems, making sure that the new passwords are ‘strong’: a mix of upper- and lowercase characters, including special characters.

Other processes recommended for implementation are malware and anti-virus scanning; these should be run on a regular basis on all of the devices that connect to your systems.

Liquidshop version 3 users can also take advantage of other enhancements; please contact support for further details.