GDPR TL;DR (Too Long; Didn't Read)
There's a lot of talk lately of the new EU GDPR rules that come in to force in May 2018, and we've been asked by several clients for advice.
The GDPR rules are well-intentioned and are there to protect the consumer - I get far too much spam and would love to see this reduced, but the rules are very high-level and can be quite vague which makes compliance especially difficult for the small business without their own legal team.
Unfortunately (or fortunately as the case may be!) Antropy is a web agency, not a law firm, and we aren't able to give legal advice but I have tried to simplify some of the guidelines in simple language below and mentioned a few areas where it may affect OpenCart store owners at the end.
The original 12 (somewhat unclear) guidelines come from the ICO who are in charge of enforcing the rules and they can be found here:
https://ico.org.uk/media/1624219/preparing-for-the-gdpr-12-steps.pdf
So, what exactly do you have to do:
- Email the main people in your company telling them there are new data protection laws coming in to force from 25th May 2018 called the GDPR (General Data Protection Regulation).
- Document what personal data you hold, where it came from and who you share it with. If you have inaccurate personal data and have shared this with another organisation, you will have to tell the other organisation about the inaccuracy so it can correct its own records. GDPR requires organisations to be able to show how they comply with the data protection principles by having written processes and procedures.
- If you store personal data you will need to add to your Privacy Policy explaining your lawful basis for processing the personal data and your data retention periods.
- Individuals must be able to control their own data by being able to access it, change it and have it removed at no cost.
- This seems to be a duplicate of 4.
- This seems to be a duplicate of 3.
- If you want to contact people or use their data, they have to actively opt-in rather than not opt-out.
- If children use your website, you will need their parents' permission to store their data.
- You should monitor your computers and websites for data breaches and notify the ICO as soon as you know there has been one.
- Your systems must be designed to be secure from the ground up - no more emailing credit card details as some people used to do!
- You should designate someone to take responsibility for data protection compliance.
- If your organisation operates in more than one EU member state, you should determine your lead data protection supervisory authority (where your HQ is) and document this. In the UK this is the ICO.
In a nutshell: take extra care of any personal data you keep, the end user has control of their data, don't spam people, make sure your employees and customers know about GDPR, appoint someone to be responsible for personal data, make sure your systems and processes refer to GDPR and are secure.
Does everything have to be encrypted?
The above linked document doesn't mention encryption but more detailed documents on GDPR do and they go as far as to say that personal data should be encrypted and the key to the encryption not stored with the data. While OpenCart only stores encrypted passwords, it would not be possible for OpenCart (or indeed pretty much any other website) to work if data had to be encrypted and the key not used. So it's probably safe to ignore that one until further guidance appears.
Specifics for OpenCart
- In the checkout, make sure you don't automatically subscribe people to your newsletter.
- Mention GDPR in your Privacy Policy.
- Delete customers if they ask you to, unless you have a lawful reason to keep their data such as to maintain legal accounting records.
- Make sure your webhost has anti-malware software running and regularly check your website for malware with something like Sucuri. Notify the ICO (if you have a UK HQ only) if you find anything by clicking here.
- Use SSL.
Final Thoughts
Again, I'm not qualified to give legal advice and the above is offered without any guarantees, but hopefully it may be helpful as a starting point.
The GDPR does seem like a bit of a pain for the small business because it's not very specific and requires interpretation to translate it in to specific steps and these are somewhat subjective.
However, I think it's very unlikely that the ICO would punish any business that has made a genuine effort to comply.
What do you think of the GDPR? Is anything still unclear? Let us know in the comments!
blog comments powered by Disqus