Is your photo product E-Commerce GDPR compliant?

GDPR preparations

Surely, anyone used the internet on a daily basis has heard something about GDPR. This new legislation will soon impact any company that’s either located within Europe, or has customers here.

The General Data Protection Regulation (GDPR) hits the EU in May 2018 and is designed to strength individuals’ rights when it comes to the storage and usage of their personal data. Is your photo products store prepared for these changes and are you aware of how GDPR will impact your business?

Here, you can learn about the most important aspects of being GDPR compliant and how to accomplish them.

1. Decide what data you need to keep

According to the new legislation, you can’t store any personal data that you don’t need. In other words, for every personal contact stored in your database, you require a valid reason to keep it. If you don’t use some of this data, you should remove it. This is a key part of GDPR and, overall, it will encourage a more disciplined approach to personal data.

If you’re unsure what data you need, try asking yourself a few key questions. Why do you archive this information, rather than simply deleting it? Why do you save all of this data? Will it ever be useful for your photo product business?

To put it in other words, the data you store should be accurate and, where necessary, kept up to date. If it’s not, then there’s little to no reason to keep it.

2. Your customers have the right to be forgotten

The right to be forgotten is another core aspect of the GDPR. You need to remember that your customers must have an easy way to unsubscribe from your newsletter, edit or delete any personal data you own regarding them and even completely remove their account from your system.

Furthermore, you also need to adapt your contact and registration forms accordingly, to greater show this change. You must state this information, so users know they can ask you to delete their data at any point.

Of course, if you are sending your customers interesting newsletters, useful information and even tips on how to get the most out of your photo products service, rather than generic, ‘spammy’ email, you can rest assured that customers will not readily take up the option to unsubscribe.

3. Update you forms with requests for user consent

Aside from your privacy policy, the GDPR requires you to clearly and transparently state requests for user consent. In other words, you should update both your contact and registration forms to indicate you are collecting personal data with an intent to store it and consequently request a users consent.

You also have an obligation to inform users about how you store and use their personal data. Make sure your contact forms offer a link to your privacy policy.

According to Article 4 (11) of the GDPR, the consent of the data subject is:

”any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;”

4. The right of access

According to a users right of access, your customers or subscribers have the right to request the personal data you have on them. They can also ask how this data is collected and how it is used. If a customer makes such a request, you are obligated to provide a copy of their data.

Because of this, you should be prepared for such requests by having well organized databases for your subscribers and customers. Outside of meeting GDPR requirements, such a structured database will also help you when sending photo product newsletters. Because those that are not interested can request to unsubscribe, you are only left with those that are genuinely interested.

5. Implement privacy by design

Under the GDPR and the concept of privacy by design, data protection needs to be at the forefront of your business project, rather than a secondary component. As the online business owner, you will need to be thoroughly clear with your customers about what happens with their personal data, how it is processed, where it is send and for what purposes.

So, when you plan your next marketing campaign, you should not only think about new elements, such as a popup for subscripts, but also how you will collect data, how you will protect it, how you will use it and, just as importantly, how you will inform potential subscribers about all of these factors.

Your to-do list

As you can see, there’s some work to do! If you haven’t already started preparing for GDPR, you should do so as soon as possible. If you need a little assistance, here’s a simple to-do list to help you get started.

1. Get consent whenever you collect user data: you must obtain a user’s consent to process his or her personal data in any of your marketing efforts. You should implement some checkboxes in your contact forms for users to accept your Terms, Conditions, Privacy and Cookies Policy. Look at the following form as an example:

You should also avoid any unclear methods of obtaining consent: set the default option of all your contact and registration forms to unchecked. This way, you will avoid complaints about misleading methods of receiving consent. Ensure people need to opt-in, rather than opt-out, by default.

2. Make sure you are properly protecting the data collected: you must protect your users’ personal data when you store or process it. There are companies available that can conduct audits and assess whether your business is following acceptable data protection practice or has to improve this process. We strongly recommend conducting such an internal audit.

3. Correct or delete a user’s data if he or she requests: if a customer or subscriber requests you erase or change their personal data, you must do so: preferably in less than a week. The easiest thing to do here is to purchase an add-on, such as the one offered by PrestaShop. It adds two simple sections to a user’s account, allowing them to easily request the data or it’s removal.

Source: PrestaShop GDPR module add-on

4. Update your privacy policy: you must simplify the language of this policy and clearly explain how your collected data is used. You should also minimize the legalese. GDPR includes rules that require you to create or update your privacy policy. For this information, you can check privacy notices under the EU General Data Protection Regulation.

These tips should help you take care of the most important matters, but getting advice from your lawyer is also strongly recommended. It’s better to be safe than sorry!

Katarzyna Michałowska

Reader. Writer. Communicator. PR & Marketing Specialist at Printbox. Learning from only the best and writing killer copy.