[intro] When you have completed this guide you will be aware of any changes you need to implement on your Obodo shop in order to comply with the GDPR legislation due to be enforced on the 25th May 2018. [/intro]
[summary]
- GDPR Checklist
- Terms & Conditions and Privacy Policy
- Online Payments
- Offline Security
- Consent
- Active Opting-In
- Unbundled Opting In/Granular Opting In
- Opting Out
- Storing of Consent
- Cookies
- Updates to EKM Email Marketing
- Updates to EKM Domains
- FAQs
[/summary]
What is GDPR?
The General Data Protection Regulation (GDPR) has been introduced to harmonize data privacy laws across Europe. It aims to protect all EU citizens from privacy and data breaches and give citizens greater control of their data. It came into effect on 25th May 2018 and is enforced by the Information Commissioner's Office.
The GDPR applies to any organisation processing personal data of EU citizens. This can be a name, email address, address, phone number, social media account or even an IP address. It also applies to all industries and sectors.
The GDPR makes reference to ‘controllers’ and ‘processors’. A controller determines the means and purposes of processing personal data. A processor processes personal data for a controller.
GDPR applies to ‘personal data’ which is any information that can be used to identify an individual, such as their name, telephone number, email address, IP address and so on.
The GDPR features an expansion of individual rights including:
- Right to be forgotten: An individual can request that an organisation remove all personal data they hold without delay;
- Right to object: An individual can prohibit personal data being processed in certain ways;
- Right to rectification: An individual can request incorrect personal data to be corrected;
- Right of access: An individual has the right to know what personal data an organisation has about them and how it is processed;
- Right of portability: An individual can request that personal data be transported from one organisation to another;
- Right to fair and transparent processing: An individual has the right to information about the processing of their personal data.
The GDPR outlines stricter consent requirements and organisations must ensure that consent is obtained for every usage of personal data. Consent must be specific to a distinct purpose, pre-ticked checkboxes and silent consent will no longer constitute consent and you must be clear about the processing activities consent is given for.
GDPR Checklist
In order to perform due diligence on your own Obodo shop to ensure that you comply with the GDPR legislation, you need to work through the checklist below.
Terms & Conditions and Privacy Policy
Note: While we have drafted a Privacy Policy template for guidance, any personal information contained within our customers' Obodo shops is their own responsibility. We have taken security measures to ensure that our customers are protected against loss, alteration or misuse, but GDPR compliance is the sole responsibility of the website/business owner.
As part of the GDPR legislation, you need to ensure that the Terms & Conditions and the Privacy Policy on your Obodo shop are clear, concise and can be easily located. If you are using the default text on the Terms and Privacy webpages, this has already been completed for you and a link to those webpages will be visible in the footer of your Obodo shop.
Processing Customer Data
However, if you have amended the copy or are using all of your own text on either the Terms or the Privacy webpages, you need to ensure that how you process a customer’s data on your Obodo shop is clearly defined, and you need to explain how and why you are collecting data. Your Privacy Policy will also need to detail third party applications - such as Google Tag Manager for example - that you may be using to track user data on your Obodo shop.
Online Payments
As your Obodo shop is an e-commerce business, customers are able to process transactions using Stripe, which you will have set up already. Your Obodo shop will collect data on each customer and, as a result, you need to ensure that this data is removed after a reasonable period.
The actual GDPR legislation does not specifically detail a recommended period for this but as an Obodo shop owner, we recommend that you keep records for a period of seven years in accordance with the HMRC.
Offline Security
GDPR legislation advises that as Data Processors, Obodo shop owners have appropriate procedures in place for the storing of sensitive data offline. Customer details, website logins, staff details and similar must be stored securely offline with access granted only where needed. Obodo Customers are responsible for ensuring that only authorised personnel access their accounts.
Consent
The GDPR legislation requires that your customers have to give their explicit consent for you to process their data. This requires an ‘opt-in’ - the customer actually has to tick a box or similar in order to give their consent, and pre-filled forms and checkboxes are no longer allowed.
When asking your customers for consent, you have to explain exactly why you need it and what you need it for. You also cannot use one checkbox to ask for consent for lots of different things - each aspect of consent you are offering must be explained and offered individually as ‘blanket’ consent is not enough.
You have to keep evidence of your consent - what was explained to the customer when they gave consent, how they gave consent, who gave the consent and why you needed that consent. You also need to review consent on a regular basis.
If the consent that you have asked your customer to provide is on behalf of a third party - for instance, Google Analytics - you will need to detail this so that your customer is aware of what entities will be using their personal data.
Active Opting In
Customer Accounts
Obodo shop
If the functionality is turned on, customers are able to create accounts on your Obodo shop to view their previous orders and, if applicable, take advantage of offers and promotions. Customers can sign up for an account in the checkout flow when they make a purchase, or alternatively, you can manually create an account for them. If the customer has created their own account, they have already provided their consent for their personal data to be used.
However, if you have manually created an account for your customer using their personal data, it is your responsibility as an Obodo shop owner to keep a record of how and when the consent was obtained, and what was explained to the customer prior to the account being created for them.
Contact Forms
Obodo shop
If you are using the standard Contact Forms on your Obodo shop, you do not need to worry as the fields on these forms are empty by default and contain no pre-filled fields or pre-ticked boxes. You must only use the forms for their intended purpose and not as a way to gain email addresses to use for future email marketing campaigns or similar.
EKM Email Marketing
Contacts are added to EKM Email Marketing in one of three ways:
- Sign up through a signup form: Contacts signing up in this method receive a confirmation email asking them to confirm they wish to receive campaigns;
- Sign up via the checkout of your Obodo shop: Contacts signing up using this method actively check a checkbox during checkout;
- Manually added by the account holder: As the account holder, you are stating that you have permission to send your campaigns to the contacts you are adding. This is stated on all input screens that are affected.
Third Party
If you are using third-party email marketing or contact forms on your Obodo shop, you need to ensure that by default, any checkboxes or fields must not be completed or ticked. This is so customers don’t submit the form without realising that they have approved something that they did not actively request; GDPR legislation requires that the visitor actively completes a field or ticks a box in order to sign up for something.
Unbundled Opting In/Granular Opting In
Unbundled Opting In means that, when gaining consent and asking customers to opt in, several different aspects are not bundled under a single checkbox that needs to be clicked. Visitors to your Obodo shop need to be able to pick and choose consent for each aspect separately (dependent on your content and products, of course).
Granular Opting In means that you need to give your visitor more than one option to opt in for something. When you obtain consent here, you need to ensure that you offer more than one choice for them to be contacted, such as by phone, by text or by email, and give them a checkbox or similar for each option. Granular opting in ensures that customers are explicitly aware of what level of contact with you they are agreeing to when giving their consent.
EKM Email Marketing
Customers can sign up for your email newsletters via the checkout flow on your Obodo shop or via the sign-up form on your Obodo shop, and they can also be added manually by yourself. The EKM Email Marketing sign-up flow prevents customers from signing up to anything other than your email newsletter.
Obodo shop
An Obodo shop using the default contact form and displaying a telephone number and postal address provides more than one option for customers to contact you should they wish to opt into something on your Obodo shop, such as having an account manually created for them. Using the default text on the Terms and Privacy pages also satisfies this part of the GDPR legislation too.
Third-Party
If you are using third party contact forms or email marketing, you need to ensure that these aspects offer both unbundled and granular opting in.
Opting Out
EKM Email Marketing
Your customers can easily opt out of your email newsletters by using the unsubscribe link at the foot of each email, or by contacting you as the shop owner via the contact details displayed on your Obodo shop.
Obodo shop
Customers should be able to contact you easily via the telephone, email and postal mail details displayed on your Obodo shop in order to opt out of something, such as a customer account.
Third-Party
After you have ensured that opting in for consent is clearly explained and defined, you then need to ensure that opting out of consent is as easy as opting in. You need to offer options for each individual aspect that a customer could potentially opt-out from, and also ideally offer them the ability to change the frequency of communication with you if possible.
Storing of consent
Email Marketing
EKM Email Marketing
We have updated our system to enable the storing of consent information for each contact. Contacts we don’t have stored consent for will be visible via the Non-Consented Contact Group option in the left-hand navigation menu of EKM Email Marketing.
Third Party
However, if you are not using EKM Email Marketing and are using a third-party email marketing provider instead, it is your responsibility to ensure that your account with them adheres to GDPR legislation and recommended practices.
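A consent register of the kind this section, the Consent section and the Opting Out section describe, as an added example that is not Obodo or EKM code: it keeps the evidence (who consented, what for, how, what was explained and when), records one aspect per checkbox so nothing is bundled or taken silently, withdraws consent per aspect, lists non-consented contacts and flags records due for review. The form field names, the channels and the one-year review period are assumptions.

```python
"""Consent register: one record per contact, purpose and contact channel."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

@dataclass
class ConsentRecord:
    contact: str             # who gave consent (customer identifier, e.g. email)
    purpose: str             # why it was needed, e.g. "sales and promotions"
    channel: str             # granular aspect: "email", "sms" or "phone"
    method: str              # how it was given, e.g. "checkout checkbox"
    explained: str           # what the customer was told at the time
    granted_at: datetime     # when it was given
    withdrawn_at: Optional[datetime] = None   # set when the customer opts out
    def active(self) -> bool:
        return self.withdrawn_at is None

class ConsentRegister:
    CHANNELS = ("email", "sms", "phone")  # one checkbox per channel, never bundled (assumed)
    def __init__(self, review_after=timedelta(days=365)):
        self.records: list[ConsentRecord] = []
        self.review_after = review_after  # how often stored consent is reviewed (assumed)
    def record_from_form(self, contact, purpose, form, explained, method, now):
        """Record only the aspects actively ticked: an unchecked HTML checkbox is
        absent from the submitted fields, so nothing is recorded silently."""
        if not explained.strip() or not method.strip():
            raise ValueError("consent needs a record of what was explained and how")
        granted = []
        for ch in self.CHANNELS:
            if form.get(f"consent_{ch}") == "on":
                self.records.append(ConsentRecord(contact, purpose, ch, method, explained, now))
                granted.append(ch)
        return granted

    def withdraw(self, contact, purpose=None, channel=None, now=None) -> int:
        """Opt out of one channel, one purpose or everything; returns records closed."""
        now = now or datetime.now(timezone.utc)
        closed = 0
        for r in self.records:
            if (r.contact == contact and r.active()
                    and purpose in (None, r.purpose) and channel in (None, r.channel)):
                r.withdrawn_at, closed = now, closed + 1
        return closed

    def has_consent(self, contact, purpose, channel) -> bool:
        return any(r.contact == contact and r.purpose == purpose
                   and r.channel == channel and r.active() for r in self.records)

    def non_consented(self, contacts, purpose, channel):
        """Contacts with no active consent for this purpose and channel."""
        return [c for c in contacts if not self.has_consent(c, purpose, channel)]

    def due_for_review(self, now):
        return [r for r in self.records if r.active() and now - r.granted_at >= self.review_after]

def demo():
    """Constructed walk-through; returns the values a test can check."""
    t0, reg = datetime(2018, 5, 25, tzinfo=timezone.utc), ConsentRegister()
    form = {"consent_email": "on", "consent_sms": "on"}  # constructed checkout submission
    granted = reg.record_from_form("alice@example.com", "sales and promotions", form,
                                   "Tick each way we may contact you about offers.", "checkout checkbox", t0)
    reg.withdraw("alice@example.com", channel="sms", now=t0 + timedelta(days=10))
    pending = reg.non_consented(["alice@example.com", "bob@example.com"], "sales and promotions", "email")
    still_sms = reg.has_consent("alice@example.com", "sales and promotions", "sms")
    return granted, still_sms, pending, len(reg.due_for_review(t0 + timedelta(days=400)))
```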
Cookies
Obodo shop
Your Obodo shop uses cookies in order to function, and your customers need to be aware of this. This can be done by implementing a banner or a pop-up modal advising the customers that cookies are used on your Obodo shop for analytical purposes with an accompanying statement in an easily accessed area which explains this in greater depth.
A banner or a pop-up modal is not essential, but you must include the use of cookies in your Privacy Policy. If you are using the default Privacy Webpage on your Obodo shop, we have already included this for you as standard.
Your Obodo shop will deliver the following cookies to the browsers of your customers:
| Name | Purpose | Content | Expires |
|---|---|---|---|
| ekm_USERNAME | Temporary cookie generated to test if cookies are enabled on the visitor's browser. | TestCookies=ACTIVE&RS=FALSE&logged_in=USERNAME&ServerID=*** | 72 hrs (3 days) |
| ekm_pp_USERNAME | Stores a unique reference to the visitor's cart contents. Stores authentication details for the customer logged-in section. | Unique ID | On Exit |
| ekm_tmp_ORDERNUMBER | Stores a reference to the visitor's order number after an order has been generated. | Unique ID | On Exit |
Third-Party
If you are not using the default text on the Privacy and Terms pages on your Obodo shop and you also use third party code to analyse traffic, for example, you need to ensure that your customers are made aware of this.
You will also need to check that each third party you use on your Obodo shop is GDPR compliant and that this is reflected in your own statement regarding tracking cookies and data shared (if applicable). If you use Google products, you can read about Google’s GDPR compliance on this page.
As part of this, you will need to ensure that any agencies - this could be your website designer if you have employed one to work on your Obodo shop for you, or a marketing agency who helps you by managing your digital marketing campaigns - have their responsibilities regarding access to this data clearly outlined and its protection understood.
To read more about cookies and processing consent on the Information Commissioner's Office website, click here.
Updates to EKM Email Marketing
The Email Marketing feature on the Features tab of your Obodo shop is EKM Email Marketing, EKM’s own email newsletter platform. We’ve already implemented changes to EKM Email Marketing to ensure that it is compliant prior to the launch of the GDPR legislation:
Storing of consent
We have updated our system to enable the storing of consent information for each contact. Contacts we don’t have stored consent for will be visible via the Non-Consented Contact Group option in the left-hand navigation menu of EKM Email Marketing:
Contacts are added to EKM Email Marketing in one of three ways:
- Sign up through a signup form: Contacts signing up in this method receive a confirmation email asking them to confirm they wish to receive campaigns.
- Sign up via the checkout of your Obodo: Contacts signing up in this method actively check a checkbox during checkout.
- Manually added by the account holder: As the account holder, you are stating that you have permission to send your campaigns to the contacts you are adding. This is stated on all input screens that are affected.
Consenting Current EKM Email Marketing Contacts
There are several ways that you may set consent for your existing contacts. It is, however, important to note that by clicking the consent buttons provided by EKM Email Marketing you are in fact stating that you have consent. You may give consent to your contacts in the following ways:
- Re-import from Obodo shop: As contacts from your Obodo shop have provided consent, re-importing them into EKM Email Marketing will ensure that the correct consent is stored and they can be contacted in future campaigns.
- Non-Consented Contact Group: In this group, you are able to give consent to all of your non-consented contacts simply by clicking ‘Consent All’ and confirming your decision. If you do not want to Consent All of your contacts, you are able to give consent to each contact individually.
- GDPR Information Modal: The modal will appear when you first log into EKM Email Marketing after the GDPR code has gone live. This gives you the opportunity to give consent to all of your contacts immediately. This modal will re-appear shortly before the GDPR legislation comes into effect.
- Re-Permission Campaign: You may send a re-permission campaign to your contacts by simply creating a campaign as normal and then adding the RePermission tag. Once the recipient has received this email they can then click the link which will take them to a consent form (in a new browser window) and once they click the button EKM Email Marketing will be automatically updated.
Preferences Link
Within the GDPR legislation is the need to provide a route that allows recipients to update their personal details. To achieve this we have added a new Preferences link in the footer of each email that allows the recipient to update the personal details (except their email address) that are held by EKM Email Marketing.
Updates to EKM Domains
There are no changes to the EKM Domains platform and your domain will continue to function as normal; however, GDPR has an impact upon the Whois data for all registered domains. Currently, personal data such as name, address and email address are visible in all Whois lookups.
Whilst it is not a legal requirement to display personal data in a Whois lookup, our domain providers will be taking steps to ensure that access to personal data is given to only those with a legitimate reason for accessing it for domain types where displaying this information is not a legal requirement.
FAQs
How does GDPR affect Obodo?
Since GDPR was announced, Obodo has taken and continues to take steps to review our current privacy policies. The good news is that our current and existing privacy policies are already compliant with the terms set out by the Information Commissioner's Office. There will be an amendment to the current Obodo Terms & Conditions to include a Data Processing Agreement clause, which will be introduced prior to May 2018.
What has Obodo done so far?
- We have appointed a dedicated team member to deal with GDPR and ensure compliance;
- We have an internal focus group dedicated to ensuring Obodo’s terms of service will be continuously reviewed and to ensure any new policies or procedures are GDPR compliant;
- We have made updates to EKM Email Marketing to ensure that the platform and its users are compliant;
- We are working towards updating our terms to include relevant clauses required by GDPR;
- Any new functionality or partnerships are built or entered into with GDPR compliance in mind.
Do we need cookie banners?
In regards to banners or pop-up modals alerting visitors to your Obodo shop that you use cookies, this has not been outlined yet in GDPR legislation. The subject of cookies and the use of them is addressed in the default Privacy Policy on your Obodo shop, and if you are using your own text on the Privacy Policy page, you need to ensure that the use of cookies is thoroughly explained.
Where is our Obodo shop data stored?
The Obodo platform, its content and databases are located on our own servers, housed within a secure data centre in Manchester which is ISO27001 and PCI compliant and has BS5979 security on-site.
Is this data secure?
Yes.
How long do you keep our data and how is it removed, if ever?
We will remove non-essential customer data after a period of six years.
Where are the servers that hold the customer contact details/login details - are they in the EU?
Yes, all Obodo data is stored at the data centre in Manchester.
What level of encryption do you use to protect the details?
Sensitive data is encrypted using AES256 and passwords are hashed using SHA256.
Will you inform me if you are hacked and my customer details are stolen within 72 hours of finding out?
Yes, we will, in accordance with GDPR legislation. Where a breach may ‘result in a risk for the rights and freedoms of individuals’ Obodo must tell you within 72 hours of our Engineering Team realising that a breach has occurred.
This also applies to you as an Obodo shop owner, as Data Processors also need to notify their own customers ‘without undue delay’ when they are first made aware of a breach. The only circumstance in which this would not be the case is if the breach was unlikely to present any risk to the rights and freedoms of the data subjects concerned.
Can I charge customers if they ask for a copy of their personal data?
In most cases, you cannot charge customers a fee to provide them with a copy of the personal data you hold for them. However, if the request is 'manifestly unfounded or excessive', you may charge a fee based on the admin costs of completing the request. Also, if the customer requests further copies of their personal data after an initial request, you can apply admin costs in that situation too.
I used to be able to email and telephone my Obodo shop customers with details of sales and promotions using the contact details from their order - will GDPR allow me to do this?
You cannot contact customers via telephone or email with the aim of selling them something unless they have explicitly given their consent for you to do so. You may want to read this guide which explains how to set up a checkbox for consent on the Checkout Flow of your Obodo shop, which would allow you to gain consent for these kinds of situations.
I amended the default text on my Privacy Webpage a long time ago - where can I access the original version?
You can download a .txt version of that text by clicking the file at the bottom of this Guide. Simply download the file and copy the text onto the Privacy Webpage of your Obodo shop. This is the updated, 'GDPR-friendly' version of the original. If you have always used the default Privacy Webpage text, this update has already been implemented on your Obodo shop.
Where is Obodo's Privacy Policy located?
You can find it here.
Where can I read more about GDPR legislation?
Details about GDPR can be found at the following sites:
The European Union’s GDPR portal
The full GDPR legislation
The Information Commissioner's Office (ico) Guide.
[caution]Please note that this guide is for informational purposes only, and should not be relied upon as legal advice. We encourage you to work with legal and other professional counsel to determine precisely how the GDPR might apply to your organisation.[/caution]