You have probably heard by now about this acronym floating around: GDPR. You might even know what it is, or have a general idea of what is to come, which is great. If you've never heard of it, that's okay, we've got you covered.
If you're like me, when you first heard about it, you jumped on Google and went, "IS SHOPIFY HANDLING GDPR FOR ME?" My initial reaction was a twinge of fear and confusion, mixed with "how could they not let us know about this sooner?" and a pinch of "so now what?"
Welp, not to worry!
Shopify has been working on GDPR compliance for some time, and by combining what they have set up, my own research, and the work of beefing up my own website, I've put together a short-ish and sweet list for you on how to protect your piece of the Internet and your business from a (hefty) fine.
Ain't nobody got time for a €20 Million fine!
GDPR (General Data Protection Regulations)
If you're someone who has just heard of GDPR, we'll do a brief intro and move onto what you need to keep yourself and your business safe.
What is GDPR and who does it affect?
GDPR stands for General Data Protection Regulations, and is new legislation that changes the way businesses are able to collect and handle personal data from the European Economic Area (EEA).
The impact of these rules affects both European AND non-European businesses that collect personal data from users in the EEA.
What this means is that even if you're a U.S. based business, if there's even a .01% chance you could collect information and personal data (think an email opt-in to your newsletter) from any European resident, you must be compliant. We like to go the "better safe than sorry" route. Since we run eCommerce businesses, it's nearly impossible to exclude a country when we ask others to share their information with us, such as their email addresses.
As mentioned above, if you do not comply and are found to be improperly collecting personal data from users in the EEA, you could face up to a €20 Million fine or 4% of your annual revenue. So... let's move on to how to comply, shall we?
Steps for Getting Compliant
What has Shopify done to protect its Merchants already?
1) They've created a really handy whitepaper that goes over everything you need to know about GDPR, what Shopify has done, and what their role is in your compliance. It's a long read, but it's chock-full of great information that you must know as a user of Shopify. You can find it in full here.
If you don't want to get your read on right now, the basics of it are:
In Canada - "Data collected within Shopify is protected under PIPEDA, Canada's private sector privacy legislation, which is considered adequate under GDPR."*
In the USA - "Data collected within Shopify uses a combination of data centres and cloud based service providers to store personal data (for both the USA and Canada).
Personal data when transferred to the United States, is either done so through the EU-U.S. and Swiss-U.S. Privacy Shield, for Shopify’s own storage, or through contractual data protection addenda (DPAs) with third-party service providers. The EU-U.S. and Swiss-U.S. Privacy Shields are also considered adequate under the GDPR. Shopify’s Privacy Shield certification statement can be found on PrivacyShield.gov."*
2) If a Buyer asks that you erase their data, under certain circumstances you are required to first:
- Verify that the requester is the same as the data subject (that is, the requester is not asking to erase someone else’s personal data).
- Confirm there is no legal reason to preserve this data.
In addition to contacting Shopify, the merchant should also work with any relevant third parties to make sure that they delete or anonymise the personal data of the requestor.
(There are instances where data cannot be deleted immediately, in full, or at all. Please read the Whitepaper under Erasure for more information.)
3) Shopify has implemented many of the controls and processes identified in the GDPR, including:
- Anonymising and encrypting personal data.
- Ensuring confidentiality, integrity, availability, and resilience of processing systems.
- Restricting who may access personal data.
- Ensuring availability and access to personal data in the event of a physical or technical incident.
- Performing regular testing, assessments, and evaluation of technical and organisational security measures.
4) Shopify has a designated Data Protection Officer, who works across many levels of Shopify to ensure not only that they are GDPR compliant, but that Shopify, their merchants (you), and your customers can safely transact using the platform.
Shopify creates personal data logs which are stored locally and then on backup servers to protect both merchants and buyers.
Now that we know what Shopify is doing, let's look at what you need to do to get your website compliant.
Update your opt-in forms: Whether these are on your website as a newsletter sign-up or as an opt-in for freebies on Facebook, you must now include explicit information on how that data will be used.
- It's no longer possible to use a lead magnet or deliverable in exchange for an email and then auto-enroll someone in your email marketing list. They must know specifically that they will receive the deliverable and be added to your email list.
Obtain active consent: You need to obtain active consent before collecting data from users. To do this, you can choose one of the following options:
- A double opt-in for your email list. (Available on MailChimp. Click Lists > Settings > List Names and Defaults > Double Opt-in for each list. You'll also see a checkbox for Enable GDPR Fields. Hint: click that one too!)
- A checkbox (not pre-checked) confirming that they agree to receive future marketing contact from you (along with any immediate deliverable you're sending them, if applicable). Shopify has you covered for this; it's an automatic setting you don't need to worry about.
- A clear explanation that by opting in to the form they will be added to your marketing list. You may want to consider adding this information to your built-in Newsletter. You may have something like "Join our Newsletter for the latest news and receive 10% off your first order!" and want to change this to include more GDPR-y info.
Find this under Online Store > Actions > Edit Languages > Filter by Newsletter > and edit where you want this information to appear. Be clear and concise.
- Confirm consent with your existing list: Sadly, this regulation still applies to emails collected before the "effective" date. So, although you may have collected 5000 emails prior to May 25th, you will want to be sure you have your list members' confirmation and provide the opportunity to opt out. It's only necessary to confirm consent with existing email subscribers from the EU or UK areas. If you don't have a reliable way to decipher this, your best bet is to confirm with your whole list.
Assess your vendors for GDPR compliance: Your company can be held responsible if you share data with any non-compliant vendors (i.e. your email automation provider, non-compliant apps, etc.), so make sure to check in with all your sources to confirm compliance, if applicable. Shopify is working on ensuring all apps in their app store are compliant, but as the business owner it is ultimately up to you to ensure that they comply with GDPR.
What you need to ask yourself:
- Make a list of third-party apps or themes, and find out if they are compliant.
- Do you need to appoint a Data Protection Officer?
- Do you need to start conducting documented Data Protection Impact Assessments?
- Do you need consent from your customers to process data, and do you need to change how you obtain consent to comply with GDPR’s higher consent requirements?
- Will you be able to comply with the rights provided to your customers and users in GDPR, including the rights to access, correct, erase, and export their data? With Shopify, the answer is yes!
However, keep in mind that being a Merchant on Shopify doesn't mean you're automatically protected. Shopify will comply with GDPR; however, it's the responsibility of each Merchant to ensure that their business is compliant with the new laws.
We hope this helps with the questions you have about Shopify specifically in regards to GDPR!
BIG DISCLAIMER: I am not a lawyer, nor do I claim to have a complete knowledge of all the nuances of the GDPR. This blog post is meant to help Shopify Merchants still struggling with GDPR compliance protect their business, but is in no way a substitute for legal advice. We advise speaking with a lawyer fully educated in the GDPR.