Just like you need to have a basic understanding about tax laws and business registration laws, you need to get the gist of how to keep your customers’ details safe and secure.
Understanding your obligations will help you:
- Know what information you can ask for and how to ask for more.
- Deal with any customer requests about their data.
- Vet the tools and services you use to make sure they help you stay compliant.
- Inform your customers if they might be affected by a security breach in any of the systems you use.
I’m not a lawyer and none of the information in this article should be interpreted as legal advice. Please do your own due diligence to determine if or how much of this information is relevant to your circumstances, and whether you should seek professional legal advice.
Collecting customer data
When you get a sale, you can normally collect and process that customer’s data under the Contract legal basis to be able to complete that transaction: to take payment, any required communication to get it right, and to ship it.
If you want to do or collect anything not strictly necessary for the sale (like email marketing), you need to either have a legitimate business reason or their unambiguous consent.
That might mean you’re funnelling their data into a few different systems, for different purposes. So you need to understand your relationship to those systems or tools.
Controllers & processors
These terms are specific to the GDPR, but the basic responsibilities that come with them are not. Existing privacy laws in many countries already place similar obligations on businesses collecting personal data, regardless of where it’s stored or processed.
A data controller decides what information to collect and how to process it.
You’re a data controller if you’re exporting or copying customer data from your ecommerce system to use somewhere else. You’re also a data controller if your own website sends information about your visitors (e.g. via a form or tracking code) to another system (a processor).
A data processor stores, processes or otherwise uses data on behalf of a controller, but doesn’t have any say on the data that it gets.
Both controllers and processors are responsible for keeping their data safe and secure!
Your responsibilities as a controller
Controllers are responsible for:
- Telling individuals where their data is going, including the country and a link to the legal terms for that processor.
- Getting consent (if required) before sending any data to another party or a processor. If a processor adds features to its tools that help you ask for and record this consent, that’s great, but processors aren’t required to do this.
- Choosing reliable processors that will meet their own legal requirements and help you meet yours.
- Notifying your customers (or anyone else whose data you store) about security breaches, including in any data processors you use.
- Acting as the main contact point for individuals who want to access, edit or delete their data, even if you have to request this from a processor.
If you use a marketplace, like Etsy or Amazon, where the buyer first registers with the marketplace itself, then generally the marketplace is a data controller and has all the normal responsibilities around getting consent, providing access, deleting data etc.
However, you are a data controller as soon as you transfer any customer information outside of the marketplace system, such as to your accounting software or a courier company.
- You as a seller are not responsible for providing access to or deleting buyer data from the marketplace system. You didn’t put it there.
- You might be responsible for providing access, editing or deleting buyer data from systems that you control.
- If you have to retain buyer data for legal reasons, that will normally override the buyer’s right to have their information deleted.
Running your own ecommerce website
If you run your own ecommerce site where the customer independently registers with you in order to check out, then you are the data controller. (Read the latest terms of your ecommerce platform to be sure of your specific situation.)
This is the case even if you use a third party system, like Shopify, which stores all your customer data. (View Shopify’s GDPR Whitepaper [PDF] for lots more detail about that system.)
In that case, you have all the normal responsibilities of a controller (see the list above).
You should also be careful to assess any third party plugins, apps or themes you apply to your shop! If they receive or process your customers’ data on their own servers, then you need to vet them as you would any other data processor.
(If their code is stored on and runs on your own server, like a simple WordPress plugin, then it’s not really a third party. Though you should still check that the code is reliable and secure.)
Data breach notifications
Today, we can’t pretend that data breaches “will never happen to us”. Instead, laws around the world (including the GDPR) make businesses responsible for notifying authorities and affected individuals of certain breaches within a short amount of time.
A breach might be a sophisticated hack of your email marketing system or accidentally leaving your laptop in a cafe with customer data accessible on it.
Breaches of the tools & services you use
As very small businesses, we can mitigate this risk by avoiding storing personal data ourselves and using trustworthy tools instead, like putting our email contacts in Mailchimp or our paying customers in Xero. We might still need to notify our own customers of any breaches, but we don’t have to monitor, identify or fix breaches in these tools – which is the tricky, technical part!
If any of your tools tell you about a data breach that might affect personal data you’ve collected (not just data about you), you should take action to notify your customers or contacts ASAP, as well as notify any authorities (including an EU supervisory authority). Read the notification carefully – they should tell you exactly what to do.
Breaches of stored data that you caused
In many of these cases, you might decide that they aren’t notifiable because there’s very low risk to the individuals. You should still keep a record that the “breach” happened, however, and why you decided to not report it.
The UK’s Information Commissioner’s Office website has some good examples of breaches and how to assess this risk. You’ll need to check whether these are the same as any other security breach laws that might apply to you!
Breaches of data we store ourselves
If you store customer data yourself in documents, spreadsheets or programs that keep the data on your own computer, you might have a “notifiable data breach” if your computer were ever hacked, stolen or left unsecured in a public place, or if you accidentally sent the data to someone who shouldn’t have it.
This includes Outlook or any other email client that runs as a separate program on your computer rather than in your web browser. These clients store your emails on your computer, and those emails may contain customer data, such as transaction notifications.
More info about data breach requirements
Here’s a list of sources with more information about the data breach notification requirements of a few countries. This list is not exhaustive and you should check what requirements might apply in your jurisdiction or those of your customers!
Some of these might only apply to certain eligible businesses, such as those turning over a particular revenue threshold.
- Personal data breaches under the GDPR
- Security Breach Notification laws for US states
- Australian Notifiable Data Breaches scheme
- Download this PDF from World Law Group (bottom left, no opt-in) for lots of detail about whether there were requirements for your country in 2016, which you should then check for updates.