The EU General Data Protection Regulation (GDPR) is set to take effect at the end of this month, setting stronger rules around how companies use and protect EU citizens’ data, while at the same time giving people more control over their personal information.
At Robot Ninja, we take your privacy seriously and have been putting measures in place to ensure that we fulfill the GDPR’s obligations as well as maintain our transparency around how we use data.
Here’s an overview of the GDPR and how we’ve been preparing for it at Robot Ninja.
What is the GDPR?
The EU’s GDPR is a new and comprehensive data protection law that comes into effect on May 25, 2018. It will replace existing EU data protection laws in an effort to strengthen the protection of “personal data” and the rights of the individual.
The European Commission has published a great infographic/website that explains how the GDPR works and breaks down the different components.
The GDPR for WordPress site also provides a summary of site owners’ obligations with regard to the collection of EU citizens’ data. In short, you must comply with the following:
- Tell the user: who you are, why you collect the data, for how long and who receives it.
- Get clear consent before collecting any data.
- Let users access their data, and take it with them.
- Let users delete their data.
- Let users know if data breaches occur.
For more on the GDPR, check out An Introduction to GDPR Compliance for WooCommerce Stores on the WooCommerce site.
Does it Affect Me?
There’s a pretty good chance it does! Even if you’re not an EU citizen or based in the EU, if your WooCommerce store sells goods to people in the EU and you hold or process their data, the GDPR will apply to you.
How is Robot Ninja Preparing for GDPR?
We’ve been working to learn more about the GDPR and overhaul our processes to make sure we meet our legal obligations once the GDPR becomes law.
Here’s what we’ve been doing to prepare:
We’ve appointed a Data Protection Officer
Yep, it’s me! (We’re a micro team here 🙂) If you have any questions about how we’re complying with the GDPR after reading this post, or want to learn more, email me at firstname.lastname@example.org.
We’ve reviewed how we collect and process data
We’ve been conducting an audit of the personal data we collect and process, and mapping it as part of a Personal Data Register. Some of the questions we’ve been asking ourselves to determine any gaps include:
- What personal data is being collected?
- Where is the data being sourced?
- Why is the data being collected?
- How is it processed?
- Who has access?
- How long do we retain the data?
- Where is the data being transferred?
We’re updating our privacy policies
We’ve reviewed our terms of service, privacy policies and forms of consent with the aim of making these documents clearer, easier to understand, and more useful.
We’re coordinating with third parties
We’re identifying and assessing external services that we use, and getting in touch with them to determine what they themselves are doing for GDPR compliance.
We’re examining security measures
We’ve been reviewing our incident response policies and procedures and overall security posture.
We’re developing new processes and procedures
We’re creating new procedures around Data Subject Requests. We’re also putting in place procedures for periodic analysis.
Leveraging WordPress and WooCommerce Changes
Since the GDPR was announced, there’s been a lot of work going on in the WordPress and WooCommerce communities to help site owners comply with the new rules.
The front-end dashboard and user account management components of Robot Ninja are built on WordPress and WooCommerce, so we’ve been keeping a close eye on what is being developed.
There’s much we plan to leverage, including:
- Ways for users (and guests) to request personal data and/or removal
- Personal data export system
- Helper functions for anonymizing data
- Comment form cookie opt-ins
Just last week, the WooCommerce core development team announced a raft of new GDPR-focused features you’ll find in WooCommerce 3.4, which is scheduled for release on May 23. Here’s a summary of the features:
- Personal data exporter: WordPress 4.9.6 (which will drop soon) includes the ability to export the personal data associated with an email address to an HTML file. WooCommerce 3.4 will add to the generated export file, exporting customer address/account information, orders associated with the given email address, and download permissions and logs associated with the given email address.
- Personal data eraser: This feature allows users to request that their information be removed from your database and lets you verify those requests. It’s important to point out that simply erasing data from a WooCommerce site is complicated, since store owners may need to keep data for other reasons such as tax compliance. As such, some erasure options are left optional.
- Data retention settings: To help reduce the amount of personal data that is stored, you can now define how long you want to retain data that’s no longer needed for order processing.
- Checkout page display options: To reduce the amount of personal data you store, you can turn off some optional fields you may not require for processing, and also update the terms and conditions checkout box.
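To make the export/erasure system described in the two lists above concrete, here is an added example (not Robot Ninja’s, WordPress’s or WooCommerce’s own code) of how a store plugin would hook its own data into the WordPress 4.9.6 privacy tools. The filters `wp_privacy_personal_data_exporters` and `wp_privacy_personal_data_erasers` and the helper `wp_privacy_anonymize_data()` are the real core APIs; the `rn_support_notes` table, its columns and the `rn_example_*` function names are assumptions made for the example. The eraser shows the retention caveat from the list: rows linked to an invoice are anonymized rather than deleted and reported back as retained.

```php
<?php
/**
 * Added example: hook a hypothetical "support notes" table (assumed columns:
 * id, email, note, ip_address, created_at, invoice_id) into the WordPress
 * 4.9.6 personal data exporter and eraser.
 */

// Register our exporter so its data is included in the per-email export file.
add_filter( 'wp_privacy_personal_data_exporters', 'rn_example_register_exporter' );
function rn_example_register_exporter( $exporters ) {
    $exporters['rn-example-support-notes'] = array(
        'exporter_friendly_name' => __( 'Support Notes (example)' ),
        'callback'               => 'rn_example_export_notes',
    );
    return $exporters;
}

// Core calls this with $page = 1, 2, ... until 'done' is true, so large data sets are paged.
function rn_example_export_notes( $email_address, $page = 1 ) {
    global $wpdb;
    $per_page = 100;
    $offset   = ( $page - 1 ) * $per_page;
    $table    = $wpdb->prefix . 'rn_support_notes'; // assumed table name

    $rows = $wpdb->get_results( $wpdb->prepare(
        "SELECT id, note, created_at, ip_address FROM {$table} WHERE email = %s ORDER BY id LIMIT %d OFFSET %d",
        $email_address, $per_page, $offset
    ) );

    $items = array();
    foreach ( $rows as $row ) {
        $items[] = array(
            'group_id'    => 'rn-support-notes',
            'group_label' => __( 'Support Notes' ),
            'item_id'     => 'rn-support-note-' . $row->id,
            'data'        => array(
                array( 'name' => __( 'Note' ),       'value' => $row->note ),
                array( 'name' => __( 'Created' ),    'value' => $row->created_at ),
                array( 'name' => __( 'IP address' ), 'value' => $row->ip_address ),
            ),
        );
    }
    return array( 'data' => $items, 'done' => count( $rows ) < $per_page );
}

// Register our eraser so it runs when an erasure request is confirmed and processed.
add_filter( 'wp_privacy_personal_data_erasers', 'rn_example_register_eraser' );
function rn_example_register_eraser( $erasers ) {
    $erasers['rn-example-support-notes'] = array(
        'eraser_friendly_name' => __( 'Support Notes (example)' ),
        'callback'             => 'rn_example_erase_notes',
    );
    return $erasers;
}

function rn_example_erase_notes( $email_address, $page = 1 ) {
    global $wpdb;
    $table          = $wpdb->prefix . 'rn_support_notes';
    $batch          = 100;
    $items_removed  = false;
    $items_retained = false;
    $messages       = array();

    // No OFFSET: every matching row is either deleted or has its email anonymized
    // below, so each pass starts from the top and the loop ends when nothing matches.
    $rows = $wpdb->get_results( $wpdb->prepare(
        "SELECT id, ip_address, invoice_id FROM {$table} WHERE email = %s LIMIT %d",
        $email_address, $batch
    ) );

    foreach ( $rows as $row ) {
        if ( ! empty( $row->invoice_id ) ) {
            // Record is tied to an invoice that must be kept for tax purposes:
            // retain the row but strip identifying fields with the core helper.
            $wpdb->update( $table, array(
                'email'      => wp_privacy_anonymize_data( 'email', $email_address ),
                'ip_address' => wp_privacy_anonymize_data( 'ip', $row->ip_address ),
                'note'       => wp_privacy_anonymize_data( 'text', '' ),
            ), array( 'id' => $row->id ) );
            $items_retained = true;
        } else {
            $wpdb->delete( $table, array( 'id' => $row->id ) );
            $items_removed = true;
        }
    }

    if ( $items_retained ) {
        // Shown to the site admin in the erasure results, explaining what was kept and why.
        $messages[] = __( 'Support notes attached to an invoice were anonymized rather than deleted, because the invoice must be retained for tax compliance.' );
    }

    return array(
        'items_removed'  => $items_removed,
        'items_retained' => $items_retained,
        'messages'       => $messages,
        'done'           => count( $rows ) < $batch,
    );
}
```

The eraser never reports an item as removed when it was only anonymized; `items_retained` plus a message is what the request-handling screen uses to tell the admin that part of the data was kept under a legal obligation, which matches the "some erasure options are optional" caveat for WooCommerce order data.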
Here are some fantastic and useful resources we’ve come across that you too might find handy:
- GDPR For Dummies – MetaCompliance ebook.
- The GDPR Checklist – A basic checklist you can use to harden your GDPR compliance. You can even contribute over at GitHub.
- How GDPR Will Change The Way You Develop – Smashing Magazine
- New Team Forms to Facilitate GDPR Compliance in WordPress Core – WP Tavern
- GDPR Compliance – GitHub
We’ll keep sharing information on our progress as we make changes, but for now, we wanted to provide an update on our efforts to comply with the GDPR.