GDPR - Our guide to compliance 14 May 2018  |  Cate

On the 25th of May 2018 the EU's GDPR (General Data Protection Regulation) rules will become law and every single website and online shop must comply if they have visitors from inside the EU. This is because the regulations apply to all companies processing and holding the personal data of visitors residing in the EU, regardless of the company’s location.

What is GDPR?

The EU General Data Protection Regulation (GDPR) takes over from the previous Data Protection Directive 95/46/EC to unify data privacy laws throughout Europe. It will be put in place to protect and empower all EU citizens' privacy when it comes to collected personal data and will help to standardise the way organisations manage data privacy.

What is personal data?

Personal data can be any information relating to a person (known as the Data subject) that can identify them. This could be anything from a name, a photo, an email address, physical address, bank details, posts on social networking websites, medical information, or simply the IP address of their device.

What happens if I don't comply?

Fines for non-compliance of GDPR can vary from up to 4% of annual global turnover, depending on the gravity of the violation. However, the maximum is €20 Million for the most serious infringements, i.e. not having sufficient consent to process the visitor's data.

My website platform stores all my data, so why is it my responsibility?

The responsibility lies with both the business owner (known as the Data Controller) and the website platform (known as the Data Processor), and both can be fined accordingly. This is because it's not just about how it's stored, it is also about how it is obtained, how it's processed and how it is then used. For instance, it is the website platform's responsibility to make sure the data is stored securely and they have provided features to allow each website to be compliant when obtaining and processing data. It is then the business owner's responsibility to implement those features and make sure they're always kept up to date. It is also the responsibility of external systems connected to your site, such as payment processors, couriers and drop-shippers, to ensure their processes are compliant.

What happens if there's a data breach?

All data processed through the Bluepark platform is done so through our highly secure servers, which are located within RapidSwitch’s highly acclaimed and industry-leading data centre in Berkshire, UK. Rapidswitch provide world-class resilient infrastructure with multiple levels of security, including 24 hour monitoring, CCTV, and restricted access.

Should we ever experience a data breach, we will inform all affected customers immediately. As required, we will also inform the ICO (Information Commissioner's Office) within the specified 72 hours if it is likely that there will be a risk to people’s rights and freedoms. For instance, if personal data has been stolen or passed on to an unauthorised party.

As the Data Controller, it is your responsibility to make sure all passwords for accessing the website's admin panel, and all associated email accounts, are strong, secure and hard to guess, by using a combination of uppercase and lowercase letters, numbers and characters. These passwords should be changed regularly for additional security. If someone guesses your password and logs into your admin console or email accounts without your permission, then it is your responsibility to inform the ICO.

TIP: More information about data breaches and GDPR can be found on ICO's dedicated page.

Legal documents

Privacy policy

If don't already have a one on your website, you must provide visitors to your site with a clear and easy to read Privacy Policy. It must also be easy to find, and the simplest way to do this is by adding a link to it within the footer of your site. We also recommend adding the URL to the policy page in the HTML Privacy Policy (URL) field in Site > Configuration > Site Options, to enable it to appear within your cookie consent pop-up.

The policy must state what data is processed through your website and how it is stored, along with other important information that is specific to your company's handling of personal data. As this is a legal document, you may need to employ a solicitor to help write this with you.

TIP: For more information about creating a privacy policy, including the personal data that is processed through your online shop and the cookies it uses, please go to our dedicated article.

Terms & conditions

As with a Privacy Policy, if you don't already have a Terms & Conditions page, you must provide visitors to your site with a clear, concise and easy to read one. Within the checkout process, you can ask customers to agree to your Terms & Conditions via a tick box. This tick box is made available by simply adding the URL for your Terms & Conditions page to the Terms and conditions (URL) field in Site > Configuration > Order tab.

Terms & Conditions templates and generators are available online. However, as this is a legal document, and can be called upon in any related dispute, you may need to have it checked by a relevant solicitor before publishing it on your website. What may be suitable for one business may not be suitable for yours, so making sure you're covered from the start is vital.

TIP: A Terms & Conditions template for selling online can be obtained via Website Contracts

Consent

Under GDPR consent can no longer be implied or be obtained by pre-populated fields or tick boxes. Consent must be given by the customer taking an action, such as clicking a button, ticking a box or filling in fields with their relevant information. You cannot rely on a blanket consent, i.e. having one tick box to ask for consent for lots of different things, each one must be consented to individually. For instance, the customer must tick one box to agree to receive email newsletters from you and then tick another box to agree to your Terms & Conditions.

