Keep Your Customer Information Safe: It’s Your Responsibility!

What customer data you collect

When you get a sale, you can normally collect and process that customer’s data under the Contract legal basis to be able to complete that transaction: to take payment, any required communication to get it right, and to ship it.

If you need to pass on their information to someone else to complete the sale, like a courier company, you need to include that in your privacy policy and should explicitly mention it somewhere the customer will see before they check out.

If you want to do or collect anything not strictly necessary for the sale (like email marketing), you need to either have a legitimate business reason or their unambiguous consent.

That might mean you’re funnelling their data into a few different systems, for different purposes. So you need to understand your relationship to those systems or tools.

Understand controllers & processors

These terms are specific to the GDPR, but the basic responsibilities that come with them are not. Existing privacy laws in many countries already place similar obligations on businesses collecting personal data, regardless of where it’s stored or processed.

Data Controller

A data controller decides what information to collect and how to process it.

You’re a data controller if you’re exporting or copying customer data from your ecommerce system to use somewhere else. You’re also a data controller if your own website sends information about your visitors (eg. via a form or tracking code) to another system (a processor).

Data Processor

A data processor stores, processes or otherwise uses data on behalf of a controller, but doesn’t have any say on the data that it gets.

Both controllers and processors are responsible for keeping their data safe and secure!

Your responsibilities as a controller

Controllers are responsible for:

• Telling individuals where their data is going, including the country and a link to the legal terms for that processor.
• Getting consent (if required) before sending any data to another party or a processor. If the system helps you ask for and store this consent by adding features to their tools, then that’s great, but they’re not required to doing this.
• Choosing reliable processors that will meet their own legal requirements and help you meet yours.
• Notifying your customers (or anyone else whose data you store) about security breaches, including in any data processors you use.
• Acting as the main contact point for individuals who want to access, edit or delete their data, even if you have to request this from a processor.

Using an Ecommerce Marketplace

If you use a marketplace, like Etsy or Amazon, where the buyer first registers with the marketplace itself, then generally the marketplace is a data controller and has all the normal responsibilities around getting consent, providing access, deleting data etc.

However, you are a data controller as soon as you transfer any customer information outside of the marketplace system, such as to your accounting software or a courier company.

You should carefully review the latest privacy policy or terms for the marketplace you use to understand your specific situation. In Etsy’s privacy policy (section 12), they declare sellers “independent controllers of data” if they process Etsy user data outside of Etsy.

Bottom line:

• You as a seller are not responsible for providing access to or deleting buyer data from the marketplace system. You didn’t put it there.
• You might be responsible for providing access, editing or deleting buyer data from systems that you control.
• If you have to retain buyer data for legal reasons, that will normally override the buyer’s right to have their information deleted.

Running your own ecommerce website

If you run your own ecommerce site where the customer independently registers with you in order to check out, then you are the data controller. (Read the latest terms of your ecommerce platform to be sure of your specific situation.)

This is the case even if you use a third party system, like Shopify, which stores all your customer data. (View Shopify’s GDPR Whitepaper [PDF] for lots more detail about that system.)

In that case, you have all the normal responsibilities of a controller (see the list above).

You should also be careful to assess any third party plugins, apps or themes you apply to your shop! If they receive or process your customer’s data on their own servers, then you need to vet them as you would any other Data Processor.

(If their code is stored on and runs on your own server, like a simple WordPress plugin, then it’s not really a third party. Though you should still check that the code is reliable and secure.)

Data breach notifications

Today, we can’t pretend that data breaches “will never happen to us”. Instead, laws around the world (including the GDPR) make businesses responsible for notifying authorities and affected individuals of certain breaches within a short amount of time.

A breach might be a sophisticated hack of your email marketing system or accidentally leaving your laptop in a cafe with customer data accessible on it.

Breaches of the tools & services you use

As very small businesses, we can mitigate this risk by avoiding storing personal data ourselves, but using trustworthy tools instead, like putting our email contacts in Mailchimp or customers in Xero. We might still need to notify our own customers of any breaches, but we don’t have to monitor, identify or fix breaches in these tools – which is the tricky, technical part!

If any of your tools tell you about a data breach that might affect personal data you’ve collected (not just data about you), you should take action to notify your customers or contacts ASAP, as well as notify any authorities (including an EU supervisory authority). Read the notification carefully – they should tell you exactly what to do.

There should also be information about how to handle data breaches in the privacy policy or terms of your service.

Breaches of stored data that you caused

A breach isn’t just a hack. It could be accidentally updating the last name of all your email contacts (alteration or loss) or letting somebody log into your ecommerce system who isn’t covered by your privacy policy (access by an unauthorised party).

In many of these cases, you might decide that they aren’t notifiable because there’s very low risk to the individuals. You should still keep a record that the “breach” happened, however, and why you decided to not report it.

The UK’s Information Commissioner’s Office website has some good examples of breaches and how to assess this risk. You’ll need to check whether these are the same as any other security breach laws that might apply to you!

Breaches of data we store ourselves

If you store customer data yourself in documents, spreadsheets or programs that store the data on your own computer, you might have a “notifiable data breach” if your computer were ever hacked, stolen, left unsecured in a public place, or you accidentally sent the data to someone who shouldn’t have it.

This includes Outlook or any email client that’s a separate program on your computer, that you don’t access through your web browser. They store your emails on your computer harddrive, which could contain customer data, such as transaction notifications.

More info about data breach requirements

Here’s a list for more information about data breach notification requirements of a few countries. This list is not exhaustive and you should check what requirements might apply in your jurisdiction or those of your customers!

Some of these might only apply to certain eligible business, such as those turning over a particular revenue threshold.

• Personal data breaches under the GDPR
• Security Breach Notification laws for US states
• Australian Notifiable Data Breaches scheme
• Download this PDF from World Law Group (direct link to PDF file) for lots of detail about if there were requirements for your country in 2016, which you should then check for updates.