GDPR one page summary
The EU’s General Data Protection Regulation (GDPR) came into effect on the 25th of May 2018.
The regulation was created to harmonise the separate data protection laws of the EU member states (and, through the EEA Agreement, of Iceland, Liechtenstein and Norway, which together with the EU make up the European Economic Area, or EEA). It also gives individuals more rights over the personal data that is collected and stored about them, including the right to access and control it. The GDPR applies to any business processing the personal data of individuals who are in the EEA, including a business located outside the EEA if it offers goods or services to those individuals or monitors their behaviour.
When the UK left the EU, the GDPR was incorporated into UK law as the UK GDPR at the end of the transition period. The UK GDPR applies the same rules as the EU GDPR to the UK, with little practical change. UK data protection law is currently framed by the Data Protection Act 2018 alongside the UK GDPR.
In addition to complying with the UK GDPR, the EU GDPR may also still apply to you if you operate in the European Economic Area (EEA), or if you offer goods or services to or monitor the behaviour of individuals in the EEA.
A guide to the GDPR, including its full text, is available at https://gdpr.eu/ (a site co-funded by the EU's Horizon 2020 programme but not an official EU resource; the official text is published on EUR-Lex).
The Information Commissioner's Office (ICO), the UK body responsible for data protection, has guidance available on its website.
ShopWired’s platform is compliant with the GDPR.
The guidance below is intended only to explain how the GDPR affects your business in relation to its use of the ShopWired platform. It does not constitute legal advice. You should consult a legal professional to find out how, and to what extent, the GDPR applies to your business.
As the EU GDPR and the UK GDPR are very similar in practice some of this guidance will only refer to ‘the GDPR’ and not one or the other specifically.
Consent from your customers for you to collect and process their data
Under the GDPR, consent is one of the lawful bases on which you may process the personal data of your customers, and you may need to obtain it for some of your processing. Consent must be freely given, specific to the purposes for which you intend to process the data, informed and unambiguous, and given by a clear affirmative action: silence, inactivity or a pre-ticked box does not count. Consent must also be as easy to withdraw as it was to give.
For example, if you use retargeting apps or techniques to attract customers back to your website, you should consider what data about customers you process as part of that retargeting and what consent you need from them in order to use their data in this way. Note that the tracking cookies or pixels that retargeting relies on are separately regulated (in the UK by PECR) and generally also require consent.
For the processing of data to be lawful under the GDPR you need to identify a lawful basis for doing so. The six lawful bases are consent, contract, legal obligation, vital interests, public task and legitimate interests; for an online shop, processing the data needed to fulfil a customer's order is usually covered by contract rather than consent. You can read more about this here.
The storage of your customers' data
As a user of our platform you use our services to collect and store data about your customers and website visitors.
All of the information that we store and process on your behalf, about your customers, is held on servers hosted with Amazon Web Services (AWS). We do not store data on any devices, internal databases or networks outside of AWS.
For more information about security at AWS please see their guidance at https://aws.amazon.com/security/. AWS have published information about the GDPR on their website here.
The security of your customers' data
All data stored on our platform is encrypted both 'at rest' and 'in transit'. This means the data is encrypted when stored on our servers, and the connection is encrypted when you access the data through your account or download information to your computer (e.g. a download of customers). Bear in mind that encryption protects data against loss of the underlying storage or interception of the connection, not against someone using your account credentials, so keeping your own login details secure is still essential.
Any data processed by our platform is processed in a manner which ensures its security. Access to customer data by our team is restricted on a 'need to know' basis, and all such access is logged by our internal systems.
Because data is not stored on networks or devices outside of AWS, our exposure to accidental loss, destruction or damage, or to unauthorised or unlawful processing, is reduced.
Any data transferred between devices within the network is transferred in an encrypted state.
Breaches of your customers' data
The GDPR places a duty on all organisations to report personal data breaches to the relevant supervisory authority, unless the breach is unlikely to result in a risk to the rights and freedoms of the individuals concerned. Every breach, reported or not, must be documented.
Where a breach is likely to result in a high risk to individuals, the organisation also has a duty to inform the affected individual(s) without undue delay.
A breach is more than just the loss of data. It also includes the accidental or unlawful destruction, alteration, unauthorised disclosure of, or unauthorised access to, personal data.
If there is a breach of personal data on our platform we will notify the relevant regulatory authority within the regulatory requirement of 72 hours after we first become aware of it.
If the data of your customers is, or might have been, affected, we will notify you within 48 hours. Under the GDPR, we as processor must notify you as controller without undue delay, and you then have your own legal requirement to report the breach to the supervisory authority within 72 hours of becoming aware of it (that is, from when we notify you). We will provide you with the details you need in order to make that report within your time limit.
The GDPR allows organisations to provide information to the supervisory authority in phases where it is not all available at once (a full investigation of a breach can take some time). As our own investigation progresses we will pass updates on to you.
More information about data breaches, and your obligations, can be found here.
You should familiarise yourself with these requirements and ensure you have implemented a process for dealing with a data breach that originates from our platform and also from any of your other systems on which you store or process personal data.
Appointing a Data Protection Officer (DPO)
A DPO oversees how your organisation collects and processes personal data. The GDPR sets out specific tasks for a DPO, including informing and advising the organisation on its data protection obligations, monitoring compliance, and advising on data protection impact assessments (DPIAs), which are required when a change to how you collect or process personal data is likely to result in a high risk to individuals.
Appointing a DPO is only mandatory in certain cases (for example public authorities, or organisations carrying out large-scale systematic monitoring of individuals), so it might not be a requirement for you. Our recommendation is that you appoint one anyway (even if this is yourself). Be aware that if you appoint a DPO voluntarily, the same requirements for the role apply as if the appointment were mandatory.
Further information
If you are preparing your own documentation in relation to your compliance with the GDPR and you require our assistance regarding the storage and processing of your customers' data on our platform, please contact us.
Please note!
Our team cannot complete documentation on your behalf, or complete questionnaires about data storage and processing. If you have a question about how your compliance with the GDPR is impacted by your use of our platform it must, for legal reasons, be submitted in writing. Unfortunately, we are not able to answer questions about GDPR compliance over the phone.
Data we hold about you, as our customer
As our customer, we also store and process data about you.
As well as storing and processing this data on our platform, on AWS, we also store and process this data on our own internal devices and networks. Data we hold about you is encrypted whilst being stored and whilst in transit between devices.
Access to data we hold about you is restricted on a need to know basis.