Getting Ready for GDPR Security Requirements
An important new online security compliance deadline is coming up—the GDPR (General Data Protection Regulation). The FirstTracks Marketing development team has been researching GDPR security requirements to make it easy for you to understand what all this means for your e-commerce operation. It boils down to protecting the data you have, reporting a data breach if it occurs, not holding the data longer than needed, and removing the data when such a removal is requested. Here are the key elements you need to be concerned with for GDPR compliance:
Protecting the data you have.
As an e-commerce business, you obviously collect user data such as name, email, phone, address, credit card info, and possibly more. Most of this user data is stored in WordPress. But other companies you work with, such as your fulfillment company and your analytics providers, also store your users’ data on your behalf. For example, most of our clients use Google Analytics, which does a good job protecting and providing proper treatment of user data. However your fulfillment company and other analytics companies may not. You should contact them and find out how they treat your customer’s data. The GPDR mandates that you appoint a data protection officer (DPO) who keeps track of user data related to these requirements. This needs to be someone who is cognizant of what data are stored and where, and who can respond to inquiries about GPDR compliance. One of the biggest steps the DPO can take is to make sure that all passwords are secure. The DPO can also look in to security plugins for WordPress, since that’s where the bulk of your user data is likely stored. Let us know if you want our advice on WordPress security services.
Reporting a data breach if it occurs.
If your site is hacked, or if any of the other companies that store data on your behalf are hacked, you need to notify the affected customers that their data may have/has been breached within 72 hours of finding out. You also need to notify the National Data Protection Authority in the country your business is based in. For the U.S., this is the Federal Trade Commission (FTC). Depending on how or why the breach happened, you may face penalties. Legal advice is in order here, and is well beyond the scope of what we can help you with. Consult a lawyer.
Not holding the data longer than needed.
For the most part, this isn’t a huge factor. Your customers have entrusted you with their data to make purchases. You do need to hold on to their data because they “asked” you to. You use their data in order to provide your customers access to their accounts to log in and make and retrieve purchases. That is, unless…
Removing data when removal is requested.
This is also known as “the right to be forgotten.” If customers inform you that they no longer want you to store their data, you must comply and remove all their data from your systems in a timely manner. This is unlikely to happen very often, but when it does, you need to:
- Remove their data from WordPress and WooCommerce. You can find a customer by going to Users in the WordPress admin, searching for the name or email, and deleting the user.
- You also need to remove customer data from the order data on any orders that were made. Again, search the WooCommerce orders panel for the name or email and edit any orders that are found to remove the personal data.
- Remove the data from your analytics and fulfillment providers. Again, Google Analytics has good tools for this. For other companies, you’ll need to research that and find out.
- Remove the customer data from your payment processor’s systems. For regular payment providers like Authorize.net or Stripe, you should probably contact them to find out what the best approach is. Not surprisingly, those processors need to keep at least some information in case you need to issue a refund or the like. For PayPal, or any other payment provider wherein your customer likely has a dedicated account with them, they are responsible for that data.
I am not based in EU—does GDPR even matter to me?
It’s easy to think of the GDPR as just a European issue. To some degree that may be true; US-based businesses are unlikely to face serious penalties for running afoul of this law. However, you should still work on complying with these regulations for several reasons:
- Even if you don’t handle purchases from EU citizens, you may at some point. These customers expect the protections afforded them under the GDPR.
- You may still face liability from the FTC if you experience a serious security breach, either under the GDPR or other US laws. You also may face liability from your customers, who expect you to protect their data. Which leads to…
- It’s the right thing to do. These steps are fairly reasonable to take to protect the data of your customers who are trusting you. Further, it is well worth the time of any business to know whose data they have, what kind of data they have, when they acquired it or expect to release it, and where it’s stored.
Those are the basics of GDPR security.
Hopefully this information gives you a general framework of what to expect and consider regarding new GDPR data protection laws. For more detailed advice, we recommend doing more research yourself and consulting with a legal expert with knowledge of data protection practices.