To some degree there’s not a huge amount of change here. The online web shop has had to be secure for a while and the amount of data collected often pared down to the bare minimum to make the purchasing process as pain-free as possible.
So aside from amending a few forms to have a consent statement stored, there isn’t really much that needs to be done, other than perhaps removing any annoying newsletter pop-ups which coerce people into taking specific actions that might be judged as not quite ‘informed consent’.
Although we believe this is the case for all shop websites we have built, there are just a few reminders which we’ve included here to double-check you have the right things in place already.
All of these should also be in clear English, rather than buried in legalese, and aren’t just GDPR-related but involve complying with the Distance Selling Regulations too.
- Contact is possible, and not just through a form but with an address on the contact page (maybe below the form, but accessible, you can’t hide online)
- Delivery & Returns Policy as a separate page, easy to access (note: we’d ensure that postage is on here too), and this should have a postal address for returns on it
- Terms and Conditions, which a customer has to accept before completing a purchase
When using a system like WooCommerce most of this is already covered, especially access to information (through a customer’s account they should be able to amend their details and delete their account).
What you want to check are things like ‘did we ask them what their birthday was for some competition or something, and do we still have that?’ Is that editable?
You may need to identify a Data Protection Officer (see the ICO’s Guide) if you’re doing a lot of online tracking and processing. We don’t think this applies to most smaller stores, and in most cases with something like Google Analytics you’re not tracking individuals, just wider demographics.
It is possible to be more nuanced in your approach, and this more comprehensive guide from Business Bloomer may help, but we would generally encourage keeping your data minimal, contact easy and clear, and responding quickly to user queries like you always have, e.g. ‘remove my data’.