Petr Svoboda CEO & Founder Shopsys
The EU’s General Data Protection Regulation becomes enforceable starting May 25, 2018. Petr Svoboda, the CEO of Shopsys, will share all the know-how of implementing GDPR compliance into tens of leading e-commerce sites. The presentation will cover: Protection of user data in today’s digital era; data subject/controller/processor relationship; obligations and customizations (customer rights, privacy policy consent); other recommended customizations; and the most important takeaways.
2. How GDPR Will Affect Your Ecommerce Technology
Petr Svoboda, CEO at Shopsys
3. GDPR
Protection of users’ data in today’s digital era
Controlled user data flow in a supply chain
Users’ consent to processing their data
Prevention of user data leaks
The same regulation across all EU countries
4. Agenda
Data Subject, Controller and Processor
Obligations and Customizations
Customer Rights
Privacy Policy Consent
Recommended Customizations
Additional Customizations
Takeaways
5. Data Subject, Data Controller, Data Processor
[Diagram: Customer, Employee, eRetailer, Authorities (Tax Office, Social Insurance Administration, …), Payroll Clerk, Marketing Agency, Software Provider, Server Provider; the links between them are numbered 1, 2 or 3 as in the legend below]
1 Information obligation
2 Contract on the processing of personal data
3 Records of processing of personal data
10. Right To Access
A customer can ask the retailer for all personal information gathered about them. The information must be provided within 30 days of the request.
The e-commerce platform’s administration panel can provide a feature to export all data found.
11. Right To Be Forgotten
A customer can request that any and all personal information be erased, except that pertaining to specific legal duties (e.g. accounting, archiving, etc.).
The e-commerce platform’s administration panel can provide a feature to erase all data found and collected.
12. Transfer Of Information
If a customer decides to change providers, he will still
be able to transfer his data.
We recommend preparing the import and export
features of a customer’s data and order history ahead
of time.
Shopsys and APEK (Czech e-commerce association)
have prepared an XML template document
13. Three-layered Information
1st layer: Sentence alongside the agreement checkbox (easily understandable).
2nd layer: Paragraph describing the handling of user data (easily understandable), shown either as a hover bubble over the 1st layer, or as a summary at the top of the page with the Privacy Policy (2nd and 3rd layer together).
3rd layer: Full version of the Privacy Policy.
17. Newsletter
Consent to Privacy Policy
Un-checked checkbox
Log with date & time
Recommendations:
double opt-in
bubble with the 2nd layer of the three-layered information
19. User Registration
Consent to Privacy Policy
Un-checked checkbox
Log with date & time
Recommendations:
double opt-in
bubble with the 2nd layer of the three-layered information
21. Order
If there are only inputs needed for processing the order:
“I acknowledge the Privacy Policy for the purpose of
order execution”, along with agreement with the Terms
and Conditions.
There is no need for a stand-alone checkbox for
Newsletter/Promotions since you can send it to all your
customers (with an unsubscribe option).
Recommendation: bubble with the 2nd layer of the three-layered information
23. Order
If we use a third-party service for the post-purchase
survey:
stand-alone checkbox for agreement with survey
authorities recommend unchecked checkbox
survey providers recommend checked checkbox
25. Order
If you ask for data that is not needed for processing the order, you need to use a stand-alone agreement with the Privacy Policy.
The same applies to user registration.
28. Loyalty programs, Competitions
Consent to Privacy Policy
Un-checked checkbox
Log with date & time
Recommendations:
double opt-in
bubble with the 2nd layer of the three-layered information
30. Reviews, Discussions
Consent to Privacy Policy
Un-checked checkbox
Log with date & time
Recommendations:
double opt-in
bubble with the 2nd layer of the three-layered information
32. User Tracking Consent
ePrivacy (separate from GDPR)
We currently recommend waiting for a valid version
Presumably:
1st party cookies and 3rd party cookies continue to
collect anonymous data without requiring user
agreement
35. Double Opt-in
Newsletter/Promotions Sign-Up, Product Review
Submit, User Registration, etc. are completed once a
confirmation link in the email has been clicked.
Verifies identity of email address owner.
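The consent slides above (un-checked checkbox, log with date & time) and the double opt-in flow fit together as follows. This is an added example, not code from the presentation or from Shopsys; the function names, the 48-hour link lifetime and the in-memory log are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time
from datetime import datetime, timezone

SIGNING_KEY = secrets.token_bytes(32)  # assumption: server-side secret, never sent to the client
TOKEN_TTL = 48 * 3600                  # assumption: confirmation links expire after 48 hours
consent_log = []                       # stand-in for an append-only consent table

def _stamp(ts):
    return datetime.fromtimestamp(ts, tz=timezone.utc).isoformat()

def _sign(email, purpose, issued):
    msg = f"{email}|{purpose}|{issued}".encode()
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()

def request_signup(email, purpose, checkbox_checked, now=None):
    """Form submit: record the consent and return the token for the e-mailed link."""
    if not checkbox_checked:           # the box starts un-checked; no tick, no processing
        return None
    issued = int(time.time() if now is None else now)
    consent_log.append({"email": email, "purpose": purpose,
                        "event": "consent_given", "at": _stamp(issued)})
    return f"{issued}.{_sign(email, purpose, issued)}"

def confirm(email, purpose, token, now=None):
    """Link clicked: activate only if the token is intact, unexpired and bound to this address."""
    now = int(time.time() if now is None else now)
    try:
        issued_s, sig = token.split(".", 1)
        issued = int(issued_s)
    except ValueError:
        return False
    if now - issued > TOKEN_TTL:
        return False
    expected = _sign(email, purpose, issued)
    if not hmac.compare_digest(sig.encode(), expected.encode()):  # constant-time compare
        return False
    consent_log.append({"email": email, "purpose": purpose,
                        "event": "confirmed", "at": _stamp(now)})
    return True

if __name__ == "__main__":
    tok = request_signup("alice@example.com", "newsletter", True)   # constructed sample input
    print(confirm("alice@example.com", "newsletter", tok), consent_log)
```

Because the token is an HMAC over the address, the purpose and the issue time, a link sent to one mailbox cannot confirm a different address or a different consent purpose.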
38. Security Audit
Security audit and implementation of measures against leaks of personal and other data.
We recommend following OWASP Top 10 - 2017:
shopsys.com/u/OWASP17
39. OWASP
Injection
Broken Authentication
Sensitive Data Exposure
XML External Entities
Broken Access Control
Security Misconfiguration
Cross-Site Scripting
Insecure Deserialization
Using Components with Known Vulnerabilities
Insufficient Logging & Monitoring
41. Data Pseudonymization
User data is encrypted before being saved in the database
Encryption key is stored on a separate server and communicated via API
Technically difficult solution
42. Anonymizing Of User Data
Anonymizing/overwriting of all user data when the database is being copied by developers to their local computers or internal servers.
The original values cannot be recovered from the anonymized copy.
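A sketch of the anonymizing step for developer copies, using SQLite so that it runs anywhere. This is an added example, not code from the presentation; the schema, the column list and the sample rows are constructed for illustration. Placeholders are derived from the row id only, so the copy contains nothing computed from the original values.

```python
import sqlite3

# Hypothetical schema: which columns hold personal data, per table.
PERSONAL_COLUMNS = {"customers": ["name", "email", "phone", "street"]}

def build_sample_db():
    """Constructed sample rows standing in for a production database."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE customers(id INTEGER PRIMARY KEY, name TEXT, email TEXT UNIQUE,
                               phone TEXT, street TEXT);
        CREATE TABLE orders(id INTEGER PRIMARY KEY, customer_id INTEGER, total_cents INTEGER);
        INSERT INTO customers VALUES
            (1, 'Jana Novakova', 'jana@example.com', '+420111222333', 'Dlouha 1'),
            (2, 'Tom Smith', 'tom@example.org', '+44123456789', 'High Street 5');
        INSERT INTO orders VALUES (10, 1, 4990), (11, 2, 1250);
    """)
    return db

def placeholder(column, row_id):
    """Built from the row id only, so nothing of the original value survives."""
    if column == "email":
        return f"customer{row_id}@example.invalid"   # stays unique and undeliverable
    return f"{column}-{row_id}"

def anonymize_copy(src):
    """Copy the database, then overwrite every personal column in the copy."""
    dst = sqlite3.connect(":memory:")
    src.backup(dst)
    for table, columns in PERSONAL_COLUMNS.items():
        assignments = ", ".join(f"{c} = ?" for c in columns)
        for (row_id,) in dst.execute(f"SELECT id FROM {table}").fetchall():
            values = [placeholder(c, row_id) for c in columns]
            dst.execute(f"UPDATE {table} SET {assignments} WHERE id = ?", (*values, row_id))
    dst.commit()
    return dst

def leaked_values(src, dst):
    """Release gate: original personal values still present anywhere in the copy's dump."""
    dump = "\n".join(dst.iterdump())
    found = []
    for table, columns in PERSONAL_COLUMNS.items():
        for row in src.execute(f"SELECT {', '.join(columns)} FROM {table}"):
            found += [v for v in row if v is not None and str(v) in dump]
    return found
```

Running `leaked_values` before a copy leaves the production network catches personal columns that were added to the schema but not to the anonymization list only if they are listed in `PERSONAL_COLUMNS`, so that list needs review whenever the schema changes.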
43. Monitoring Data Access
Monitoring and logging of all accesses to user data
at administration panel of e-commerce platform
on development and production server
45. Takeaways
Add Consent to the Privacy Policy when asking for user
data (except for data for execution of an order)
Carry out a security audit and migrate to HTTPS
Always provide an unsubscribe option in your
promotion e-mails