When consent is given for any reason, you must record who consented, when they consented, how they consented, and what they consented to. We have outlined how this will be done below for each process that happens on the Bluepark platform.

TIP: On or before the 25th of May, we highly recommend switching on the Require GDPR Compliant Consent option in Site > Configuration > Site Options. This will ensure all emails that are sent via the Bluepark platform are only sent to customers who allow contact and have their consent recorded in your website's database.

Email marketing

Consent for receiving email newsletters can be done in several ways on Bluepark and each one has been carefully considered in relation to GDPR. Consent can be obtained in three ways and each of these must be treated differently, so please make sure you read all of the relevant sections below for your website.

1. Via the small Allow Contact tick box within the New Account section and Checkout
2. Via a sign up form created in the Form Manager
3. Imported or simply typed into the Additional Recipients field in the Email Newsletter itself.

1. Consent via the Allow Contact tick box in New Account or Checkout

Allow Contact consent for new customers

Previously this tick box could be set to ticked by default, meaning that if the customer didn't notice, they would automatically be set to allow consent. As this is no longer allowed under GDPR, we have set it to unticked by default, so the customer must give consent if they want to receive email newsletters from you.

To cover the 'who and when', this is recorded within their user account within the User Manager. For the 'how and what they consented to', this is the text that is set out in the Account :: Allowcontact field in the Language Manager and can be viewed on the customer's account by hovering over the date stamp.

Once you are happy with the wording of the Allow Contact text in the Language Manager, we highly recommend leaving this as it is, because any major changes to this text will result in any consent given prior to the change becoming invalid for GDPR.

Allow Contact consent for current subscribers

Users who previously signed up to your email newsletters via this method will not have this data recorded within their account and therefore will not be compliant with GDPR. To rectify this you must contact these subscribers to ask if they consent to receiving your email newsletters. We have added a helpful feature into the Email Newsletter system to allow you to do this easily. We highly recommend that you don't ever delete the GDPR email you create within here to make sure you have a record of what they consented to.

How to send out your GDPR email:

• Go to this post on our forums - https://www.bluepark.co.uk/forums/showthread.php?amp;8487-GDPR-Resubscribe-Email-Template
• Highlight and copy the HTML code for the email template
• If you wish to do so, right click and save one of the email header images
• Create a new email within Marketing > Email Newsletters in your admin panel
• Click on the HTML button next to the Body field, click on Accept Changes and save
• Click on the Edit button next to the Body field to view the email
• Click on the broken image at the top to highlight it and upload the email header image to replace it
• Give your email a title
• Select Non-GDPR Compliant Users in the Recipients drop-down and save
• Now you're ready to send

Once this email has been sent, your users will be listed in two different groups within the Recipients drop-down. All Users will only include those who have responded to the GDPR email and/or have a date stamp within their User account. Non-GDPR Compliant Users will be those who haven't responded to the email, and therefore do not have a date stamp. Before the 25th May deadline, you are welcome to resend the email to these customers.

2. Consent via a sign up form created in the Form Manager

Subscribers obtained via this method are already GDPR compliant due to the fact that the date they subscribed is recorded alongside their subscription within the Subscriptions tab in the Form Editor. As above, we highly recommend that you do not make any major changes to any text that surrounds this form to make sure your subscribers have all subscribe to the same thing. For instance, if the wording says "Sign up to our email newsletter", don't change it to "Sign up to our email newsletter and receive promotions from third parties" at a later date because this will make any consent given no longer GDPR compliant. If you wish to change this, then please make sure you create a new form and place it within a new block or page and save the previous version for reference.

3. Contacts added to the Additional Recipients field in the Email Newsletter itself

As the account holder, you are stating that you have consent from the contacts you add to this field and therefore it is your responsibility to make sure these are GDPR compliant.

Third-Party email marketing

If you use a third party to send out email newsletters, such as MailChimp and Constant Contact, then it is your responsibility to make sure your contact list adheres to GDPR legislation and recommended practices.

Product reviews

Prior to GDPR, customers who had unticked the Allow Contact option still received product review emails. However, due to the new regulations, we have changed this accordingly, and if a customer doesn't allow contact then they will not receive product review requests via email. To truly make sure you are GDPR compliant, however, please make sure you tick the Require GDPR Compliant Consent box in Site > Configuration > Site Options. All Product Review emails and Follow Up emails will then only be sent to customers who have ticked to allow contact and have a date stamp on their User Account.

