11 steps to get your store GDPR compliant

The hype around GDPR has changed how businesses work. Especially for digital marketing systems and ecommerce businesses, there are things to be done by 25th May. We’ve put together a list of actual things you need to do. Vibetrace helps you with everything related to our marketing automation system, but some of them you need to implement yourself. To achieve full compliance by this year’s deadline, ecommerce businesses will need to:
  1. Tell the user about your business, what data you collect, why you collect the data, and how long you plan to retain it
  2. Tell them which third parties receive it (if any)
  3. Get a clear consent before collecting any data
  4. Let users access, download, update and delete their data
  5. Let users know if a data breach has occurred
Turning all this into plain English, so everyone understands, these are the tasks you need to implement:
  • Terms & Conditions (Checkout page)
  • Privacy Policy (Checkout page)
  • User Account registration (My Account page)
  • Cart Abandonment (Checkout page)
  • Product reviews/Product Questions or Comments (Single Product page)
  • Opt-in forms (Newsletter, Lead magnets, etc.)
  • Contact forms (Contact Us page, widgets, etc.)
  • Analytics (Google Analytics, screen tracking, etc.)
  • Third parties services (Payments, Email marketing, Remarketing, Retargeting, Push Notifications, LiveChat etc.)
  • Breach notifications

Vibetrace 11 steps for GDPR compliance

We’ve put together this list of things you need to consider (and implement) to be GDPR compliant.  

Step 1. Terms & Conditions

Terms and Conditions represent the legal terms and rules that form the relationship between the customer and your business. Needless to say, if you do not have a Terms & Conditions page, you need to create one (search Google for a Terms & Conditions generator). Also, on the checkout page add a checkbox that users must click (it cannot be “checked” by default). Changes that need to be made to the Terms and Conditions, your TO-DO List:
  • Create a T&C page if you don’t have one
  • Add a paragraph with a link to your revised Privacy Policy
  • Make sure there is a checkbox linking to it on the Checkout page, unchecked by default

Step 2. Privacy Policy

The Privacy Policy is there to inform the user about the data you gather, how it is stored and how you use it. The biggest changes will be made here, in the Privacy Policy, as well as linking to it everywhere. If you can’t afford legal expenses and you do not require a DPO (Data Protection Officer), our suggestion is to take a look at reliable ecommerce websites and copy their Privacy Policy. In any case, you will need to cover the following:
  • who you are (company, address, etc)
  • what data you collect (IP addresses, name, email, phone, address, etc)
  • reasons for collecting the data (invoicing, tracking, email communication, marketing etc)
  • for how long you retain it (e.g. you keep invoices for 5 years for accounting purposes, you keep email addresses for 1 year)
  • which third parties receive it (MailChimp, Google, Vibetrace, etc)
  • how to download data (either automatically or by emailing the Data Protection Officer, or contacting you)
  • how to delete data (either automatically or by emailing the Data Protection Officer, or contacting you)
  • how to get in touch with you for data-related issues (the contact details of the assigned Data Protection Officer, or probably you)
After you have all this information in a Privacy Policy page, you need to link to it on every page of the website (a footer link will do). On top of adding links to it, you need to have checkboxes on any opt-ins: user account registration, email popup collector, checkout forms (do not pre-select that checkbox by default). On the checkout page, where you already have a checkbox for the Terms & Conditions, you will need a similar one linking to the Privacy Policy. TO-DO List:
  • Create a Privacy Policy page (if you do not have one)
  • Add the who/what/how/why/when details to the Privacy Policy
  • Display link to Privacy Policy in the footer on every page
  • Display Privacy Policy checkbox on the checkout page

Step 3. User account registration

If your site requires user registration in order to make a purchase (or simply to register on the website), you will also need to have a checkbox near the form. Also, do not ask for more information than you require: make sure you need all the data, or remove the input fields. TO-DO List:
  • Make sure you really need all the personal data you ask for
  • If yes, add a Privacy Policy checkbox (unchecked by default, yes) to the registration form

Step 4. Abandoned cart & checkout

This is more in the marketing field, but it’s very, very important, because most cart and checkout recovery solutions collect emails without consent. You won’t be able to email that user if he didn’t agree to opt in: this is against the GDPR rules, which require explicit consent (i.e. ticking a box). In order to do it right, you’ll need a checkbox right next to the input field for the email address. An alternative is to reveal the checkout form fields gradually, so you first ask for the email address together with the consent checkbox, and then display the rest. Another alternative, but a terrible idea, is to disable all guest checkouts, so people need to register an account (where they agree to your Privacy Policy by clicking the checkbox). TO-DO list:
  • Make sure you do not run abandoned cart & checkout recovery emails without having explicit consent for them.

Step 5. Product Reviews, Product Questions or Comments

Many of our customers use past-purchase emails to get reviews of their orders and products, and of course reviews might contain personal data (email/name/city). A good solution for consent on product review forms is to have the same checkbox near the form, unchecked by default, which the user must tick before submitting the review. Another alternative is to allow reviews only from logged-in users. The same rules apply to comment forms. TO-DO list:
  • make sure your review forms include consent for the personal data you ask.
  • allow reviews only from logged-in users.

Step 6. Opt-in forms (Email collector, Lead Magnets)

Opt-in forms help you build your subscriber database, with some amazing results. These forms all collect personal information, so you need to comply with the GDPR rules. First of all, you must remove all automatic opt-ins on your site. All checkboxes must be unchecked by default (a checkbox that is “checked” by default cannot imply acceptance). Besides that, if you use a third-party service to acquire these emails, make sure it is GDPR compliant. We, at Vibetrace, provide you with GDPR-compliant forms. Make sure you update your forms before 25th May, or we’ll do it for you automatically. So, in order to continue using those data collector forms, users must:
  • give explicit consent
  • give you only required information. Do not ask for more data than you need, just because you think it will be useful in the future
  • know how they can delete/update/access their information
TO-DO List:
  • audit all your opt-in forms and only keep those that comply with the rules
  • if you use a third-party solution provider, make sure it’s GDPR compliant
  • display Privacy Policy consent checkboxes 

Step 7. Contact forms

All contact forms need to be GDPR compliant. Also, you must not use personal information from those forms to add subscribers to your marketing database. These forms will also require explicit consent to the Privacy Policy. If you store the data in a database or a CRM system, you need to tell users why, where and for how long you are storing it. TO-DO List:
  • Add Privacy Policy checkbox to all your contact forms on the website
  • If you’re storing personal data in a database and/or it is tied to a CRM software or support ticketing solution, you need to tell your users why, where and for how long you’re storing it
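As an added illustration of the checkbox rules in Steps 1 to 7 (example code, not Vibetrace’s), here is a server-side handler that refuses a submission unless the Privacy Policy box was actually ticked, rejects fields the form has no declared need for, and records when and under which policy version consent was given, together with the retention period declared for that form. The field names, the policy version string and the retention periods are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

PRIVACY_POLICY_VERSION = "2018-05-25"   # assumed: change whenever the policy text changes

# Per form: the fields you actually need (data minimisation) and the retention
# period you declared in the Privacy Policy for that data (Step 2). Assumed values.
FORM_RULES = {
    "checkout":   {"fields": {"email", "name", "address"}, "retain": timedelta(days=5 * 365)},
    "newsletter": {"fields": {"email"}, "retain": timedelta(days=365)},
    "contact":    {"fields": {"email", "name", "message"}, "retain": timedelta(days=365)},
}

class ConsentError(ValueError):
    """Raised when a submission must be refused rather than stored."""

@dataclass
class ConsentRecord:
    email: str
    form: str
    policy_version: str
    given_at: datetime
    expires_at: datetime
    data: dict = field(default_factory=dict)

def accept_submission(form, posted, now=None):
    """Validate a posted form and return the consent record to store with the data.

    An unticked HTML checkbox is simply absent from the POST body, so only the
    value a browser sends for a ticked box ("on") counts; a missing field, or any
    other value, is treated as no consent.
    """
    rules = FORM_RULES[form]
    if posted.get("privacy_consent") != "on":
        raise ConsentError(f"{form}: explicit Privacy Policy consent is required")
    extra = set(posted) - rules["fields"] - {"privacy_consent"}
    if extra:   # the form collects fields it has no declared need for
        raise ConsentError(f"{form}: unexpected fields {sorted(extra)}")
    missing = rules["fields"] - set(posted)
    if missing:
        raise ConsentError(f"{form}: missing fields {sorted(missing)}")
    now = now or datetime.now(timezone.utc)
    return ConsentRecord(
        email=posted["email"], form=form, policy_version=PRIVACY_POLICY_VERSION,
        given_at=now, expires_at=now + rules["retain"],
        data={k: posted[k] for k in rules["fields"]},
    )
```

The returned record is what you keep next to the personal data, so that a later access or deletion request (Step 2) and the retention clean-up can be answered from it.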

Step 8. Analytics

Whatever analytics solution you are using (Google Analytics, HotJar, Piwik), you’re collecting user data and using cookies without consent. The same applies to Google AdWords, Facebook pixels and any other similar solutions. Vibetrace enters here as well. You need to make sure each solution is GDPR compliant and also check each solution’s Privacy Policy. The reason to do it is that they are collecting the data, not you, but they do it on your behalf. All of these solutions are called Data Processors. According to Google Analytics (they sent an email in April):
  • GDPR requires your attention and action even if your users are not based in the European Economic Area (EEA)
  • They introduced granular data retention controls that allow you to manage how long your user and event data is held on their servers. Google Analytics will automatically delete user and event data that is older than the retention period you select
  • Before May 25, Google Analytics will also introduce a new user deletion tool that allows you to delete all data associated with an individual user (e.g. site visitor) from your Google Analytics properties
  • GA remains committed to providing features for customizable cookie settings, privacy controls, data sharing settings, data deletion on account termination, and IP anonymization
  • They are also updating their policies as Data Processors
You can find this information under your Account Settings. For all such solutions you’re using make sure they have a Data Processing Policy. To-do list:
  • Only use reliable, GDPR-compliant tracking software
  • Ask software providers how they’re handling GDPR compliance
  • Add to your Privacy Policy who and how they handle personal data collected from your website

Step 9. Third-Party Services

Analytics services are similar to any other third-party solution. Marketers usually try such solutions from time to time, and those you try need to be GDPR compliant as well. Simply ask anyone involved in decisions to implement such solutions (marketers, website developers) the following; the answer should be yes to all of these:
  • make sure they are a reliable service, with contact details and everything
  • make sure they are GDPR ready
  • make sure to add their service to the list of “third parties” that get access to user data in your Privacy Policy
There are cases where such information is passed server-side, through APIs. Technically the tracking is different, but from a GDPR perspective the same rules apply: you pass data to an external service, a Data Processor, which needs to comply with the rules. TO-DO List:
  • Ask the GDPR compliance question every time, about each third-party service
  • Select only GDPR-compliant plugins
  • Add their name into your Privacy Policy page

Step 10. Existing subscribers

Hopefully you already have a database of email subscribers that you built yourself. (If you ever bought such a list, remove those emails completely and never do that again.) An email list has a very high value, but you need to get their consent again to make sure you do not have any issues in the future. As we all know, such lists are built from various sources:
  • all your customers, automatically added regardless of whether they opted in to the marketing list or not
  • emails coming from contact forms, product reviews or offline forms
  • new users, who were just trying to see the products.
You need to get clear consent from all these users. You can’t continue sending to them after 25th May the same way you do now. I’d bet you have a disclaimer in the email footer like: “You’re receiving this email because you input your email address in one of our forms, or it was found on a public website”. Those disclaimers have zero value and won’t help at all. TO-DO List:
  • ask your entire database for consent. Basically, send an email with a subscribe button: those who click it become the new subscribers, and the rest, who don’t do anything, will be removed.
Vibetrace makes it possible to do it automatically, and you can repeat the process a few times, in order to recover as many subscribers as possible.
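The re-consent email described in Step 10, as an added example that is not part of the original post or of Vibetrace’s product: a campaign object that drops bought addresses before anything is sent, hands out signed subscribe links, counts only a valid click inside the round as consent, and at the deadline either runs another round or removes everyone who did not click. The signing key, the URL and the sample addresses are constructed assumptions.

```python
import hashlib, hmac
from datetime import datetime, timedelta

SECRET = b"change-me"                        # assumed: per-deployment signing key
BASE_URL = "https://shop.example/consent"    # placeholder URL behind the subscribe button

# Constructed sample list; "source" records where the address came from (Step 10).
SUBSCRIBERS = [
    {"email": "ann@example.com", "source": "customer-auto-added"},
    {"email": "bob@example.com", "source": "contact-form"},
    {"email": "cy@example.com", "source": "bought-list"},   # never to be mailed
]

def sign(email):
    """HMAC tag so a click on the link can be tied to the address it was sent to."""
    return hmac.new(SECRET, email.encode(), hashlib.sha256).hexdigest()

class RePermissionCampaign:
    def __init__(self, subscribers, started, round_length=timedelta(days=7)):
        # Bought addresses are removed before anything is sent.
        self.pending = {s["email"]: s for s in subscribers if s["source"] != "bought-list"}
        self.confirmed = {}
        self.round_length = round_length
        self.deadline = started + round_length

    def outgoing(self):
        """One (address, signed subscribe link) pair per still-pending subscriber."""
        return [(e, f"{BASE_URL}?email={e}&sig={sign(e)}") for e in self.pending]

    def record_click(self, email, sig, clicked_at):
        """Only a valid, in-time click on the button counts as consent."""
        if clicked_at > self.deadline or not hmac.compare_digest(sig, sign(email)):
            return False
        sub = self.pending.pop(email, None)
        if sub is None:                       # unknown address or already confirmed
            return False
        self.confirmed[email] = {**sub, "consented_at": clicked_at}
        return True

    def close_round(self, now, repeat=False):
        """At the deadline: start another round, or purge everyone who did nothing."""
        if now < self.deadline:
            return []
        if repeat:                            # give non-responders another chance
            self.deadline = now + self.round_length
            return []
        removed = sorted(self.pending)
        self.pending.clear()
        return removed
```

Repeating the round (`repeat=True`) is the “a few times” from the text; the final `close_round` is what actually purges the list, and the `consented_at` timestamp is the evidence you keep for each remaining subscriber.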

Step 11. Breach Notifications

Under the new rules, if your system experiences a data breach it needs to be immediately communicated to those users affected by the breach. A notification must be sent within 72 hours. A breach is a dissemination of your collected data to any party, without your consent:
  • an unauthorised data processor or subcontractor
  • a non-GDPR compliant body
  • a third party without the knowledge of the data subject
  • a hacker
On top of this, you need to have a security emergency data breach response plan and process prepared. Make things public on your blog, website and social network profiles, and also explain how you plan to recover lost data, secure it and prevent it from happening again in the future. TO-DO list:
  • Secure your ecommerce store. Use strong passwords, and give server access only to the few people who need it
  • Subscribe to breach notifications from all your third-party software / API providers so that you become aware as soon as a data breach affecting your users occurs;
  • Reduce the amount of data you store.
  • Create a breach emergency plan.

What you won’t be able to do anymore:

  • Send unsolicited emails (no more purchases of email lists)
  • Send emails/sms unless the visitor gave consent to (welcome emails, cart abandonment…)
  • Do anything illegal (like selling information) with user data.
This article does not represent legal advice, but it helps you comply with GDPR rules. Make sure you only use solutions that are GDPR compliant, and complete our 11 steps. This article is an interpretation from links found on the web and some legal advice from our advisors.