Your Questions About EU GDPR: What Is It And How To Make Sure Your Webstore Is GDPR Compliant
Everyone is talking about EU GDPR and its effects. Let’s find out the definition of GDPR and talk about its impact on your dropshipping business!
Data protection is no joke.
Everyone needs privacy and safety while being online, and of course, everyone wants to shop online with confidence.
This is why there’s such a buzz around EU GDPR, the newest set of legal requirements that regulates the storage and use of online shoppers’ personal data.
Let’s try to figure out what it is, exactly!
What does EU GDPR stand for?
GDPR is an abbreviation that means General Data Protection Regulation.
Simply speaking, it is a regulation in the law system of the European Union. The main idea behind GDPR is to protect the personal data of EU citizens, and to guarantee their privacy.
What will happen to GDPR in May 2018?
The basis for GDPR was introduced in 1995 – as you can guess, the world of informational technologies has changed radically over these years, and it’s now really necessary to edit the regulation.
This is why in April, 2016, the updated version of GDPR was adopted. It will come in effect on 25 May 2018.
What’s the GDPR 2018 summary?
A brief GDPR overview makes it clear that the new regulations oblige companies to be more careful while storing and processing the customers’ personal data.
What does it mean?
Let’s go over the most important aspects – you can find the full explanation of the updates here.
You must follow the regulation if your customers are EU citizens
It doesn’t really matter where your business physically exists, or where it is legally registered. Generally speaking, if your website visitors are EU citizens, you must ensure the full protection of their personal data, and modify all of your data policies in accordance with the GDPR requirements.
Any piece of the website visitor’s data can be considered personal
Interestingly enough, the updated version of GDPR doesn’t give the exact definition of personal data and the types of information details that must be protected under the new regulations.
Still, the European Commission’s official website explains that any pieces of information that can possibly be used to identify the personality of the website visitor can be classified as personal data.
It means that online store owners must be exceptionally careful about the following pieces of information provided by their clients:
- Name and surname
- Email address
- Home address
- Identification card number
- Location
- IP address
- Cookie ID
These (and some else) personal details must be handled in full accordance with the GDPR.
The website must ask the visitors to give their consent on the data usage
Simply speaking, there must be some kind of a designated page, or a form, or a pop-up window that:
- Explains what kind of personal data is collected on this website, who will get and use it, and for what purpose (in clear terms and a simple language)
- Asks the visitors to confirm they agree to provide this kind of information
- Makes it possible for a user to easily cancel this agreement and withdraw the consent
The website must notify the visitors about data breaches
If the website gets hacked, or something similarly dangerous happens to it, there is a chance that the visitors’ data might have gotten stolen.
The companies must notify their buyers and website visitors about such events within 72 hours of discovering the breach.
The website must provide its visitors the right to access the gathered information
So, the webstore visitors now have the right to ask what kinds of personal details this website collects, and how the data is used.
The website, in turn, must be able to provide the necessary explanation on an electronic format and tell what’s the purpose of collecting and using these details.
It must be possible to delete a person’s data upon request
The website must have a technical possibility to erase personal data of an individual, stop it from further spreading, and prevent it from being used by third parties if an individual asks for it.
Is it really necessary to make my store a GDPR-compliant site?
Absolutely!
Even if you’re not residing in the EU and aren’t specifically targeting the EU customers, the global nature of dropshipping means that anybody can stumble upon your website, and order something from you.
Across different countries in the European Union, there will be set special Supervisory Authorities (SA): their purpose is to perform websites audit, issue warnings for non-compliant websites, and suggesting improvement measures for every particular case.
According to the updated version of GDPR, non-compliant organizations will need to pay a penalty charge. It can be amounted up to 4% of the company’s annual global turnover, or €20 million (whichever is bigger).
What exactly do I need to make a GDPR-compliant store?
Follow this step-by-step guide, and it will be fine!
1. Revise the types of data you collect
Since you’re running a dropshipping store, most likely, the personal details you gather are names and surnames, email addresses, physical addresses, phone numbers, payment details…anything else?
