
osCommerce


Who in the EU has heard of GDPR and will it affect you


14steve14


On the 25th May 2018 the updated General Data Protection Regulation comes into force. Well, who knew anything about that? It would appear that the EU has changed, or is about to change, the way that people collect and store others' data. This apparently supersedes the Data Protection Act in the UK. It has also been mentioned that when we leave the EU we will still need to comply with the regulations as the EU has made it worldwide somehow.

 

Has any store owner seen a sensible, easy to understand website that explains how this may affect store owners, or, like me, have you never heard about this until now?

REMEMBER BACKUP, BACKUP AND BACKUP


Thankfully I'm not in the EU and don't sell into the EU but...

 

E.U.'s New Data Protection Law Affects Companies Worldwide

 

Dan


when we leave the EU we will still need to comply with the regulations as the EU has made it worldwide somehow.

 

Easy there! If you do business in the EU, and therefore handle the data of EU citizens, this applies to you. If you are located outside the EU, and are dealing with non-EU citizens' data, it doesn't apply to you. If you need to implement anything new to meet GDPR, it should be a superset of data-protection requirements anywhere else in the world, and you can handle everything the same way. Now, if you're physically located outside the EU, I doubt they'll have much leverage with you, even when dealing with EU citizens. If you're a small shop, and make a reasonable effort to protect personal data, frankly I doubt they'll bother coming after you. They've got bigger fish to fry with Amazon, Google, etc.

 

Has any store owner seen a sensible, easy to understand website that explains how this may affect store owners, or, like me, have you never heard about this until now?

From a very quick scan of the Wikipedia article, it sounds like mostly common-sense data protections. I don't see anything that says the Data Protection Officer has to be a discrete person -- it can be another hat you wear (president, web guru, shipping clerk, bottle washer, DPO,...). People can request that their data be moved to another system, which is not applicable if you don't run elsewhere (what are they trying to accomplish here?). People can request to be forgotten (you erase their account information upon request, where that doesn't conflict with statutory data retention requirements or good accounting principles). Data breaches have to be reported to the appropriate authority. Customers have to explicitly consent to having data collected (it should be enough to add "By providing this information, you are consenting to our collecting it" to registration and PWA pages), and there are restrictions on collecting information from children. There are some privacy provisions which anyone handling personal data should already be implementing, at least for the type of data an online shop would hold. There may be some extra i-dotting and t-crossing to be done, but what else is new?


@MrPhil

 

That's pretty much how I read everything. I already get asked to remove customers, which I always do unless they have bought something, in which case I need to keep the information. Nothing on my site is pre-selected, as that was something that was implemented when the last lot of Data Protection rules were changed and people had to opt in rather than opt out. The only thing I think that really needs sorting with regards to the webshop is something to say that a customer has given consent to store information. I suppose this could be something like a check box with the result stored in the database when creating an account, something along the lines of the newsletter bit of the create account form.

 

Luckily all that I store is customer contact details and order details, so nothing too serious to be concerned about. I do also remove lots of old customers after a few years if they have never bought anything, so that's sort of complying in that I don't keep data longer than I need. I also have unsubscribe links in the newsletters that are sent and Mailchimp sorts all that out.

REMEMBER BACKUP, BACKUP AND BACKUP


Thanks for this thread.


We should ensure personal data deletion and GDPR confirmation in the registration where the customer comes from the EU.

 

 

In the official core we need an EU customer's delete option directly from the account and an administration delete mechanism after time periods.

 

The question is which data should be destroyed?

 

I suppose transfer the user to an anonymous user and never delete the orders data.

Sensitive data are the customer's name, street address, birthday and email address. Other data are not linkable but are needed for stats.

The customer's name should be anonymous or a nickname in the reviews.

So only the relations should be destroyed when the customer wants to delete the registration.

I don't understand why only personal data is sensitive and why not company data...

This law has a different effect on webshops. Some shops will offer partner programs to keep the account alive and some not, where orders are unique.

:blink:
osCommerce based shop owner with minimal design and focused on background works. When the less is more.
Email management with tracking pixel, package management for shipping, stock management, warehouse management with bar code reader, parcel shops management on 3000 pickup points without local store.


Never heard of it. No doubt more EU-Bulldust dreamed up by men in suits who have nothing better to do.

 

Not in the EU...the answer for many small businesses; don't sell to EU citizens. That takes away a whole layer of Bulldust.

 

https://en.wikipedia.org/wiki/General_Data_Protection_Regulation

 

@burt Many small businesses can survive by selling to the EU; it's a bigger market than the small UK. Why are you so rude about that?

  • The clever one learns from everything and from everybody
  • The normal one learns from his experience
  • The silly one knows everything better

[socrates, 412 before Christ]

Computers help us with the problems we wouldn't have without them!
99.9% of the bugs sit in front of the computer!
My programmed add-ons: WDW EasyTabs 1.0.3, WDW Facebook Like 1.0.0

if(isset($this) || !isset($this)){ // that's the question...

 


Thanks for this thread.

We should ensure personal data deletion and GDPR confirmation in the registration where the customer comes from the EU.

 

 

In the official core we need an EU customer's delete option directly from the account and an administration delete mechanism after time periods.

 

The question is which data should be destroyed?

 

I suppose transfer the user to an anonymous user and never delete the orders data.

 

Sensitive data are the customer's name, street address, birthday and email address. Other data are not linkable but are needed for stats.

 

The customer's name should be anonymous or a nickname in the reviews.

 

So only the relations should be destroyed when the customer wants to delete the registration.

 

I don't understand why only personal data is sensitive and why not company data...

 

This law has a different effect on webshops. Some shops will offer partner programs to keep the account alive and some not, where orders are unique.

 

The data for the bookkeeping have to be destroyed after 10 years; in some EU countries longer, in some shorter.

I did already recommend that osC has to consider the EU law in every new version. I know some people don't like that, but I have a 100% EU-law-suitable version. The community already knows it as my pimp version. The link you can find in my profile.

 

And this new law has to be suitable for every EU country; this will need a long time too.

 

Here is the text of the law: http://ec.europa.eu/justice/data-protection/reform/files/regulation_oj_en.pdf


@burt Many small businesses can survive by selling to the EU; it's a bigger market than the small UK. Why are you so rude about that?

 

Because the EU is full of un-elected bureaucrats that have nothing better to do all day apart from make up complicated legislation that affects everyone, and makes their life so much harder.

REMEMBER BACKUP, BACKUP AND BACKUP


Sure, bureaucrats can spend the day fantasizing new rules in order to justify their existence (big complaint here, too, which is a major reason President Doofus, er, Trump, is in the White House). If you're a small business, do those things which are common sense and practical and fair, and ignore the rest which are an unreasonable burden to you. If you're small enough, they probably won't bother you. If they do, you can get a lot of public sympathy and support by pointing out that you are being quite reasonable -- and they're not.


Because the EU is full of un-elected bureaucrats that have nothing better to do all day apart from make up complicated legislation that affects everyone, and makes their life so much harder.

 

That's why the UK is out of the EU. That will make things much more complicated for the UK in future. :D


Thankfully I'm not in the EU and don't sell into the EU but...

 

E.U.'s New Data Protection Law Affects Companies Worldwide

 

Dan

 

Yes, this will affect data protection worldwide. Maybe the result will be that worldwide data protection is more respected and more controlled. Everybody likes to have their own data protected; if it is in the wrong hands, very quickly some people can take over the online identity and more. I appreciate the new law.


I don't want to get into a political debate on the rights or wrongs of the EU and the UKs decision to perform a Brexit.  If anyone really wants that discussion, go find a political forum and mass debate it.

 

In an ecommerce context, discussion here is most welcome:

 

As for the option of a non-EU shop NOT selling to EU Citizens...that's an option some shopowners might like to take.  


I don't want to get into a political debate on the rights or wrongs of the EU and the UKs decision to perform a Brexit.  If anyone really wants that discussion, go find a political forum and mass debate it.

 

In an ecommerce context, discussion here is most welcome:

 

As for the option of a non-EU shop NOT selling to EU Citizens...that's an option some shopowners might like to take.  

 

 

I did the opposite and stopped selling some products ie electronic services to customers within the EU. It was a very simple mod if you remember Gary, so it must be possible to do something similar for other countries.

REMEMBER BACKUP, BACKUP AND BACKUP


I have an appointment booked to find out more about this and what my site needs to do to comply. From talking to people it seems pretty straight forward, but you never know. Consent to store and use information seems to be the biggest factor and new policies have to be written about the removal of data.  More to follow.

REMEMBER BACKUP, BACKUP AND BACKUP


I attended local seminar about GDPR by our accounting firm and their security and audit department.

Basically GDPR lays out common sense for security measures to protect the privacy of the personal data of your customers. Plus you need to document who the consumer can contact for personal data (verification, correction or removal).

Address information that you keep with the orders in the accounts is not sensitive data. If you start to profile and keep track of the age of their kids and stuff then you can end up in the grey area of things. If you have a doctor's practice with medical records that is a big difference from an ecommerce operation.

So you need to use common sense to ensure data theft is not possible (securing logins, password policy, no USB stick backups, servers behind lock). Make sure that (paper) processes are documented and paper records are destroyed so that private and sensitive personal data cannot end up in the wrong hands. Also in a bigger setting with sensitive data, staff should only have access to the (sensitive) data that they need to know. E.g. the janitor should not be able to access medical records, to be blunt about it ... :D

I personally think it is a good effort to raise the awareness, it is just peoples reaction is over the top if they don't understand the concept of sensitive data and overall risk mitigation.

Edit: big caveat, if you sell personal data then you are in trouble :D

KEEP CALM AND CARRY ON

I do not use the responsive bootstrap version since i coded my responsive version earlier, but i have bought every 28d of code package to support burts effort and keep this forum alive (albeit more like on life support).

So if you are still here ? What are you waiting for ?!

 

Find the most frequent unique errors to fix:

grep "PHP" php_error_log.txt | sed "s/^.* PHP/PHP/g" |grep "line" |sort | uniq -c | sort -r > counterrors.txt


On 1/20/2018 at 5:16 AM, bruyndoncx said:

you need to document who the consumer can contact for personal data (verification, correction or removal)

That's what worries me. If someone sends me an email that's not associated with their account, or calls me up, and asks what personal data I'm keeping on Carine Bruyndoncx, how do I know it's really you? Should I only permit access via signon through their customer account? What if they claim they have forgotten their password and no longer have that email address? I don't want to give out personal data to random people who may well have malicious intent. If someone can sign on to their account, they can see their data, modify it if they wish, or ask for removal (in practice, taking it offline). That's all that seems reasonable to me. If they no longer can sign on to their account, they have no way to prove who they are, so T.S.


17 hours ago, MrPhil said:

That's what worries me. If someone sends me an email that's not associated with their account, or calls me up, and asks what personal data I'm keeping on Carine Bruyndoncx, how do I know it's really you? Should I only permit access via signon through their customer account? What if they claim they have forgotten their password and no longer have that email address? I don't want to give out personal data to random people who may well have malicious intent. If someone can sign on to their account, they can see their data, modify it if they wish, or ask for removal (in practice, taking it offline). That's all that seems reasonable to me. If they no longer can sign on to their account, they have no way to prove who they are, so T.S.

For data protection you are supposed to already implement something to ensure you only give the requested information to the correct person. That is why when you phone anywhere asking for information they ask security questions to confirm you are who you say you are. They are generally things like first line of address or postcode, date of birth, that sort of thing. They are generally easy to bypass if you know the person you are asking about, but as they have asked the questions, I believe they would be covered for a data breach.

I know lots of small businesses that have never even heard of GDPR so they could be in big trouble. Saying that, some of them still quote the Sale of Goods Act and 7 day returns so they are well behind. I got caught out the other day by a business that I buy lots of stuff from, and to get through their security they asked what the last item I bought from them was. I was not at the office so could not find a copy of the last invoice, so I was stumped, but good of them for asking the question.

REMEMBER BACKUP, BACKUP AND BACKUP


So, is there any written legal guidance on what constitutes proof of identity? If someone calls me up and asks what information I have on them, but can't remember their ID and password, and no longer has the email they signed up with, and I don't keep their credit card number, and they can't remember their last order... what am I supposed to do? Is every EU customer supposed to give me security questions that I keep on file*, and can challenge them with? It seems that this is getting very stupid. I wouldn't want to get in trouble for giving out personal information to the wrong people, either. There is no legitimate reason for someone to ask what information I have on file, and if they have an active account, they can check, verify, and update it themselves (or ask to be forgotten). Case closed. I'm not in the EU, and I intend to ignore these "requirements" for any EU customers.

* which, if you think about it, constitutes even more personal information to protect and be queried about!


It should be interesting to see if Harald updates this forum to get explicit permission for each post and to put up an avatar, and that anyone claiming to be that member can request that everything be removed!

Common sense data protection is one thing, but the ability to delete all your material (including posts and avatars) is absurd. I'm not sure I would let someone remove their posts, as that would totally scramble any forum or blog. It only makes sense that permission is implicitly given if someone chooses to place an order, make a post, add an avatar, etc. I don't care to ask for explicit permission -- that's too much Nanny State. Whatever happened to people exercising common sense? If irresponsible parents choose to let their children act unsupervised, that's not my problem -- don't punish me for a minor joining up, posting, or making a purchase while claiming to be an adult. Obviously, the vast majority of those who post on social media and news websites are about 12 years old!


What my company has done in our API is to (simplified) encrypt all data fields such as name, address, email (anything identifiable) on the way into the db, and decrypt it whenever it comes out.  So you never store anything in your db unencrypted. 

Makes it harder for searches from your app, but there you go.  

You don't need to delete data ever.


What good does encrypting your customer data do? The password, etc. has to be in your store code, so anyone who can get access to your database can probably easily get the means to decrypt the data, too. And vice-versa -- if they get to your code, they can find the DB name and access information. This doesn't seem to me to be very useful. Only a hash (one-way encryption), such as used for a signon password, would be fairly secure, and that's good only for passwords where you're comparing hashed fields (not decrypting data). Please don't say, "well, it satisfies the regulators".


@MrPhil

I love your comment about common sense. Haven't you noticed that 'common sense' has slowly been bred out of the latest version of human beings, and has been replaced with a fully fledged version of 'stupid'.

I have a webinar booked for later this month, and will pass on the findings.

 

REMEMBER BACKUP, BACKUP AND BACKUP


From my latest readings, I get the impression it's fairly standard stuff, common sense and something we should all be doing anyway:

1.  define from whom people can request the details you hold about them.
I imagine for most users of osCommerce, that is the same person as does everything else... You (shopowner)!
Maybe put this on your T&C page?

2.  have a mechanism whereby a person can request that you delete their details.
I imagine that You (shopowner) would respond to the request by email, and on that email "if you want us to delete your data email us back".
Admin side already has a delete account mechanism IIRC.

3.  You (shopowner) could potentially add a shop-side "delete my account" mechanism.
Obviously people would be logged in, so perhaps an extra link or button on their "account" page.

4. You'd need to make it clear that deletion of data does mean that you'll retain at least some of their details:
Orders made.  Perhaps Reviews?  Maybe you could update reviews to change the person's real name into a nick name?

5. Possibly You (shopowner) could have an extra account page which lists everything you know about the person who is logged in?
Maybe this could list Name and Address, any extra addresses, orders made, IP address(es) (if you've collected them), and so on.
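Items 3 to 5 above, together with the earlier suggestion to keep the orders but turn the customer into an anonymous user and put a nickname on their reviews, as a worked example added here (not osCommerce's own code). It runs against an in-memory SQLite copy of a few tables whose names and columns are an assumption modelled on osCommerce's customers, address_book, orders and reviews tables; the sample rows are constructed.

```python
# Added example, not osCommerce's own code: a "what you hold about me" export
# and an account-erasure routine over an in-memory SQLite copy of a few
# osCommerce-like tables. Table and column names are an assumption modelled
# on osCommerce; the sample rows are constructed.
import sqlite3
from datetime import datetime, timezone

SCHEMA = """
CREATE TABLE customers (customers_id INTEGER PRIMARY KEY, customers_firstname TEXT,
    customers_lastname TEXT, customers_email_address TEXT, customers_dob TEXT);
CREATE TABLE address_book (address_book_id INTEGER PRIMARY KEY, customers_id INTEGER,
    entry_street_address TEXT, entry_postcode TEXT, entry_city TEXT);
CREATE TABLE orders (orders_id INTEGER PRIMARY KEY, customers_id INTEGER,
    customers_name TEXT, customers_street_address TEXT, order_total REAL);
CREATE TABLE reviews (reviews_id INTEGER PRIMARY KEY, customers_id INTEGER,
    customers_name TEXT, reviews_text TEXT);
CREATE TABLE erasure_log (customers_id INTEGER, erased_at TEXT);
"""

# Constructed sample data: one customer with an address, two orders and a review.
SAMPLE_DATA = """
INSERT INTO customers VALUES (7, 'Anna', 'Example', 'anna@example.test', '1980-01-01');
INSERT INTO address_book VALUES (1, 7, '1 Sample Street', 'AB1 2CD', 'Sampletown');
INSERT INTO orders VALUES (100, 7, 'Anna Example', '1 Sample Street', 19.99);
INSERT INTO orders VALUES (101, 7, 'Anna Example', '1 Sample Street', 5.00);
INSERT INTO reviews VALUES (3, 7, 'Anna Example', 'Works as described.');
"""

# Fixed list of tables keyed by customers_id (never user input, so safe in an f-string).
PERSONAL_TABLES = ("customers", "address_book", "orders", "reviews")


def open_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.executescript(SCHEMA + SAMPLE_DATA)
    return conn


def export_personal_data(conn, customers_id):
    """Item 5: everything still linked to the logged-in customer, per table."""
    report = {}
    for table in PERSONAL_TABLES:
        rows = conn.execute(f"SELECT * FROM {table} WHERE customers_id = ?",
                            (customers_id,)).fetchall()
        report[table] = [dict(row) for row in rows]
    return report


def erase_customer(conn, customers_id, nickname="Anonymous"):
    """Items 3 and 4: honour a deletion request by removing the account and every
    relation to it, while keeping the order rows for the bookkeeping period."""
    cur = conn.cursor()
    # Reviews stay, but under a nickname and with the link to the account cut.
    cur.execute("UPDATE reviews SET customers_id = NULL, customers_name = ? "
                "WHERE customers_id = ?", (nickname, customers_id))
    reviews_anonymised = cur.rowcount
    # Orders keep the invoice details the accounts need; only the link is cut.
    cur.execute("UPDATE orders SET customers_id = NULL WHERE customers_id = ?",
                (customers_id,))
    orders_unlinked = cur.rowcount
    # The account itself and its address book go entirely.
    cur.execute("DELETE FROM address_book WHERE customers_id = ?", (customers_id,))
    cur.execute("DELETE FROM customers WHERE customers_id = ?", (customers_id,))
    customers_deleted = cur.rowcount
    # Record that the request was honoured; the log holds no personal data.
    cur.execute("INSERT INTO erasure_log VALUES (?, ?)",
                (customers_id, datetime.now(timezone.utc).isoformat()))
    conn.commit()
    return {"customers_deleted": customers_deleted,
            "orders_unlinked": orders_unlinked,
            "reviews_anonymised": reviews_anonymised}
```

After erase_customer runs, export_personal_data for the same id returns empty lists for every table, while the two order rows and the review text are still in the database.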

 


Archived

This topic is now archived and is closed to further replies.