Third-Party reviews

If you use a third party to send out review request emails, such as Trustpilot and Reviews.co.uk, then the Bluepark system will check the GDPR status of the customer before sending the request to the third-party system. If the customer doesn't allow contact then it will not send the request.

Cookie Consent

Agreeing to the use of cookies on a website has been around for a few years now, but as ecommerce sites cannot work without cookies, implied consent was appropriate for such sites. However, under GDPR, this is no longer the case, particularly if you use cookies for collecting analytical data such as sales statistics. Consent must be given through a clear action, such as clicking on a button or ticking a box. As a result, we have created a simple and unobtrusive Cookie Consent pop-up feature available for all sites.

In Site > Configuration > Site Options tab, tick the option to Display Cookie Banner. Above this option there is a field to add a link to your Cookies Policy page and this link will appear on the banner for visitors to click on. If you do not have a separate Cookies Policy, then leave this field blank and the link will direct visitors to your Privacy Policy instead.

TIP: Please see our Creating a Privacy Policy post for details about which cookies the Bluepark platform uses.

Customers rights

The right to access

All customers who have created an account on your website can access the data you hold about them by logging into their account. It is important to make customers aware of this and can be included within your Privacy Policy. Information such as their IP address and the last time they logged in is not viewable here, but is stored within their user account within the admin console. They can request to see this at any time and you must provide them with this.

Customers who checkout using Guest Checkout will not be able to access their data via an account on your website. Therefore, you must provide details of the data you store for them within their order, if they request to see it.

The right to rectification

Customers with an account can change any information stored about them within the Personal Information section of their account. It is important to make customers aware of this and can be included within your Privacy Policy.

Data stored within a customer's order remains unchanged if they change their personal information within their account. This can be changed, upon request, for all customers even if they checked out as a Guest. Just click on the pencil icon next to their data in the Order Processor screen to make the changes.

The right to be forgotten

Under the new rules everyone has the right to be forgotten on websites. Subscribers to your email newsletters can click on the Unsubscribe link that is automatically added to all email newsletters with the Bluepark system. However, we would also recommend creating a form within the Form Manager, placing it on a page called The Right to be Forgotten, and linking to it from your privacy policy, to allow customers who have a user account to request to be forgotten. You will need to make sure their email address is requested in this form as this is the unique identifier for each customer.

When someone fills this form in, it is up to you, the shop owner, to find them within the User Manager and delete their account. Please be aware, their details will still remain on any orders they have placed due to VAT regulations. This is because VAT records must be kept for at least six years from the date of creation and, if they're not, you will be in breach of the VAT Act 1994 and HMRC Notice 700/21 October 2013.

Purging customer data

There has been a lot of confusion around deleting data collected prior to May 25th. There is no need to delete user accounts already stored within your website due to legitimate interests, i.e. customers wanting to return to purchase. However, you can delete User Accounts if you wish to and this can be done on an individual account basis or in bulk before a certain date via the Prune Users feature in the User Manager.

If you wish to just purge non-customers, i.e. someone who signed up for an account but has never made a purchase, then you can do so by using the same Prune Users feature, but just select Non-Customers.

Please take care when deleting users as these actions are permanent and irreversible.

Purging order data

For those of you who have been with Bluepark for a long time, there is an option within the Order Manager to delete all orders in bulk that are were placed more than six years ago.

Please take care when deleting orders as these actions are permanent and irreversible.

Controlling customer's privacy in admin and email accounts

In the Admin Manager, the Global admin user can set further permission restrictions in each admin user account to make sure customer's privacy is controlled. Admin user permissions can be set to disallow these admins from downloading customer and order data in bulk.

It is now possible to receive Order Notifications to admin email accounts with the customer's personal information removed to avoid storing this data within company email accounts. Just select Enabled, Strip Personal Information in the Order Notifications drop-down in Site > Configuration > Order tab.

Data processing agreement between Bluepark and yourselves

We are required to provide you with a written Data Processing Agreement (DPA), this is something that will be included as an Addendum within our Terms and Conditions that form the agreement between Bluepark and yourselves. We will send you a link to the updated documents as soon as they are live on the Bluepark site.

Helpful sites for more information relating to GDPR requirements

Information Commisioner's Office (ICO)
EU General Data Protection Regulation
The European Commission's Data Protection

Please Note: This guide is for information purposes only and should not be relied upon as legal advice. We highly recommend that you work with legal and other GDPR professionals to determine precisely how these new regulations may apply to your organisation.