The General Data Protection Regulation (GDPR) will go into effect on May 25, 2018. Many people might see this as an unnecessary burden to their already busy lives, but if you are already using common sense and are careful with data, you are most probably already following GDPR directives. How GDPR will affect your website or online store and how you can make sure you follow all new guidelines can be found later in this article. If you are thinking about creating an online store, read our step by step guide.
Who is affected by GDPR?
GDPR affects every owner of a website or online store that collects information and data about their visitors. This information can be: first and last names, telephone numbers or email addresses. If you send blog updates, newsletters or other offers to your customers, you automatically become the Data Controller of your website and will need consent from your visitors to process their information. Also, you will have to be able to provide consents if asked at a later date.
When do I not need consent?
In some cases, visitor consent to the processing of their data is clearly given, meaning that you do not have to request consent again.
Consent is not necessary if:
- The data was collected when filling out a contract (i.e. name and address in order to deliver goods).
- The data was collected due to legal obligations (i.e. personal information needed to complete an invoice).
- The form on your website is used for a particular request by the visitor.
If you would like to use the collected data (email address, etc.) to send anything related to your business, you will need consent from the visitor.
What needs to be included in the consent?
Consent must be active and voluntary. This could be in the form of a checkbox that your visitor must check. Some businesses previously received consent as part of the order confirmation. The customer was forced to accept newsletters or could not complete their order. This is not compliant with the new GDPR law.
When asking for consent, you must clearly state what the information and data will be used for, how long you will use it and how the visitor can rescind their consent.
Be sure to collect consents in a separate document or on a special page within your website. Consents can no longer be given as part of your Terms and Conditions.
Be sure that your websites include all elements that are stated in Article 13 of the GDPR law. More information about what is needed in your consent can be found at www.ico.org.uk.
What about security?
Once you become the data controller, you become responsible for any unauthorized access to the data. You need to treat your visitors’ data with the same care that you give your own. You would not want to have your credit card number slapped on a park bench, sent by email or stored on a public computer.
If the data collected on your site is processed by a third party, such as an accountant who issues invoices, you will have to have a processing contract between you and the third party.
The contract can also include cloud-based storage and servers that store the information and data online. Please be sure to find out if you will require a contract with the third party in this situation. More information can be found in the FAQ in the 2nd-half of this article.
What do you have to keep in mind before the law goes into effect?
The basic goal of GDPR is to minimize the amount of stored personal data. What information do you actually require about your visitors or customers? Do you have anything extra? Get rid of it. If you need the data, be sure to get consent to process this data.
Any worries you might have about the impending start of this law is unnecessary. Owners of online stores and websites that have used common sense to this point will probably not have any issues providing how they received information about their visitors. For others, GDPR presents an opportunity to clean up and make your data collection more efficient allowing you to use the data more to your advantage within the law.
Frequently Asked Questions
Getting ready for GDPR to go into effect can be seen everywhere these days. Below are many of the questions that we see the most from Webnode users.
Will collecting information about visitors and customers on my site be illegal?
No. GDPR improves and affirms current security systems, attempts to solve issues of incorrect information and to give people more insight into how their personal information is handled. The collection of personal data will only be illegal if the data is collected for no specific reason.
What is legitimate interest?
Legitimate interest can be understood as the information needed for the completion of a contract or legal obligation such as for the delivery of goods or issuing invoices.
If the data is collected for other purposes, such as sending newsletters or offers, you will need to receive consent from the individual.
Am I responsible for managing data when I have made my website using Webnode?
Yes. If you collect information about your visitors on your website, you are responsible for the privacy of that information.
Do I need consent in order to send newsletters?
If a form on your website collects information about your visitors where it is clearly and unambiguously stated that the information collected is for a single purpose, such as the sending of newsletters, then no further consent is needed. However, be sure to include what information you collect, how you keep it, who processes it and what rights the user has somewhere on your website. If you collect information on your site that does not clearly state what the information is going to be used for, consent will be necessary.
Also, be aware of what is written in your newsletters. You will need to include an option for your recipients to unsubscribe because this will be mandatory. Also, your visitors can only receive newsletters about the goods they are interested in on your site. If you offer more categories of products or information, you will have to be sure each of your users receives the correct information.
Do I need to have a processing contract with Webnode?
Is Webnode and the Webnode website maker in compliance with GDPR?
It is extremely important to be fully aware of all of the data that you use. If you sell data to a third party, or if you use data for other purposes than what your visitor gave consent for, then you have broken GDPR laws. However, if you are secure and careful with data, you are most likely in accordance with GDPR.
Where does Webnode store its data?
All Webnode traffic and development takes place within EU borders. Therefore, all data is stored on servers within the EU.
We hope that this article will help assuage some of your fears and concerns before the new law goes into effect. However, we also know that we couldn’t cover everything. If you have a question that we did not cover in this article, please refer to your local GDPR experts.