How to Ensure WooCommerce GDPR Compliance


Last updated - February 24, 2020

If you are a WooCommerce store owner, you must have heard of GDPR by now. It is the General Data Protection Regulation (GDPR) that is being enforced by the European Union. All store owners that sell to European markets and handle the data of European citizens need to comply with GDPR guidelines. 25th May 2018 is the deadline to make sure that your WooCommerce store follows all the data privacy guidelines specified in GDPR. This article intends to help you understand the nuances of WooCommerce GDPR compliance that you need to pay attention to as a store owner. After reading this article, you should have a clear idea of the various aspects of GDPR, as well as the important measures you need to take.

Note: The information in this article is only for general information. You may need to get professional legal advice for your specific business scenario.

The importance of GDPR

GDPR is enforced to make sure that users (specifically EU citizens) across the world have better control over the data that they share with businesses. A hefty fine is proposed to ensure that most businesses comply with this. The fine can go up to €20 million, or 4% of the annual turnover of a company in the previous financial year. The larger amount will be imposed as a penalty on those businesses that don’t comply with the guidelines.

Across the world, companies are taking these guidelines seriously. A survey conducted by PwC among US companies revealed that over 77% of companies are willing to pay over $1 million to ensure GDPR compliance. This is an important pointer that gives you an idea of how much global impact the matter has.

WooCommerce GDPR perspective

As a WooCommerce store owner, you may have to specifically address certain aspects related to your store. Each WordPress site has a different approach when it comes to collecting the data of its users. You need to do thorough research on the various aspects related to your site and devise a plan accordingly. Generally speaking, a WordPress site may collect user data through several means. These include user registrations, comments, analytics inputs, contact forms, security solutions, etc. A lot of the other plugins you are using might also be collecting information about users.

As a store owner, the most important aspect in WooCommerce GDPR compliance is to communicate effectively to the user about how you are collecting and using their data. For example, you may have to update your privacy policy to explain the various measures you have taken to ensure GDPR compliance. It is also important to get the consent of your users every time you collect any form of data from them.

Data Privacy is a rising concern for internet users all around the world.

GDPR Guidelines

Every site owner has to follow the GDPR guidelines, which include some of the points listed below:


You need to clearly communicate to your users the reasons for data collection, how long you are going to keep the data, who will have access to it, etc. This is important in making users understand the ways in which a business can use their data.


You also need to get informed consent from your users regarding any data that you are going to collect from them. It has to be the user's decision to provide consent for data collection. For example, enabling certain fields by default is not an advisable practice according to GDPR guidelines.

Right to access

Your users should have a right of access to their data at all times. In addition to being informed about the specific data points, their storage and processing, and the reason for collecting them, your users should also be able to get a copy of the data when they request it. This is a somewhat tricky aspect for WooCommerce store owners, as they might be using several third-party plugins and solutions that also need to adhere to these guidelines. It is the site owner’s responsibility to make sure all the tools that are collecting user data comply with the new regulations.

Right to withdraw consent

Users will have much better control over their data as per these guidelines. At all times, the user will have the right to revoke the consent given to a site to keep the data. If they want, users should also be able to delete their data from the site.

Data breach notification

Another important aspect of GDPR guidelines is the requirement to promptly inform the users about any data breach on your site. According to the guidelines, you need to inform users about a data breach within 72 hours after becoming aware of it. Using a good security plugin like Wordfence to monitor traffic and activity logs might be a good option in this regard.

Steps to take for WooCommerce GDPR Compliance

As a WooCommerce store owner, you have to take several steps to ensure your site complies with GDPR regulations. Some of these steps are listed below:

Update your privacy policy

You need to update the privacy policy on your site to ensure that your users are aware of all the steps you have taken to ensure GDPR compliance. Here, you also have to specify what information you collect from the users, and why you are collecting it. In addition, you have to let your users know how you are processing the data and who has access to it. Another important piece of information that you need to communicate to your users is the time period for which you will hold their information. You might have already seen privacy policy update notifications from many popular websites.

Ensure the user has given consent

You need to ensure that users agree to let you collect and store their personal information on your site. This can be achieved by actively taking consent for each specific piece of information that you request from a user. One aspect to focus on here is to make sure that you are not enabling automatic opt-ins. Each specific field that requests the consent of users should be kept disabled by default. You can collect personal information from users only if they actively choose to provide it to you.

Collect only relevant information

Many sites and business owners tend to collect and store information that is not really relevant to their business. This trend is going to stop with the introduction of GDPR. Basically, you will have to delete any information that you no longer use. And there is no need to collect any information that you think would be useful in the future. In fact, collecting less information will reduce the risk of data breaches.

Also, make sure that you are keeping only one version of the data. However, you may have to keep multiple copies when you store backups. You can keep up to four backups as a standard norm. Also, you will have to properly record the location where you are storing your backups so that it will be transparent to data audits.

Create a process for potential data breaches

There are several scenarios where the user’s data on your site will be compromised. One of the common cases will be a site hack where attackers can access your data. Apart from that, unauthorized access by data processors can also pose a problem. All the plugins, software, and other tools on your site that access your users’ data are called data processors. Sometimes you may pass access to your users’ personal information to processors that are not supposed to have it. This can also be considered a data breach. Similarly, passing personal information to a non-GDPR-compliant country is also considered a data breach.

The plugins and software that you use on your site can be data processors, and their access to the personal information of your site users may vary.

It is advised to have a clear process in place well in advance to deal with any sort of data breach. According to GDPR guidelines, you have to inform users about a data breach within 72 hours after you first came to know about it.

Create processes to handle when users request their data

With GDPR compliance, your users have much better control over their personal information. This includes requests to copy, port or delete the data, or sometimes withdrawal of previously given consent. You need to be equipped to handle all these requests without collecting additional data from users.

Also, note the GDPR guidelines are equally applicable to big and small businesses.


GDPR, or General Data Protection Regulation, is a set of regulations applicable to all websites and businesses that have European Union citizens as their users. In fact, it is an effort to ensure better data privacy all over the world. The basic aspects of GDPR guidelines can be summarized as follows:

  1. Inform your users about all the personal data you collect from them. You also need to communicate why you are collecting the data, who will have access to it, how long you are holding it on your site, etc.
  2. Get informed consent from your users before collecting information from them in any form.
  3. Collect data only when it is really relevant to your business. When you have less data, you can protect it more effectively.
  4. Create a process to provide users their data whenever they request access.
  5. Notify users promptly if there are any data breaches.

A WooCommerce store owner is considered a data controller according to GDPR guidelines. Even though different tools might have different approaches to data privacy, it is the store owner’s responsibility to ensure that all the plugins and tools follow the guidelines. The deadline for GDPR compliance is May 25, 2018, and it is time to focus on it if you have not already taken the required steps.