GDPR and small ecommerce website


#1

Hi all

I've got a client who is a small local florist selling flowers online and using Woocommerce.

What actions do I need to take on his website to comply with GDPR?

I've put a cookie notification on his site which links to some generic cookie text (all he uses is Analytics).

When people buy a product their details are stored within the Woocommerce Orders tab. Is there a way these can be automatically deleted after x many days?

Does anyone have a generic privacy policy/cookie policy document I can use?

Thanks


#2

You could have a cron-job run every x-period and delete orders that are y-old.

You will need to make it clear to users what data is stored, for what purpose and for how long. I think the usual thing is an "I Agree" checkbox on any input form and a link to your Ts & Cs/ Privacy Policy.
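One way to implement the cron-job approach from post #2 in WooCommerce itself, as an added example that is not code from anyone in this thread: a small plugin that schedules a daily WP-Cron task and force-deletes finished orders older than an assumed retention period. The plugin name, the `OOP_` constants, the 90-day period and the batch size are all assumptions chosen for the example.

```php
<?php
/**
 * Plugin Name: Old Order Purge (constructed example)
 * Deletes completed/cancelled WooCommerce orders older than a retention period,
 * once a day via WP-Cron. Retention period and batch size are assumed values.
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit; // never run outside WordPress
}

define( 'OOP_RETENTION_DAYS', 90 );               // assumed: the "y-old" from the post
define( 'OOP_CRON_HOOK', 'oop_purge_old_orders' ); // hypothetical hook name

// Register the daily schedule on activation and remove it on deactivation.
register_activation_hook( __FILE__, function () {
    if ( ! wp_next_scheduled( OOP_CRON_HOOK ) ) {
        wp_schedule_event( time(), 'daily', OOP_CRON_HOOK );
    }
} );
register_deactivation_hook( __FILE__, function () {
    wp_clear_scheduled_hook( OOP_CRON_HOOK );
} );

add_action( OOP_CRON_HOOK, function () {
    if ( ! function_exists( 'wc_get_orders' ) ) {
        return; // WooCommerce is not active; nothing to do
    }
    $cutoff = time() - OOP_RETENTION_DAYS * DAY_IN_SECONDS;

    // Only finished orders: anything still processing or awaiting a refund
    // is still needed to serve the customer and must not be removed yet.
    $ids = wc_get_orders( array(
        'status'       => array( 'completed', 'cancelled' ),
        'date_created' => '<' . $cutoff,
        'limit'        => 200, // assumed batch size so a big backlog is cleared gradually
        'return'       => 'ids',
    ) );

    foreach ( $ids as $id ) {
        $order = wc_get_order( $id );
        if ( $order ) {
            $order->delete( true ); // force delete: bypass the trash so the data is really gone
            // Log only the order number, never the customer's details.
            error_log( sprintf( 'Purged order #%d (older than %d days)', $id, OOP_RETENTION_DAYS ) );
        }
    }
} );
```

Before deleting outright, check what order records the business must keep for accounting, since a hard delete removes them from the shop; WooCommerce's own "Accounts & Privacy" settings (3.4 and later) can anonymise old orders instead of deleting them if a record is needed.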


#3

I can't speak authoritatively, but my understanding is that "making it clear" and giving the option to "opt out" is not enough and that they must explicitly opt-in.

After that things get a lot more fuzzy as to what exactly constitutes PII (Personally Identifiable Information) and what rights users have for that information.

My take is that when and if a user challenges a site's practices the site should be prepared to defend those practices.


#4

By checking "I Agree" (to the site's T&C/PP) you are opting in. By presenting the T&C/PP you are laying it all out and making it clear.

At the end of the day, if you are making an on-line order for a physical item you want delivered, they will need certain data about you to process the order and deliver.
If a user doesn't like that, they can leave the site and get on down the high-street.

There is an awful lot of reading on GDPR, but the gist I get in a nutshell is: always giving users options, being transparent about data you keep, and offering the rights for data disclosure and erasure.
I know that's a huge dumbing down of a huge topic, but it's almost too huge for its own good.


#6

GDPR is a bit misunderstood by a lot of people. The main gist as above is don't do things with people's data that they haven't asked you to do and keep it safe.

Arguably you could be keeping it safe by deleting it but surely you need a record for auditing purposes. If you log onto Amazon or eBay etc. they don't remove everything you bought every 30 days. I can still check what I bought in 2015 if I want. I'm unfamiliar with woocommerce but by the sounds of it it would be reasonable to assume that it is built for sales and therefore as long as you don't do anything odd it should be safe. If you get hacked due to an error in their software it is their fault not yours as they provided the platform for you to use for that purpose. If you added a random module that caused the problem then that's your fault.

You don't need a cookie bar if you aren't using tracking that personally identifies the user. If it's GA then have a look at the docs as it's pretty easy to turn off marketing and anonymise the IP.

The main thing I would stress to them is to manage who controls the data. If they had a data breach the ICO would ask things like how did it happen, who was in charge of the data, who had access to the data. This doesn't have to be on the website. If an assistant downloads orders to an Excel spreadsheet and then emails it to the boss without a password on the spreadsheet and it gets accidentally emailed to the wrong person (it happens!) or an email account gets hacked then that is the company's fault as that is a process they have allowed to happen.

Additionally, knowing who has the password to log in is important. If a member of staff gets sacked or leaves, remove their account or change the password immediately.