GDPR and your online business

The GDPR affects any business that processes or stores data of an individual resident of a member country of the European Economic Area or Switzerland.

The guidance below lists some of the ways in which your business might be affected by the GDPR. It is not an exhaustive list and should not be considered as one. It does not constitute legal advice. All businesses are advised to contact a legal professional to seek guidance and assistance in relation to their obligations under the GDPR.

The GDPR affects different businesses in different ways. No one business is the same.

For further guidance we'd recommend consulting the following external guidance:

• The European Union has published information about The GDPR on a website available at https://www.eugdpr.org.

• The Office of the Information Commissioner (the UK body responsible for Data Protection) also has guidance available on their website.


Collection of personal data

The GDPR applies to personal data which covers a range of data points.

For example, names, addresses, email addresses, social media account details, telephone or fax numbers, date of birth, social security/national insurance number.

Personal data can also include a digital identifier where it can be linked to an individual such as an IP address, a cookie ID or a customer reference.

The GDPR protects the rights of individuals within the EU in relation to the processing of personal data, which includes the collection and storage of that data.

The guidance we publish only relates to the collection, storage and processing of personal data in so far as it is done specifically on the ShopWired platform. It does not cover you if your website uses any third-party apps or any externally designed/coded themes or externally provided tools (such as Google Analytics).


Privacy policy

Most online businesses are familiar with providing a Privacy Policy or notice on their website which covers collection and storage of personal information.

The GDPR includes specific information that must be provided to individuals whose data you are processing.

You should ensure your privacy policy includes all of the information that you are required to provide under the GDPR.


A Data Protection Officer (DPO)

All businesses are advised to appoint a DPO to oversee how the business collects, stores and processes personal data.

The GDPR includes specific tasks that a DPO needs to conduct, or oversee, such as conducting a Data Protection Impact Assessment (DPIA) whenever your organisation changes the way that it collects and processes personal data.

Whilst it might not always be a requirement for you to appoint a DPO, our recommendation is that you should appoint one anyway (even if this is yourself).


Obtaining customer consent

The GDPR places specific obligations on businesses surrounding obtaining consent from users to collect and store their personal data.

It also has specific requirements about how that consent is obtained.

Consent has to be freely given, specific, informed and unambiguous.

Individuals have to actively give consent, i.e. not opting out is not sufficient. Customers need to be given detailed information about the ways in which you will use their information.

You might like to consider the following questions about your processing of your customers data. Other questions might be pertinent to your business too.

• Are you providing your customers with enough information about the way in which you collect, store and use their data?
• Are your customers actively giving you consent to collect, store and use their data?
• Are you recording the fact that customers have given active consent?

If you process the data of residents that are under 16 years of age (or even lower for certain countries) you may need to obtain parental consent.

Our advice would be to ensure that you obtain parental consent when collecting, storing or using the data of any resident of the EU that is under 18 years of age.


Data requests

The GDPR expands on existing legislation that covers an individual's right to access and control the personal data that you have about them.

You should review your own internal policies about how you respond to requests from individuals in relation to data you have about them.

In certain circumstances, individuals can request a copy of their data. Where requested, the data that you provide to your customers must be in an easily readable and portable format so they can use that data with a different service provider.

We're currently working on a way where you can download all of the data about a specific individual from a page within your ShopWired account.

If you hold other data about the customer, away from the ShopWired platform, you need to consider how you will join the data together so it can be presented to the customer that makes the request in a portable format.


Data erasure

The GDPR gives individuals the right to ask that any personal data you hold about them be permanently and irrecoverably erased. This right only applies in certain circumstances explained in more detail here.

We're currently working on a way where you can permanently delete all the data about a specific individual from a page within your ShopWired account.

If you've been collecting personal data on other systems then you'll need to consider how you can permanently erase that data on request.


Data breach

The GDPR introduces a duty on all organisations to report certain types of data breaches to the relevant supervisory authority.

In certain circumstances, the organisation will also have a duty to report the breach to the individual(s) affected.

A breach is more than just the loss of data, it also includes destruction, alteration, unauthorised access or disclosure of personal data.

If there is a breach of personal data on our platform we will notify the relevant regulatory authority within the regulatory requirement of 72 hours after we first become aware of it.

If the data of your customers is, or might have been, affected, we will notify you within 48 hours. The GDPR will likely also place a legal requirement on you to also report the breach. We will provide you with the necessary details in order for you to report the breach within your own 72 hour time limit.

The GDPR allows for organisations to provide information to the supervisory authority in stages, where necessary (a full investigation of the breach can take some time). As we make our own updates we will notify you.

More information about data breaches, and your obligations, can be found here.

You should familiarise yourself with these requirements now and implement a process for dealing with a data breach that originates from our platform and also your other systems on which you store or process personal data.