This analysis is a good reason to rethink your questionnaires and data forms (if you have any): both you and your customers will benefit from the renewed, ‘minimalistic’ forms.
As you probably remember from our conversions boost guide, the less details a shopper has to provide during checkout, the more likely he/she is to complete the purchase.
At the same time, a short personal details form fully matches your interests, too. Your goal is to gather only the strictly necessary personal info: if you don’t collect unimportant data that is not required for the order processing, you don’t have to protect it – and you don’t have to explain your visitors why you need to know their eye color or Zodiac sign.
2. Think who you share these details with
At this point, you can surely say what types of customers’ data you collect. Now, it’s time to think whom you provide with these personal details.
Typically, you share such info with mass mailing services (Aweber, MailChimp, etc.), with outer plugins and themes, and, obviously, with AliExpress sellers.
Mostly, you need this breakdown to give a clear data usage explanation to your clients – later, in your privacy agreement, you’ll list all your partners/technical solutions and clarify who uses the personal details, how exactly, and for what purposes.
Also, if you have a list of entities/tools that have some kind of access to your clients’ personal data, you can conveniently go through this list and find out whether each one of them is GDPR compliant. It’s a good idea to only do your business with those who stick to the new regulations.
3. Write a new privacy note
It’s wise to have a separate website page designated specifically for this purpose, but you can also write it all on your Terms and Conditions page.
First, write that your webstore is GDPR compliant.
Then, write the full list of personal details your webstore collects (IP address, the type of device used to browse the site, cookies, the visit duration, email, phone number, physical address, postal address, etc.)
Then, repeat the same list, and specify who exactly uses the collected personal details, and for what purposes (for example, Google gets the device information and visit duration within the sphere of Google Analytics goals tracking, Aweber uses email addresses to send mass emails, manufacturers/stock owners use the order product details to assemble the packages, delivery companies use the buyer’s physical address to send the orders, etc.).
Then, explain (in simple and understandable terms) that every store visitor has the right to demand a copy of his/hers personal details collected by you, and can even ask you to delete all these details permanently.
Then, write a specially created email address: it will be the emergency contact address for the people who have questions or requests about their data privacy. Don’t use this address for any other purposes, and don’t show it in your regular contact details – this way, you’ll be sure that every letter coming on this address is related to this particular issue.
Finally, write that if after reading this, the visitor keeps browsing the site, it means he/she fully agrees with these terms and gives full consent to use his/hers personal details for the legally approved and business-necessary purposes. If the visitor doesn’t agree to the terms, he/she must leave the site immediately. If the person has already given consent to use his/hers data, but now wants to withdraw it, he/she should contact you by email and ask to delete all the data.
Please note: since May, 25th, every new custom-made store developed by AliDropship team has a GDPR-compliant ‘Terms and Conditions’ page that covers these basic points. Clearly, the details (contact email, the list of third parties using the personal info, etc.) should be amended by the owners of these stores because every business is managed in its own unique way.
4. Set up a pop-up or a push notification on your landing page
This is a highly useful action if you want to prevent the cases of misunderstanding (for example, if your store visitor claims he/she has simply looked through the products in your store and hasn’t specifically visited the privacy note page, and therefore, hasn’t given the consent to collect his/hers data).
To ensure your own safety, you can set up a privacy notification that appears when someone visits your site. The message should say that:
- The website collects some personal details of every visitor
- It is recommended to read the full explanation of the webstore’s privacy policy (here, you provide the link to the page with your privacy note)
- By clicking ‘OK’ on this notification, the visitor confirms he/she has read the privacy note and agrees with its terms
For this purpose, you can safely use the GDPR Banner plugin for WordPress: it helps you create a catchy banner that is linked to your privacy policy page.
5. Think how to handle every procedure
Under the new regulations, you must be able to:
- On a visitor’s request, show what kind of this visitor’s data you’re collecting
- If necessary, delete a user’s personal details
- If required, withdraw a user’s consent to further use his/hers personal data
Do a little research and pick the relevant plugins that would perform these tasks if necessary: developers all over the globe are currently offering various GDPR-friendly solutions for WordPress that can make your webstore more compliant with new regulations.
