How Robot Ninja is Preparing for GDPR

The EU General Data Protection Regulation (GDPR) is set to take effect at the end of this month, setting stronger rules around how companies use and protect EU citizens’ data, while at the same time giving people more control over their personal information.

At Robot Ninja, we take your privacy seriously and have been putting measures in place to ensure that we fulfill the GDPR’s obligations as well as maintain our transparency around how we use data.

Here’s an overview of the GDPR and how we’ve been preparing for it at Robot Ninja.

What is the GDPR?

The EU’s GDPR is a new and comprehensive data protection law that comes into effect on May 25, 2018. It will replace existing EU data protection laws in an effort to strengthen the protection of “personal data” and the rights of the individual.

The European Commission has published a great infographic/website that explains how the GDPR works and breaks down the different components.

The GDPR for WordPress site also provides a summary of site owners’ obligations with regard to the collection of EU citizens’ data. In short, you must comply with the following:

  • Tell the user who you are, why you collect the data, for how long, and who receives it.
  • Get clear consent before collecting any data.
  • Let users access their data, and take it with them.
  • Let users delete their data.
  • Let users know if data breaches occur.

For more on the GDPR, check out An Introduction to GDPR Compliance for WooCommerce Stores on the WooCommerce site.

Does it Affect Me?

There’s a pretty good chance it does! Even if you’re not an EU citizen or based in the EU, if your WooCommerce store sells goods to people in the EU and you hold or process their data, the GDPR will apply to you.

How is Robot Ninja Preparing for GDPR?

We’ve been working to learn more about the GDPR and overhaul our processes to make sure we meet our legal obligations once the GDPR becomes law.

Here’s what we’ve been doing to prepare:

We’ve appointed a Data Protection Officer

Yep, it’s me! (We’re a micro team here 🙂) If you have any questions about how we’re complying with the GDPR after reading this post, or want to learn more, email me at privacy@robotninja.com.

We’ve reviewed how we collect and process data

We’ve been conducting an audit of the personal data we collect and process, and mapping it as part of a Personal Data Register. Some of the questions we’ve been asking ourselves to determine any gaps include:

  • What personal data is being collected?
  • Where is the data being sourced?
  • Why is the data being collected?
  • How is it processed?
  • Who has access?
  • How long do we retain the data?
  • Where is the data being transferred?

We’re updating our privacy policies

We’ve reviewed our terms of services, privacy policies and forms of consent with the aim of making these documents clearer, easier to understand, and more useful.

We’re coordinating with third parties

We’re identifying and assessing external services that we use, and getting in touch with them to determine what they themselves are doing for GDPR compliance.

We’re examining security measures

We’ve been reviewing our incident response policies and procedures and overall security posture.

We’re developing new processes and procedures

We’re creating new procedures around Data Subject Requests. We’re also putting in place procedures for periodic analysis.

Leveraging WordPress and WooCommerce Changes

Since the GDPR was announced, there’s been a lot of work going on in the WordPress and WooCommerce communities to help site owners comply with the new rules.

The front-end dashboard and user account management components of Robot Ninja are built on WordPress and WooCommerce, so we’ve been keeping a close eye on what is being developed.

There’s much we plan to leverage, including:

  • Ways for users (and guests) to request personal data and/or removal
  • Personal data export system
  • Helper functions for anonymizing data
  • Comment form cookie opt-ins

Just last week, the WooCommerce core development team announced a raft of new GDPR-focused features you’ll find in WooCommerce 3.4, which is scheduled for release on May 23. Here’s a summary of the features:

  • Personal data exporter: WordPress 4.9.6 (which will drop soon) includes the ability to export personal data associated with an email address to an HTML file. WooCommerce 3.4 will add to the generated export file, exporting customer address/account information, orders associated with the given email address, and download permissions and logs associated with the given email address.
  • Personal data eraser: This feature allows users to request that their information be removed from your database and lets you verify requests. It’s important to point out that simply erasing data from a WooCommerce site is complicated, since store owners may need to keep data for other reasons such as tax compliance. As such, some options for erasure are optional.
  • Data retention settings: To help reduce the amount of personal data that is stored, you can now define how long you want to retain data that’s no longer needed for order processing.
  • Checkout page display options: To reduce the amount of personal data you store, you can turn off some optional fields you may not require for processing, and also update the terms and conditions checkout box.
  • Privacy policy page: WordPress 4.9.6 includes a privacy page setting and allows plugins to suggest content. WooCommerce 3.4 adds some suggested content of its own.
  • Privacy policy snippets: WooCommerce now outputs notices and links to your privacy policy in two locations: the account registration form and the checkout form.

For more on the latest GDPR updates to WooCommerce, check out WooCommerce 3.4 GDPR features. And for a rundown on how WooCommerce is complying, see How we’re tackling GDPR in WooCommerce core.
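The export system, the request/removal workflow and the anonymization helpers listed above (and the retention caveat in the eraser description) are exposed to plugin developers through the WordPress 4.9.6 privacy hooks. The following is an added example, not code from Robot Ninja, WordPress or WooCommerce, showing how a plugin would plug its own records into the Export Personal Data and Erase Personal Data tools. The table name `{$wpdb->prefix}example_activity_log`, its columns and the `EXAMPLE_RETENTION_DAYS` accounting window are assumptions made for the example; the filters `wp_privacy_personal_data_exporters` and `wp_privacy_personal_data_erasers`, the callback return shapes and `wp_privacy_anonymize_data()` are the real WordPress 4.9.6 API.

```php
<?php
/**
 * Hypothetical example plugin (not Robot Ninja's code): registers a personal
 * data exporter and eraser with the WordPress 4.9.6 privacy tools, and uses
 * wp_privacy_anonymize_data() to pseudonymise rows that must be retained.
 *
 * Assumed: a custom table {$wpdb->prefix}example_activity_log with columns
 * id, user_email, ip_address, note, created_at, plus an assumed accounting
 * retention period during which rows cannot simply be deleted.
 */

define( 'EXAMPLE_RETENTION_DAYS', 365 ); // assumed accounting retention window

// Register with Tools > Export Personal Data.
add_filter( 'wp_privacy_personal_data_exporters', function ( $exporters ) {
    $exporters['example-activity-log'] = array(
        'exporter_friendly_name' => __( 'Example Activity Log', 'example' ),
        'callback'               => 'example_activity_log_exporter',
    );
    return $exporters;
} );

// Register with Tools > Erase Personal Data.
add_filter( 'wp_privacy_personal_data_erasers', function ( $erasers ) {
    $erasers['example-activity-log'] = array(
        'eraser_friendly_name' => __( 'Example Activity Log', 'example' ),
        'callback'             => 'example_activity_log_eraser',
    );
    return $erasers;
} );

/**
 * Exporter: return the rows tied to the email address, 100 per call.
 * WordPress calls this again with $page + 1 until 'done' is true.
 */
function example_activity_log_exporter( $email_address, $page = 1 ) {
    global $wpdb;
    $limit  = 100;
    $offset = ( $page - 1 ) * $limit;
    $table  = $wpdb->prefix . 'example_activity_log';

    $rows = $wpdb->get_results( $wpdb->prepare(
        "SELECT id, ip_address, note, created_at FROM {$table} WHERE user_email = %s ORDER BY id LIMIT %d OFFSET %d",
        $email_address, $limit, $offset
    ) );

    $export_items = array();
    foreach ( $rows as $row ) {
        $export_items[] = array(
            'group_id'    => 'example-activity-log',
            'group_label' => __( 'Activity Log', 'example' ),
            'item_id'     => 'example-activity-log-' . $row->id,
            'data'        => array(
                array( 'name' => __( 'IP address', 'example' ),  'value' => $row->ip_address ),
                array( 'name' => __( 'Note', 'example' ),        'value' => $row->note ),
                array( 'name' => __( 'Recorded at', 'example' ), 'value' => $row->created_at ),
            ),
        );
    }

    return array( 'data' => $export_items, 'done' => count( $rows ) < $limit );
}

/**
 * Eraser: delete rows outside the retention window; rows still inside it are
 * kept but pseudonymised, and the administrator is told why via 'messages'.
 */
function example_activity_log_eraser( $email_address, $page = 1 ) {
    global $wpdb;
    $table  = $wpdb->prefix . 'example_activity_log';
    $cutoff = gmdate( 'Y-m-d H:i:s', time() - EXAMPLE_RETENTION_DAYS * DAY_IN_SECONDS );

    // Rows older than the retention window can be removed outright.
    $removed = $wpdb->query( $wpdb->prepare(
        "DELETE FROM {$table} WHERE user_email = %s AND created_at < %s",
        $email_address, $cutoff
    ) );

    // Recent rows must be retained, so strip the identifying fields instead.
    $recent = $wpdb->get_results( $wpdb->prepare(
        "SELECT id, ip_address FROM {$table} WHERE user_email = %s", $email_address
    ) );
    foreach ( $recent as $row ) {
        $wpdb->update( $table, array(
            'user_email' => wp_privacy_anonymize_data( 'email' ),                  // deleted@site.invalid
            'ip_address' => wp_privacy_anonymize_data( 'ip', $row->ip_address ),   // last octet zeroed
            'note'       => wp_privacy_anonymize_data( 'text' ),                   // "[deleted]"
        ), array( 'id' => $row->id ) );
    }

    $messages = array();
    if ( count( $recent ) > 0 ) {
        $messages[] = sprintf(
            __( '%1$d activity log entries were pseudonymised rather than deleted because they fall inside the %2$d-day accounting retention period.', 'example' ),
            count( $recent ), EXAMPLE_RETENTION_DAYS
        );
    }

    return array(
        'items_removed'  => $removed > 0,
        'items_retained' => count( $recent ) > 0,
        'messages'       => $messages,
        'done'           => true,
    );
}
```

The eraser reports `items_retained` and a message instead of silently keeping rows, which is what the WooCommerce description above means by erasure being optional for data held for tax or accounting reasons: the request is still honoured as far as the law allows, and the administrator reviewing the request sees exactly what was kept and why.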

GDPR Resources

Here are some fantastic and useful resources we’ve come across that you too might find handy:

Questions?

We’ll keep sharing information on our progress as we make changes, but for now, we wanted to provide an update on our efforts to comply with the GDPR.

Feel free to reach out to us via email (support@robotninja.com) or live chat if you have any questions about the GDPR.