Bold Commerce's very own Security Architect, Paul, dives into the world of GDPR and explains what eCommerce store owners need to know to protect themselves and their customers, and the steps we've taken to become GDPR compliant.
[I am not a lawyer, the information in this post is not legal advice, and the actions we’re taking may not be right for you or your company to take. If you’re not sure if GDPR applies to you, you should contact a lawyer to confirm. Though GDPR most likely applies to you in some way]
It should go without saying an individual’s privacy and the personal data they give a company should be treated with the utmost care and respect.
Since the General Data Protection Regulation (GDPR) came into effect May 25th, 2018, these beliefs now have the support of the European Union, and will hopefully encourage other countries around the world to fall in line.
How it will affect your online store
As a store owner, you're responsible for the compliance of every app you have installed on your store.
Not only will compliance give you the opportunity to attract new and larger customers, since you'll be seen as a trusted company, you'll also avoid the large fines you might have to pay if one of the apps you're using is non-compliant.
You know Bold is compliant, but if you haven't already we suggest confirming with any other apps you have installed that they meet GDPR regulations as well.
In this post, we'll also talk about:
- What is GDPR anyway?
- Data protection explained
- Does GDPR apply to you?
- Our commitment to merchants
- Bold's GDPR compliance
- Guide to GDPR resources
Let's get started...
GDPR is the latest iteration of privacy laws trying to limit the frequency and scale of data breaches.
It also puts boundaries on the who, when, and why companies may lawfully interact with your personal data. What’s unique about this legislation is the risk of significant financial penalties if found noncompliant.
Penalties can be as high as 4% of your annual global revenue, or €20 million (whichever is greater).
The new regulations are targeting the collection, processing, storage, and disclosure of personal data for individuals within the European Economic Area, with goals of:
- Improving the accountability and transparency of organizations interacting with this data
- Controlling the scenarios, duration, and security measures in which data may be lawfully interacted with and stored
- Limiting the transfer of personal data out of the EU to only countries and organizations who have also implemented adequate privacy and security measures
- Enshrining the ownership of an individual’s personal data and the rights the individual has to their data
These regulations are not limited to just companies in the EU though.
For example, if a European user decides to buy something from your U.S. owned, hosted, and operated store, you will have just received their name, email address, shipping address, and anything else you need to charge for and ship a product. That means GDPR would apply to you, too.
Controllers and processors
In previous privacy laws, the company choosing to collect personal data has been entirely accountable for the privacy and security of that data. Now, it’s both the original company as well as any companies they partner with who process data on their behalf.
Here's how it works:
If a Merchant installs Bold’s App on their store, that Merchant has employed Bold to perform the function provided by the app, making the Merchant a “Data Controller” and Bold a “Data Processor.”
If Bold’s App is hosted by another company, like Google Cloud Platform (GCP), Google then becomes a “Data Processor,” and also must comply with GDPR. This will then apply to any companies Google has employed as well (Sub-Processors).
By enforcing GDPR compliance from Controller to Processor and to any Sub-Processors who may be involved, they all become accountable for the personal data they touch.
No more lengthy legal documents that only make sense to people who’ve passed their LSATs!
(As necessary, this information may also need to be in a Data Processing Addendum or Agreement between Controllers and Processors, or Processors and Sub-Processors, certifying their security and privacy measures are compliant with GDPR.)
As you can see from the above, this is kind of a big deal.
Now that GDPR is live, you should be looking into whether these new regulations apply to you and your business. Here are a couple of questions to ask yourself:
- Do you currently or will you have customers, partners, contractors, vendors, etc, based in the EU?
- Do you or will you have access to any personal data on behalf of your customers, partners, etc, which may be for an individual in the EU?
If you’re still not sure, it’s best to speak with a lawyer.
The changes we’ve made to our processes, apps, and services to meet GDPR will improve our handling of personal data, regardless of an individual’s country.
This means if you’re part of the European Economic Area, or Canada, Argentina, Japan, or anywhere else on Earth (and currently, just limited to Earth), we apply the same level of care to your personal data.
We know how important it is to protect an individual’s data; not only your own, but that of your customers as well.
That's why we're happy to announce that we've taken steps to ensure our apps, services, and processes are GDPR compliant.
We investigated all locations and scenarios where personal data may be collected, processed, retained, and disclosed. Each instance was scrutinized to ensure:
- Personal data is being collected and processed only as instructed by the Data Controllers (such as a merchant using one of our apps), or express consent is knowingly provided by the individual
- Data retention policies and enforcement methods are in place to only retain personal data for the length of time required to fulfil the purpose, complete the transaction(s) for which it was collected, or as required by law
- Reasonable security measures are implemented to protect the confidentiality, integrity, and availability of any personal data we come in contact with
- Processors engaged by Bold who may interact with personal data also meet GDPR requirements
As part of our GDPR initiative, we made sure each of the Data Subjects’ Rights is well understood, and processes were put in place to assist if a user feels it necessary to act.
We've also been implementing the use of Data Protection Impact Analysis during the initial design of new apps, services, and significant features we've been developing.
Our Data Processing Addendum (DPA) is also available if you need it for your own GDPR compliance plans, and we've published our Processors list to provide transparency to our practices, reinforcing our commitment to GDPR and the responsible handling of personal data.
If GDPR does apply to you, here are a number of great resources to get you started:
- EU’s Primary GDPR Page
- An easy to read resource for browsing the complete legislation
- GDPR Wiki page. It provides a great overview, but for specific compliance advice it’s best to speak with a lawyer. (Note: this page is only as accurate as its submitters and editors.)
- The UK’s Information Commissioner’s Office (ICO) has provided a thorough page on becoming GDPR compliant
- ICO’s 12 step guide for GDPR compliance
- If you use MailChimp, they've created some GDPR friendly forms that can help you create a signup form to collect consent that will help you adhere to the new regulations.
Lastly, if you're looking for more information on Bold and our GDPR compliance, head over to our website to get all the details.