Our team has tested several options, so we can recommend GDPR plugin that covers a wide variety of the necessary tasks, and Delete Me plugin that specifically allows users to delete their data from a particular website.
6. Improve the store security
If your store is well-protected from malware and hackers’ attacks, most likely, you won’t have to deal with security breaches.
Read this article to learn how to make your website secure.
7. Think what to do if a data breach still happens
According to the new regulations, as soon as you learn about a data breach, you need to do the following within the next 72 hours:
- Write down its details and keep a record of every incident
- Report the incident to the local Data Commissioner (supervisory authority)
- Notify your clients about the breach in case it threats their personal rights and freedoms
8. Consult your local lawyer
We strongly recommend you to get legal advice concerning the GDPR: many of the statements in the new regulation are quite ambiguous, and if you want to interpret them in the most favorable way for you, it’s necessary to discuss it with a professional lawyer.
Now you have a general idea about EU GDPR and its influence on your business. Don’t worry – with the due preparation, you’ll keep enjoying your thriving dropshipping store without any troubles!
tutorials and special offers from AliDropship
Recommended for You
Hi Olga,
Thanks for information about GDPR. Do you provide Site Review service so that my site is properly compliant to GDPR?
And, may I have your GDPR-compliant ‘Terms and Conditions’ page?
FYI, my site was developed by your team on Jan 2018
Thank you, John!
No, we are not authorised to perform site audit of this kind: since it’s a legal matter, only a certified lawyer can give you a professional and reliable feedback concerning GDPR compliance.
The new version of our Terms and Conditions page is a work in progress; after May, 26th, you can get in touch with your dedicated support manager, and ask to provide you with the updated page version.
Hi Olga,
So basically, we will have to be transparent about all our suppliers to the customer? The fact we source products from Aliexpress, the supplier we use in Aliexpress? If so, does this not kill the dropshipping industry?
Hello Andrew,
On your privacy policy page, you can write the following:
– External product suppliers and stock keepers receive the details of the order contents and the buyer’s shipping address: the data is necessary for them to arrange the shipment
– Multiple suppliers are cooperating with the store, and for every particular order, it might be a totally different company
– In order to figure out what exact supplying/stocking company received the data of this particular buyer, the buyer can write a request email to you
This way, you will only provide the supplier’s name (the legal name of the company that placed this exact product on AliExpress) upon a particular buyer’s request.
Thanks for that, very helpful.
Olga, I’m sorry to be harsh, but your comment is completely not true.
Your client has to be informed specifically where their data goes to prior the purchase and has to agree on that. Such an obligation results directly from the provisions of the GDPR! In the scenario you have presented you are in great danger of breaching the GDPR rules! You will not be able to defend that specific person has been informed and agreed on sharing their data with company XYZ prior the purchase.
Additionally it is not allowed to share EU citizens data with companies from 3rd countries, i.e. with wicker data protection policies than GDPR. Unless such country has been white-listed by the EU regulator itself. The official list can be found below and transferring data to China is a clear breach of GDPR!
https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/adequacy-protection-personal-data-non-eu-countries_en
Please do not spread such faulty approaches since GDPR fines are no joke!
Hi Olga,
Thanks for the article. Just wondering. Article 13 and 14 of the gdpr state that notices need to be sent to data subjects upon collection of data.
Does that mean that Aliexpress will be sending notices to our customers according to art. 14 that they have received their names, emails, phone number, etc?
Hi Olga,
Thanks for the article. It is very helpful. I have a web store that is made by your team. I have read somewhere that any web stores selling products to EU citizens has to charge 21% VAT to them. Is it right? If yes, How can we identify them and charge them the VAT?
Olga L. I admired his wisdom. I’m surprised how you wrote all this. I see you everywhere. I would like to thank you and the Alidropship team for sharing this valuable information with us. I feel very lucky to work with a very professional team.