Is your eCommerce website GDPR compliant? Maybe it is, maybe it is not. It is always good to be sure about these kinds of things, as the fines and consequences are huge.
GDPR will impact every eCommerce business that captures, stores, uses or analyzes data about visitors and customers from the EEA (more on this below).
GDPR quick overview
GDPR is a regulation in European Union law on privacy and data protection. On 25th May 2018, the General Data Protection Regulation (GDPR) came into effect.
If your website visitors and customers come from the European Economic Area (EEA), following GDPR is a must. The European Economic Area (EEA) includes the European Union (EU) plus Norway, Liechtenstein, and Iceland.
There is no need to panic; we are giving you a GDPR audit checklist for eCommerce websites. If you wish to read everything in detail, you can check out the full text of the GDPR here.
E-commerce GDPR Audit Checklist
The following GDPR checklist will help audit your eCommerce website for compliance.
1. Database Access
A. Confirm that access to the following is logged, together with the identity of the logged-in user who performed it:
- Reading the table that stores personal data
- Creating a record containing personal data
- Reading a specific record containing personal data
- Modifying records containing personal data
- Deleting records containing personal data
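The access logging the five items above ask for, as an added example that is not part of the checklist. It assumes a SQLite database with a hypothetical `customers` table, an `audit_ctx` row that the application sets to the logged-in user's identity at the start of each request, and a `pd_audit_log` table; writes are captured by triggers so they are logged even when application code bypasses the data-access layer, while reads (which SQLite triggers cannot intercept) go through helpers that log explicitly.

```python
"""Audit trail for a table holding personal data (added example, assumed schema)."""
import sqlite3
from datetime import datetime, timezone

SCHEMA = """
CREATE TABLE customers (
    id        INTEGER PRIMARY KEY,
    email     TEXT NOT NULL,
    full_name TEXT NOT NULL
);
-- Single-row table naming who is acting on this connection (set per request).
CREATE TABLE audit_ctx (id INTEGER PRIMARY KEY CHECK (id = 1), actor TEXT NOT NULL);
INSERT INTO audit_ctx VALUES (1, 'unset');
CREATE TABLE pd_audit_log (
    id         INTEGER PRIMARY KEY,
    at         TEXT NOT NULL,
    actor      TEXT NOT NULL,
    action     TEXT NOT NULL,   -- READ_TABLE, READ_ROW, CREATE, MODIFY, DELETE
    table_name TEXT NOT NULL,
    row_id     INTEGER,
    detail     TEXT
);
CREATE TRIGGER customers_create AFTER INSERT ON customers BEGIN
    INSERT INTO pd_audit_log (at, actor, action, table_name, row_id, detail)
    VALUES (strftime('%Y-%m-%dT%H:%M:%SZ', 'now'), (SELECT actor FROM audit_ctx),
            'CREATE', 'customers', NEW.id, NULL);
END;
CREATE TRIGGER customers_modify AFTER UPDATE ON customers BEGIN
    INSERT INTO pd_audit_log (at, actor, action, table_name, row_id, detail)
    VALUES (strftime('%Y-%m-%dT%H:%M:%SZ', 'now'), (SELECT actor FROM audit_ctx),
            'MODIFY', 'customers', NEW.id,
            -- record which columns changed, never the personal values themselves
            'changed: ' || rtrim(
                CASE WHEN OLD.email <> NEW.email THEN 'email ' ELSE '' END ||
                CASE WHEN OLD.full_name <> NEW.full_name THEN 'full_name ' ELSE '' END));
END;
CREATE TRIGGER customers_delete AFTER DELETE ON customers BEGIN
    INSERT INTO pd_audit_log (at, actor, action, table_name, row_id, detail)
    VALUES (strftime('%Y-%m-%dT%H:%M:%SZ', 'now'), (SELECT actor FROM audit_ctx),
            'DELETE', 'customers', OLD.id, NULL);
END;
"""


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def set_actor(conn: sqlite3.Connection, actor: str) -> None:
    """Call at the start of every request so the triggers know who is acting."""
    conn.execute("UPDATE audit_ctx SET actor = ? WHERE id = 1", (actor,))


def _log_read(conn, action: str, row_id=None, detail=None) -> None:
    actor = conn.execute("SELECT actor FROM audit_ctx WHERE id = 1").fetchone()[0]
    conn.execute(
        "INSERT INTO pd_audit_log (at, actor, action, table_name, row_id, detail) "
        "VALUES (?, ?, ?, 'customers', ?, ?)",
        (datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"), actor, action, row_id, detail),
    )


def read_customer(conn, customer_id: int):
    """Read one record; logged as READ_ROW against that record."""
    _log_read(conn, "READ_ROW", customer_id)
    return conn.execute("SELECT id, email, full_name FROM customers WHERE id = ?", (customer_id,)).fetchone()


def list_customers(conn, reason: str):
    """Read the whole table; logged as READ_TABLE with the stated business reason."""
    _log_read(conn, "READ_TABLE", None, reason)
    return conn.execute("SELECT id, email, full_name FROM customers").fetchall()


def audit_trail(conn, row_id=None):
    """Return (actor, action, row_id, detail) entries, optionally for one record."""
    if row_id is None:
        return conn.execute("SELECT actor, action, row_id, detail FROM pd_audit_log ORDER BY id").fetchall()
    return conn.execute(
        "SELECT actor, action, row_id, detail FROM pd_audit_log WHERE row_id = ? ORDER BY id", (row_id,)
    ).fetchall()


def demo():
    """Constructed walk-through: two actors touch one constructed customer record."""
    conn = open_db()
    set_actor(conn, "support_agent:alice")
    conn.execute("INSERT INTO customers (email, full_name) VALUES (?, ?)", ("jane@example.com", "Jane Doe"))
    conn.execute("UPDATE customers SET email = ? WHERE id = 1", ("jane.d@example.com",))
    read_customer(conn, 1)
    set_actor(conn, "marketing:bob")
    list_customers(conn, "newsletter export")
    conn.execute("DELETE FROM customers WHERE id = 1")
    return [(actor, action, row_id) for actor, action, row_id, _ in audit_trail(conn)]


if __name__ == "__main__":
    for entry in demo():
        print(entry)
```

Because the actor comes from a row the application sets, the trail is only as good as the discipline of calling `set_actor` first; a request that skips it is logged as `unset`, which is itself worth alerting on.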
2. Collected Data
A. Review collected data:
- Is it necessary for a user to fill in every field shown on the form?
B. Review sensitive data processing:
- Are subcontractors capable and skilled enough to process sensitive personal data?
- Is sensitive personal data masked/encrypted/pseudonymized?
- Is encryption used when personal data is transferred (e.g., TLS, formerly Secure Sockets Layer – SSL)?
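Masking and pseudonymization as the checklist item above means them, shown in an added example that is not part of the original page. The customer record, the secret key and the two consumers (an analytics feed and a support screen) are constructed for illustration; the point is that analytics receives a keyed pseudonym rather than the e-mail address, and support staff see masked values.

```python
"""Pseudonymize and mask personal data before it reaches secondary systems (added example)."""
import hashlib
import hmac


def pseudonymize(value: str, key: bytes) -> str:
    """Stable keyed pseudonym (HMAC-SHA256) for an identifier such as an e-mail.

    Normalising first means the same person always yields the same token.
    The key is what makes this pseudonymization: an unkeyed SHA-256 of an
    e-mail address can be recomputed by anyone holding a list of candidate
    addresses, so it would not break the link to the person.
    """
    normalised = value.strip().lower()
    return hmac.new(key, normalised.encode("utf-8"), hashlib.sha256).hexdigest()


def mask_email(email: str) -> str:
    """Keep the first character of the local part and the domain: j*******@example.com."""
    local, sep, domain = email.partition("@")
    if not sep or not local:
        return "*" * len(email)
    return local[0] + "*" * (len(local) - 1) + "@" + domain


def mask_phone(phone: str, visible: int = 3) -> str:
    """Replace every digit except the last `visible` ones; formatting characters stay."""
    digit_positions = [i for i, ch in enumerate(phone) if ch.isdigit()]
    keep = set(digit_positions[-visible:]) if len(digit_positions) > visible else set()
    return "".join(
        "*" if (i in digit_positions and i not in keep) else ch
        for i, ch in enumerate(phone)
    )


def analytics_record(customer: dict, key: bytes) -> dict:
    """What the analytics/BI pipeline receives: a token plus non-identifying attributes."""
    return {
        "customer_token": pseudonymize(customer["email"], key),
        "country": customer["country"],
        "order_count": customer["order_count"],
    }


def support_view(customer: dict) -> dict:
    """What a first-line support agent sees on screen."""
    return {
        "email": mask_email(customer["email"]),
        "phone": mask_phone(customer["phone"]),
        "country": customer["country"],
    }


# Constructed sample data; in a real system the key lives in a secrets store,
# never in source code, and is rotated on its own schedule.
SAMPLE_KEY = b"constructed-demo-key-do-not-use"
SAMPLE_CUSTOMER = {
    "email": "Jane.Doe@Example.com",
    "phone": "+44 7700 900123",
    "country": "GB",
    "order_count": 4,
}

if __name__ == "__main__":
    print(analytics_record(SAMPLE_CUSTOMER, SAMPLE_KEY))
    print(support_view(SAMPLE_CUSTOMER))
```

Re-identification then requires the key, so the key itself becomes the asset to protect: whoever can read it can turn the analytics feed back into a list of people.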
3. User Consent
A. Review the consent boxes visible on the website:
- What kind of personal data do you collect/store?
- Does each checkbox apply to only one request for consent?
- Do you obtain the consent fairly?
- Did you inform visitors/users what, how, where, when and why you’ll be using their data before taking their consent?
B. Are the checkboxes independent, i.e.:
- When one checkbox is selected, the other checkboxes are unaffected
- Selecting one checkbox is not required before another can be selected
- The page has no “select all” option for checkboxes
- All checkboxes are unchecked by default
- Are the opt-in checkboxes separate from the terms and conditions?
- Are the opt-in checkboxes separate for each marketing activity?
- Did you specifically name all 3rd-party tools/software you use on your website?
- Do you have mechanisms in place to ensure that a person can opt out of marketing easily?
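The checkbox rules in 3A and 3B, turned into two checks in an added example that is not part of the original page: a static audit of a consent form definition (pre-ticked boxes, a select-all control, one box depending on another, one box bundling several purposes) and a small consent ledger that records each purpose separately with the notice version the user saw, supports withdrawal, and refuses to treat terms-and-conditions acceptance as a marketing consent. The form representation, purpose names and notice version are assumptions.

```python
"""Consent form audit and per-purpose consent ledger (added example)."""
from dataclasses import dataclass, asdict
from datetime import datetime, timezone

# Each marketing activity is its own purpose with its own opt-in box.
# Accepting the terms and conditions is a separate control, never a consent purpose.
MARKETING_PURPOSES = frozenset({"email_newsletter", "sms_offers", "partner_offers"})


def audit_consent_form(checkboxes: list) -> list:
    """Check a form definition against the checkbox rules; return a list of problems.

    Each checkbox is a dict: {"name": str, "purposes": set, "checked": bool,
    "requires": name-or-None, "select_all": bool} (assumed representation).
    """
    problems = []
    for cb in checkboxes:
        name, purposes = cb["name"], set(cb["purposes"])
        if cb.get("checked", False):
            problems.append(f"{name}: ticked by default")
        if cb.get("select_all", False):
            problems.append(f"{name}: 'select all' control")
        if cb.get("requires"):
            problems.append(f"{name}: cannot be ticked before {cb['requires']}")
        if len(purposes) > 1:
            problems.append(f"{name}: one box covers several purposes {sorted(purposes)}")
    return problems


@dataclass(frozen=True)
class ConsentEvent:
    purpose: str
    granted: bool
    at: str
    notice_version: str   # which privacy notice text the user was shown
    source: str           # where the choice was made, e.g. "checkout" or "account_settings"


class ConsentLedger:
    """Append-only record of consent given and withdrawn, one event per purpose."""

    def __init__(self):
        self._events = {}  # user_id -> list[ConsentEvent]

    def _append(self, user_id: str, purpose: str, granted: bool, notice_version: str, source: str):
        if purpose not in MARKETING_PURPOSES:
            raise ValueError(f"not a consent purpose: {purpose}")
        stamp = datetime.now(timezone.utc).isoformat(timespec="seconds")
        self._events.setdefault(user_id, []).append(
            ConsentEvent(purpose, granted, stamp, notice_version, source))

    def record_form(self, user_id: str, ticked: set, notice_version: str, source: str = "checkout"):
        """`ticked` is the set of boxes the user actively ticked.

        Unticked boxes are not stored as refusals: the absence of a grant is the
        default, so a box the user never touched gives no consent.
        """
        for purpose in ticked:
            self._append(user_id, purpose, True, notice_version, source)

    def withdraw(self, user_id: str, purpose: str, source: str = "account_settings"):
        self._append(user_id, purpose, False, "n/a", source)

    def has_consent(self, user_id: str, purpose: str) -> bool:
        events = [e for e in self._events.get(user_id, []) if e.purpose == purpose]
        return bool(events) and events[-1].granted

    def receipt(self, user_id: str) -> list:
        """Everything recorded for one person, for audits and access requests."""
        return [asdict(e) for e in self._events.get(user_id, [])]


# Constructed form definitions: one that fails the checklist, one that passes.
BAD_FORM = [
    {"name": "accept_all", "purposes": {"terms", "email_newsletter", "sms_offers"},
     "checked": True, "select_all": True},
    {"name": "partner", "purposes": {"partner_offers"}, "requires": "accept_all"},
]
GOOD_FORM = [
    {"name": "terms", "purposes": {"terms"}},
    {"name": "newsletter", "purposes": {"email_newsletter"}},
    {"name": "sms", "purposes": {"sms_offers"}},
    {"name": "partner", "purposes": {"partner_offers"}},
]

if __name__ == "__main__":
    print(audit_consent_form(BAD_FORM))
    ledger = ConsentLedger()
    ledger.record_form("user-1", {"email_newsletter"}, notice_version="privacy-2018-05")
    ledger.withdraw("user-1", "email_newsletter")
    print(ledger.receipt("user-1"))
```

Storing the notice version with each event is what lets you later show what the person was told when they consented; storing withdrawals as events rather than deleting the grant keeps the history intact for the same reason.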
4. Data Profiling & External Software
A. Confirm data profiling:
- Possessed data (excluding the ID, name, surname) does not allow for the unambiguous identification of a natural person.
- There should not be any records of personal data completed on forms by 3rd party software like MailChimp Newsletter Signup.
- Did you ensure that the data won’t be held any longer than necessary?
- Are you keeping the data up to date?
- Are you limiting access to ensure that the data is only used for its intended purpose?
- If you collect sensitive personal data (genetic or biometric data, children’s data, etc.), are you meeting the standards for collecting, processing and storing it?
B. Confirm external software data profiling:
- Are 3rd party software cookies getting cached?
- Is 3rd-party software unable to:
  - Suggest products for a specific user
  - Profile data unique to the respective user
  - Save a phone number, name or surname
- Marketing automation activities do not use scenarios built from the behavior of specific users and their data.
C. Confirm traffic source
- Tracking where a user arrived from does not rely on identifying specific users or their data.
D. Information security
- Is your data secured?
- Are written agreements in place covering the security and protection of the user data that third-party service providers and processors access and process on your behalf?
- Is your security team informed on their obligations under the GDPR?
- In the event of a data breach, are you prepared to demonstrate that appropriate security controls were in place?
- Does your security team have sufficient resources to apply new processes and any required changes?
- Do you regularly test if the security controls are working as designed?
- If a data breach occurs, will you be able to detect and respond to it as soon as it happens?
- In the event of a data breach, are all relevant parties informed and aware of what to do?
5. User’s Right to Be Forgotten
A. Inspect archived data:
- Can all previously submitted data be deleted?
- Are procedures in place to modify, delete or give access to personal data when a visitor/user/customer requests it?
- Are your procedures in compliance with the new rules under GDPR?
B. Inspect transaction data:
- Is a customer’s transactional data deletable?
- Is a customer’s order history deletable?
C. Inspect Login & Emails:
- Are past emails in the mailbox (incoming/outgoing) deletable?
- Are server logs about the execution of an action associated with a given person or email deletable?
D. Inspect Fiscal Documents:
- Are personal data in fiscal documents and invoices deletable?
E. Inspect delivery of the complete data set:
- Can you prepare a customer’s data together with the history of its sharing and processing?
Note: Keep in mind that retention obligations for fiscal documents (for customer and tax service purposes) take priority over deletion.
6. Integration and Transfer of Data
A. Inspect personal data transferring procedure:
- Are the customers informed about the data transmission to external entities like PayPal, Stripe?
- Can your system export personal data in machine-readable formats?
- Are you transferring the personal data outside the EU (European Union)?
- If yes, then do you have sufficient protections in place?
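Sections 5 (deletion with the fiscal-document exception, and the history of sharing in 5E) and 6A (machine-readable export) can be served by one data-subject-request handler. The following is an added example, not code from the original page: an in-memory store stands in for the shop database, the ten-year invoice retention period is a placeholder for whatever the applicable tax law requires, and the record layouts are assumptions. Erasure deletes the profile, strips personal fields from orders while keeping the sales figures, keeps invoices still inside the retention period (tagged with the reason and date), deletes those past it, and returns the list of recipients who were given the data so they can be told about the erasure (GDPR Art. 19).

```python
"""Export (portability) and erasure with fiscal retention (added example)."""
import json
from datetime import date, datetime, timedelta, timezone

# Placeholder: the real period is set by the applicable tax law; 365-day years are an approximation.
INVOICE_RETENTION = timedelta(days=365 * 10)


class CustomerStore:
    """Toy in-memory store standing in for the shop database (assumed layout)."""

    def __init__(self):
        self.customers = {}    # id -> {"email", "full_name", "address"}
        self.orders = {}       # id -> {"customer_id", "items", "total", "shipping_address"}
        self.invoices = {}     # id -> {"customer_id", "issued", "total", "buyer_name", "buyer_address"}
        self.sharing_log = []  # {"customer_id", "recipient", "purpose"}
        self.erasure_log = []

    def share(self, customer_id: int, recipient: str, purpose: str) -> None:
        """Record every hand-over of a person's data to an external entity."""
        self.sharing_log.append({"customer_id": customer_id, "recipient": recipient, "purpose": purpose})

    def export_customer(self, customer_id: int) -> str:
        """Everything held on the person, including who it was shared with, as JSON."""
        bundle = {
            "profile": self.customers[customer_id],
            "orders": [o for o in self.orders.values() if o["customer_id"] == customer_id],
            "invoices": [i for i in self.invoices.values() if i["customer_id"] == customer_id],
            "shared_with": [s for s in self.sharing_log if s["customer_id"] == customer_id],
        }
        return json.dumps(bundle, indent=2, sort_keys=True, default=str)

    def erase_customer(self, customer_id: int, today: date = None) -> dict:
        """Right-to-be-forgotten handling with the fiscal-document exception."""
        today = today or date.today()
        summary = {"profile_deleted": False, "orders_anonymised": 0,
                   "invoices_retained": 0, "invoices_deleted": 0, "recipients_to_notify": []}
        if self.customers.pop(customer_id, None) is not None:
            summary["profile_deleted"] = True
        for order in self.orders.values():
            if order["customer_id"] == customer_id:
                # keep the sale for statistics, drop everything that points at a person
                order["customer_id"] = None
                order["shipping_address"] = None
                summary["orders_anonymised"] += 1
        for invoice_id in list(self.invoices):
            inv = self.invoices[invoice_id]
            if inv["customer_id"] != customer_id:
                continue
            retained_until = inv["issued"] + INVOICE_RETENTION
            if retained_until > today:
                # legal retention overrides deletion; tag it so a later purge job can finish the work
                inv["retained_for"] = "fiscal retention obligation"
                inv["retained_until"] = retained_until
                summary["invoices_retained"] += 1
            else:
                del self.invoices[invoice_id]
                summary["invoices_deleted"] += 1
        recipients = sorted({s["recipient"] for s in self.sharing_log if s["customer_id"] == customer_id})
        summary["recipients_to_notify"] = recipients
        self.sharing_log = [s for s in self.sharing_log if s["customer_id"] != customer_id]
        self.erasure_log.append({"customer_id": customer_id,
                                 "at": datetime.now(timezone.utc).isoformat(timespec="seconds"), **summary})
        return summary


def seed_store() -> CustomerStore:
    """Constructed sample data: one customer, two orders, one old and one recent invoice."""
    store = CustomerStore()
    store.customers[42] = {"email": "jane@example.com", "full_name": "Jane Doe", "address": "1 High St"}
    store.orders[1] = {"customer_id": 42, "items": ["mug"], "total": 12.0, "shipping_address": "1 High St"}
    store.orders[2] = {"customer_id": 42, "items": ["lamp"], "total": 45.0, "shipping_address": "1 High St"}
    store.invoices[1] = {"customer_id": 42, "issued": date(2012, 1, 15), "total": 12.0,
                         "buyer_name": "Jane Doe", "buyer_address": "1 High St"}
    store.invoices[2] = {"customer_id": 42, "issued": date(2023, 5, 1), "total": 45.0,
                         "buyer_name": "Jane Doe", "buyer_address": "1 High St"}
    store.share(42, "PayPal", "payment processing")
    return store


if __name__ == "__main__":
    store = seed_store()
    print(store.export_customer(42))
    print(store.erase_customer(42, today=date(2024, 6, 1)))
```

Two design points worth carrying into a real implementation: the export is produced before the erasure, because the erasure destroys the profile the export draws on, and the retained invoice carries the reason and end date so that the deferred deletion is a scheduled job rather than something a person has to remember.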
B. Inspect personal data receiving procedure:
- Are customers informed when their data is received from an external entity?
C. Inspect sensitive personal data procedure:
- Are users notified immediately about the processing of their personal data?
- Do you use encryption (e.g., SSL) when transmitting personal data to and from 3rd-party applications?
7. Data Administrator Procedures
A. Self-reporting of GDPR violations:
- Are you prepared to report a GDPR violation within 72 hours of detecting it?
B. Choose a data security administrator:
- Does your service have its own Data Protection Officer?
C. Documentation
- Did you conduct data protection awareness training for your staff?
- Have you considered how you are going to handle employee data in your plan?
- Did you define the retention periods for all items of personal data, prospect, customer and vendor data in your policy?
- Are your internal procedures properly documented?
- If you are a data processor, did you update your contracts with respective controllers to make sure that they include compulsory provisions set out in Art. 28 of the GDPR?
The above information is not legal advice. We strongly urge you to consult an attorney. In short, do not take the above information as legal advice or as a recommendation of any legal interpretation.
Go through the above GDPR ecommerce checklist and make changes to enforce best GDPR practices. Giving greater control to your customers over their data and access to information will help you build trust with your visitors and customers.
Many users and website visitors are now aware of GDPR, and they keenly check whether a website demonstrates GDPR compliance in its processes. If they do not find it, they may leave your site, and you may end up losing a potential client. Learn more reasons why visitors leave your website.