GDPR and your online shop

2 May 2018
Intended audience: store owner

You are most likely aware there is a new data protection regulation coming into force soon. This article is to let you know what we are doing in FoodCommerce to ensure we comply and anything we think you need to review.

This new EU regulation is known as the General Data Protection Regulation (GDPR) and it comes into effect on 25th May 2018. It replaces the current UK Data Protection Act 1998 and strengthens the rights of individuals to access, correct, delete, and restrict the processing of their data. It also sets a much higher standard for how individuals consent to the processing of their data. This is especially important if you're using your customers’ data beyond the processing of their orders, such as for marketing.

The UK authority on data protection is the Information Commissioner's Office (ICO) and the information on their website can therefore be relied upon. You can also find other interpretations of GDPR in blogs across the Internet, all skewed to whatever they are selling (including this one). Ultimately it is up to you to do your own assessment and obtain appropriate legal advice as necessary.

Processing orders

In general very little has changed in the regulations regarding contracts, and there is no additional processing in FoodCommerce beyond the fulfilment of orders. We therefore comply with the new regulations in this area. For transparency and documentation reasons you now need to update your privacy policy to say that the legal basis for processing customer orders is contract. The ICO says:

“your privacy notice should include your lawful basis for processing as well as the purposes of the processing”.

Individuals' right of access

By signing into their account in your online shop individuals can see all the data we hold about them. This same data can be accessed by you in the FoodCommerce control panel. If an individual requests the data you hold about them you have one month to comply and you must do it free of charge. You will need to include any additional data you have stored elsewhere, such as in emails, spreadsheets and paper notes: there is no longer a distinction between electronic and manual records, as the GDPR applies equally to both. Data in which the individual is identified only indirectly (an order number that can be matched back to a name, for example) must also be included.

Right to be forgotten

This is new and it gives your customers the right to ask you to delete all personal data in which they can be identified. The right is not absolute: data you are legally required to keep, such as the accounting records of completed orders, can be retained, but it should no longer be used for anything else. We intend to make it possible for both the individual and yourself to do this by the simple press of a button. Until then please inform us of any such requests and we will handle them manually.

Data security

Data security has always been a primary consideration with FoodCommerce and therefore no changes are needed to the platform to comply with this new regulation. One thing that is new on your side is breach notification: under GDPR a personal data breach that is likely to put individuals at risk must be reported to the ICO within 72 hours of you becoming aware of it. If you suspect customer data from your shop has been exposed, for example a lost laptop holding an order export, tell us straight away so we can help you establish what was affected.

Using collected data for marketing

This is the tricky one and there is conflicting advice out there. One of the biggest changes in GDPR is the standard of consent, and the focus on that has led people to say that you must now have consent in order to send people marketing emails. This would appear to be a myth. Who says so? Well, Elizabeth Denham, the Information Commissioner, in her blog post “Consent is not the ‘silver bullet’ for GDPR compliance”.

Consent is only one of six possible lawful bases for processing data and the ICO clearly says that:

“no single basis is ‘better’ or more important than the others – which basis is most appropriate to use will depend on your purpose and relationship with the individual”.

Further to this the marketing page on the ICO website says:

“The most important thing to remember is that you can only carry out unsolicited electronic marketing if the person you're targeting has given you their permission. However, there is an exception to this rule. Known as the 'soft opt-in' it applies if the following conditions are met;
  • where you've obtained a person's details in the course of a sale or negotiations for a sale of a product or service;
  • where the messages are only marketing similar products or services; and
  • where the person is given a simple opportunity to refuse marketing when their details are collected, and if they don't opt out at this point, are given a simple way to do so in future messages.”

The “soft opt-in” rule itself comes from the Privacy and Electronic Communications Regulations (PECR), which continue to apply alongside GDPR. Continuing to rely on it for marketing to anyone registering with your online shop would therefore still appear to be a valid option.

BTO Solicitors go further in their blog post “The Post GDPR and ‘Soft Opt-In’ For Marketing” by advising:

“...if you can rely on another processing condition, then do - consent should be your last option and is generally not your only option.”
“There is an exception called the ‘soft opt-in’. This means that consent is not required if you are sending marketing messages about similar products and services to your customers/clients or those you have negotiated with to provide products or services”
“This processing is not based on consent, but rather the legitimate interests processing condition and can only be relied upon by the organisation that collected the contact details, not third parties.”

Using consent as your legal basis for marketing

If you choose to make consent your legal basis for marketing to people who have registered with your online shop, you most likely have no consents that meet the GDPR standard, so you will be starting from scratch. The ICO says:

“check your consent practices and your existing consents. Refresh your consents if they don’t meet the GDPR standard”

To begin with you should probably contact your existing mailing list asking for their consent, and in doing so expect to lose a significant chunk of it. You should also do this before the new regulation comes into force on 25th May.

Whatever legal basis you choose for marketing to your registered customers you will need to document that in the privacy policy on your website.

Recording consent in FoodCommerce

We will be making some changes to FoodCommerce so individuals will be able to opt in to or out of marketing at registration. They will also be able to change their choice in their account, and you will be able to do the same in the control panel. GDPR requires us to be able to demonstrate what was consented to and when, so we will keep a record every time that changes rather than just the current setting. For customers who registered before the 25th May we will initialise that change log with a “soft opt-in” record or similar.

To make consent work you will need to make changes to your registration and accounts pages. I will give you more information on what needs doing when we release the update.

If you are using a third party marketing application you will need to ensure that opt-in and opt-out changes made in FoodCommerce are applied to that application as well, otherwise someone who opts out in your shop could keep receiving emails. Again I will give you more information when we release the update.
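To make the consent record described above concrete, here is an added example of an append-only consent ledger, written for this article and not FoodCommerce's own code. Every opt-in or opt-out is kept as a dated event with its legal basis and where it was made, the current state is derived from the latest event, pre-GDPR accounts are seeded with a “soft opt-in” record, and a cursor-based query lets a third party mailing application pull only the changes it has not yet seen. The class and field names, the basis labels and the constructed sample customers are all assumptions for illustration.

```python
"""Append-only marketing-consent ledger (illustrative example, not FoodCommerce code)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

# Date the GDPR applies from; accounts registered before this get a seeded record.
GDPR_DATE = datetime(2018, 5, 25, tzinfo=timezone.utc)


@dataclass(frozen=True)
class ConsentEvent:
    """One immutable entry in the history: what was chosen, on what basis, where, and when."""
    customer_id: str
    opted_in: bool
    basis: str      # hypothetical labels: "soft-opt-in", "consent", "objection"
    source: str     # hypothetical labels: "registration", "account", "control-panel", "migration"
    at: datetime
    note: str = ""


class ConsentLedger:
    """Events are only ever appended; the current state is whatever the latest event says."""

    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []

    def record(self, customer_id: str, opted_in: bool, basis: str, source: str,
               at: Optional[datetime] = None, note: str = "") -> ConsentEvent:
        event = ConsentEvent(customer_id, opted_in, basis, source,
                             at or datetime.now(timezone.utc), note)
        self._events.append(event)
        return event

    def history(self, customer_id: str) -> List[ConsentEvent]:
        """Full history for one customer, e.g. for a subject access request."""
        return [e for e in self._events if e.customer_id == customer_id]

    def current(self, customer_id: str) -> Optional[ConsentEvent]:
        events = self.history(customer_id)
        return events[-1] if events else None

    def may_market(self, customer_id: str) -> bool:
        """No record at all means no marketing: absence of an opt-out is not an opt-in."""
        latest = self.current(customer_id)
        return latest is not None and latest.opted_in

    def changes_since(self, cursor: int) -> Tuple[List[ConsentEvent], int]:
        """Events appended after `cursor`, plus the new cursor, for syncing a mailing app."""
        return self._events[cursor:], len(self._events)

    def seed_existing_customers(self, registrations: Dict[str, str]) -> int:
        """Give pre-GDPR accounts with no history a dated soft-opt-in record.

        `registrations` maps customer id to registration time as an ISO 8601 string.
        Returns the number of records written.
        """
        written = 0
        for customer_id, registered_iso in registrations.items():
            registered_at = datetime.fromisoformat(registered_iso)
            if registered_at < GDPR_DATE and not self.history(customer_id):
                self.record(customer_id, True, "soft-opt-in", "migration",
                            at=registered_at, note="registered before 25 May 2018")
                written += 1
        return written


def demo() -> ConsentLedger:
    """Constructed sample data: one pre-GDPR account and one registered afterwards."""
    ledger = ConsentLedger()
    ledger.seed_existing_customers({
        "cust-001": "2017-03-01T10:00:00+00:00",   # seeded with soft opt-in
        "cust-002": "2018-06-01T09:30:00+00:00",   # post-GDPR: must opt in explicitly
    })
    ledger.record("cust-002", True, "consent", "registration")
    ledger.record("cust-001", False, "objection", "account")   # customer opts out later
    return ledger


if __name__ == "__main__":
    ledger = demo()
    for cid in ("cust-001", "cust-002"):
        print(cid, "may market:", ledger.may_market(cid))
        for event in ledger.history(cid):
            print("   ", event.at.isoformat(), event.basis, event.source, event.opted_in)
```

The important design choice is that nothing is ever overwritten: an opt-out does not delete the earlier soft-opt-in record, it sits after it, so you can show the ICO exactly what the position was on any given date. The `changes_since` cursor is what a scheduled job would use to push opt-outs to a third party mailing list so the two never disagree.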

Our sample terms and privacy policy

GDPR has caused me to make changes to the sample terms and privacy policy we provide in our support pages. Specifically I have added the legal basis for processing to the privacy policy and removed the £10 charge for an individual requesting their data, as this is no longer permitted. In both the terms and the privacy policy I have removed “unless you agree otherwise” from the end of statements saying their data will not be shared with third parties.

If you used our sample terms and privacy policy as a basis for creating your own then you may need to make similar changes.

In summary: the legal bases for processing orders and for marketing to registered customers need adding to the privacy policy on your website. Deciding the legal basis for marketing is something you need to consider and, if necessary, you should take appropriate legal advice. We are making changes to FoodCommerce so that if you decide to change your legal basis for marketing to consent you can make it work.

Tony Fear