Your European customers may have a right to be forgotten, making your business responsible for capturing, tracking, and logging any valid removal requests.
The European Union's recently enacted General Data Protection Regulation (GDPR) requires businesses to erase an individual's personal data upon request when certain circumstances apply.
This right to erasure or right to be forgotten is found in Article 17 of the GDPR. While there are some exceptions — for the completion of a contract, regulatory requirements, legal cases, and the public interest — much of the time a customer from an EU member state can simply ask to be forgotten, and your ecommerce business will need to comply with the GDPR requirements "without undue delay."
Know Where Customers' Data is Stored
The first step in complying with this GDPR requirement is to know specifically where a customer's personal data is stored.
This may sound obvious, but ask yourself, do you know anything at all about the databases housing your customer's information? Does your business document how to access those records? If a request for erasure came in, where would you start?
As an example, 3dcart has an excellent Knowledgebase post describing the several records an ecommerce business might need to delete in the event of a GDPR erasure request. These include:
- Deleting orders
- Deleting customer account records
- Deleting customer support records
- Deleting email subscription data
- Deleting user generated content like reviews
Your business should document where customer data is stored including backups, note third-party tools which also have access to your customers' information, and develop a step-by-step process for removing customer records.
Recognize Removal Requests
The GDPR does not outline a specific method for submitting a request for erasure, so it may be common for customers to submit verbal or written requests to any part of your business from customer service agents to receptionists with or without mentioning the right to be forgotten, Article 17, or the GDPR itself.
Nonetheless, your organization must be able to recognize a request in all of its various forms and act. Consider these steps.
- Create a central form or repository for removal requests. When a request comes in, have your staff complete the form.
- Train your employees to capture requests. Note: directing a customer to a form is probably not the best option.
- Identify a person or persons responsible for dealing with requests.
- Have a draft response written ahead of time, so that you can quickly let the customer know the request was received and is being processed.
- Log the request, capturing sufficient information to perform the removal.
Validate Erasure Requests
While the GDPR allows for the right to be forgotten, this right does have limitations, so before you starting purging your database, ensure the request is valid.
Purpose. A user can request erasure if the personal data is no longer required to meet its original purpose. For example, an online store often collects personal data for the purpose of delivering a product. Once the product is delivered and legal requirements are met, that personal data is no longer serving its purpose, and a shopper covered by the GDPR can ask for it to be erased.
Consent. If personal data was collected with consent (cookies for example), and the user withdraws that consent he or she can also ask for the data collected to be erased.
Objection. A user can simply object to your company collecting his or her personal information. If your business cannot demonstrate "overriding legitimate grounds for the processing," the data subject can request deletion.
Compliance. Erasure may be required to comply with laws from individual nations in the E.U.
Legality. To state the obvious, Article 17, section 1, paragraph d, notes that a data subject can request erasure, if personal data was collected illegally.
If a request to be forgotten falls into one of these categories, your business will need to comply.
Erase Customer Data
Take the steps necessary to remove any of the customer's personal data from your production, development, and backup systems.
If you're using 3dcart, you can use the built-in GDPR Compliance Toolkit.
Notify Third-Party Data Processors
It will also be your responsibility to notify any third-party processors about the removal and verify from them that the data subject's personal information has also be removed from their systems.
Some of the plugins you use on your 3dcart site may share data with the plugin provider. For example, MailChimp will have a subscriber's email address and name, which will also need to be removed.
Log Customer Removals
Throughout the erasure process, your company should be logging and tracking each step.
- Note when the request for erasure is captured.
- Log each customer communication.
- Document that you followed the required procedures necessary to remove the data.
- Note that you verified the data was removed.
Want full instructions on getting your website GDPR-compliant right away? Download our free ebook below.