The EU General Data Protection Regulation (GDPR) comes into force on 25 May 2018. As a company that processes personal data, you are subject to this regulation.
To help you comply with the GDPR, LivePepper has developed some new features and made some changes to its platform. These are described below.
Data portability, erasure and rectification
The GDPR reaffirms the right of your customers to take back control of their personal data. In particular, they may contact you to request the portability, erasure or rectification of their data.
By definition, the right to data portability allows a data subject “to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format”. Source: Art. 20 GDPR
From the LivePepper back office, you can now export the data held on each customer in a standard, machine-readable data exchange format (.json).
Here’s how to proceed:
- Go to Customers
- Enter the first name/last name of the customer concerned in the search field.
- Click the corresponding customer file.
- Click Export (GDPR)
- Your browser will then download a file which you simply send to your customer by email. Because this file contains personal data, make sure the request genuinely comes from the account holder before sending it (for example, by replying only to the email address registered on the customer file).
Your customers also have the right to request that their personal data be erased from your database.
This is the role of the “Anonymise” function, accessible from the customer file. This function erases all of the customer’s personal data; the operation cannot be undone, so check that you have opened the right customer file first.
Lastly, your customers can request the rectification of their personal data.
You can now rectify a customer’s data by clicking “Edit” in the customer file.
Automatic deletion of inactive accounts
The GDPR requires personal data to be kept for no longer than a reasonable retention period.
From now on, your customers’ accounts will be automatically anonymised three years after their last login. Once an account has been anonymised, the customer will have to create a new account if he/she wishes to place an order again.
The customers concerned will receive an e-mail two weeks before the retention period expires, informing them of the imminent deletion of their account. If they do not object to the deletion by clicking the link contained in the e-mail, the deletion takes effect two weeks after the e-mail was sent.
Secure SSL hosting
Although the GDPR does not explicitly require it, we have decided to switch all our sites to SSL (HTTPS) hosting so that your customers’ personal data is encrypted in transit. If your site is not yet hosted over SSL, it will be migrated automatically in the coming weeks.
Thereafter, your website’s address will begin with https:// instead of http://. There is no need to inform your customers of this change: requests to the old http:// address are automatically redirected to the new https:// address. You may nevertheless wish to update any links you publish yourself (menus, flyers, social media profiles) to the https:// form.
Explicit agreement to receive marketing information
Depending on your site’s setup, when a customer registers with your restaurant, the checkboxes for receiving promotional offers may be pre-checked (i.e. pre-ticked).
Since pre-ticked boxes are incompatible with the GDPR’s principle of “data protection by default”, these boxes will now be unchecked by default. Your customers must therefore explicitly opt in to receive any marketing information from you.
Explicit acceptance of your General Conditions of Sale
You may add a checkbox at the end of the purchasing process so that your customers confirm that they have read and accept the general conditions of sale before confirming their order.
To add this box, proceed as follows in the back office:
- Appearance > Content
- In the Information section, enter the following phrase: “I agree with the general conditions of sale.” in the third block, entitled “Acceptance of general conditions at the end of the purchasing process”. You can place a link to your “General Conditions of Sale” static page on the words “General Conditions of Sale”.
We advise you to add a static page containing your general conditions of sale, as well as a page describing how you handle your customers’ personal data.
Note that the GDPR requires you to clearly state the following on your website:
- The personal data retention period (in your case, three years after the customer’s last login),
- A reminder of the customer’s rights to rectification, erasure and portability of their data,
- The contact details of the data controller with whom they may exercise the above rights,
- The right to lodge a complaint with a supervisory authority.
If you have not already done so, we advise you to consult a legal expert to validate your compliance with the GDPR.