The General Data Protection Regulation (GDPR) came into force in May 2018. It’s one of the world’s most stringent set of data protection rules and relates specifically to the personal data of people who reside in the E.U.
Any organization that collects, stores and processes the personal data of any E.U. citizens must abide by GDPR rules. That said, the GDPR affects your Shopify store if you have E.U. based customers or subscribers.
GDPR and personal data
Any information that can identify a person is classed as personal data. Broadly speaking, that includes a person’s name, address, email address, phone number, date of birth, usernames, IP address and more. It also includes sensitive data, such as medical history and religious beliefs.
As a Shopify store owner, the type of data you’re likely to collect are contact details so you can process orders and carry out marketing activity.
GDPR data controllers and processors
Under the GDPR there are two ‘roles’ that people who handle personal data fall into; data controllers and data processors.
Controllers exercise overall control over the purposes and methods of processing personal data. Data processors follow instructions on how data should be processed, or are told what data to collect.
Each role reflects other criteria too, but to make things simple for this article, you are the data controller for your Shopify business, as you decide what personal data needs to be collected and how. Firepush is the data processor.
Seven GDPR key principles
The GDPR sets out a number of principles that should be central to your approach to the processing of personal data. They are:
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimization
- Storage limitation
- Integrity and confidentiality (security)
When collecting, storing and processing personal data, you need to comply with these principles. You can read all about the principles here, but as an example, we’ll cover the third one – data minimization. This is all about making sure you’re only collecting the data needed for specific purposes. As an example, if you don’t need to capture a person’s date of birth in order to process their order, then you shouldn’t.
Lawful bases for processing
The GDPR states that you must have a lawful basis for processing personal data before you begin to process it. There are six lawful bases to choose from, and this is where it can get confusing.
You’ll need to check all the lawful bases for yourself to see which ones apply to you and the data you’re intending to capture and process. For many Shopify stores, the lawful bases of ‘contract’ and ‘consent’ are likely to apply – the latter is often relied upon for marketing communications.
Getting consent for marketing purposes
When getting consent, you must do so in the right way. The GDPR explains that this must take the form of a positive opt-in and to avoid pre-selected opt-in boxes or other types of default consent.
You must be clear on what your subscriber is signing up to, so use clear language that’s easy to understand.
For example, let’s say that you want to encourage email signups to your newsletter. Rather than having a sentence that reads, “Sign up to our newsletter” alongside your opt-in box, it’s best to explain exactly what your subscribers will receive from you. So this might be better: “Sign up to our weekly newsletter for product discounts, tutorials and all the latest happenings in store!”
You must also allow subscribers to give their consent freely, by not making consent a precondition of service. E.g., you can’t have a statement at checkout that says, “To continue with your purchase, you must subscribe to our newsletter.”
As well as providing the option to give consent easily, you must also provide a way for consent to be withdrawn just as easily. For email and SMS marketing, this can be as simple as a prominent unsubscribe link.
At Firepush, we can help you meet some of your GDPR obligations, particularly in relation to consent. We require all our clients to obtain consent for marketing purposes, not just because of the GDPR, but also because of TCPA legislation and CITA rules too.
Data access rights
E.U. citizens have a right to access their data at any time so that it can be checked, amended, or deleted. You need to ensure that if you get a request like this, you can pull up, change or remove all the records you hold on a particular person – or offer a way for subscribers/customers to check their data themselves.
What happens if you breach GDPR rules?
If you breach GDPR rules for any reason, you must notify the relevant supervisory authority within 72 hours. In the UK, that’s the Information Commissioner’s Office. You must also inform any individuals if any of their data has been compromised if the breach is highly likely to affect their rights and freedoms.
Breaches might include data loss or theft, but also the mismanagement of personal data. The penalties for GDPR violations can be severe. A business found in breach can be fined up to €20 million or 4% of its annual turnover.
GDPR best practices for Shopify stores
This article provides a snippet of what the GDPR is all about. The full legislation consists of 99 articles! It’s important that you do a bit of research yourself to understand your obligations when it comes to processing the personal data of your E.U. customers and subscribers.
As a starting point, follow these best practices when sending out marketing campaigns with Firepush:
- Capture explicit consent: you can do this on your checkout page – see this example and follow these steps, or set up a Firepush GDPR-friendly popup form. Use positive opt-ins only (no preselected checkboxes).
- Tell subscribers what to expect: be clear in the language you use during signup.
- Use unsubscribe links: do this for both your SMS and email campaigns.
- Minimize the data being collected: only capture the personal data you need for the purpose of your marketing campaigns.
- Get separate consent for new communications: someone who has signed up to your store’s newsletter may not want to know about a new store you’re setting up.
This article originally appeared in the FirePush blog and has been published here with permission.