GDPR (General Data Protection Regulation) is the new data law coming into effect on 25th May 2018 to update the previous Data Protection Act. For more information on the regulation itself, take a look at our previous blog post on the topic.
We have made a number of changes to the bluCommerce frontend as well as internally to comply with GDPR. As such, we did a Q&A session with Aaron, our Head of Insights, to get full transparency into the updates we’ve made and to provide details of how both our clients and their customers may be affected by the new regulation.
The updates to our bluCommerce frontend fall into two categories: feature updates and fulfilling customer rights, and the internal updates into four: policy updates, infrastructure, security, and data clean up. We covered all of them in our Q&A session to get the best insights possible.
Q. How did blubolt approach GDPR?
A. Lots of research was our first port of call; we had to look at the situation from two different angles.
We conducted extensive research into GDPR and its eventual implications as well as the future changes we would have to make. This provided us a solid foundation of understanding on which to build and implement new processes. We looked at the full extent of the changes to be made, in all areas of the business, and how we handle and store personal data, a fundamental aspect of GDPR.
Q. How did you provide customers with transparency for mailing list sign ups?
A. Following the ICO’s guide on Direct Marketing, we have activated double negative opt-in for email sign-ups. Furthermore, our clients now have the ability to inform their customers of mailing list intent, and to link to any relevant 3rd party documentation. Lastly, there will be the option to display current mailing list preferences at checkout for both registered and guest users, providing the opportunity to amend these as desired.
Q. Do clients have the ability to provide proof of mailing list sign-ups if necessary?
A. Yes – We’ve included a full subscription audit history in the customer download, including the current subscription status, subscription location, and date/time of the change.
Q. Will new regulations reduce clients’ mailing list subscriptions?
A. There is no way to tell for certain, however we’ve developed new functionality to place a sign-up call to action on the ‘Thank You Page’. This is a customisable area to provide a customer with a final subscription offer after making a purchase.
Q. What about Abandon Basket and Product Review emails?
A. While we are not in a position to provide legal advice on this, we’ve ensured that all email templates contain the ability to provide appropriate content to inform the user of email intent.
Q. Do clients’ cookie policies need to be updated?
A. Yes. All clients will have received an updated list of cookies supplied by bluCommerce with the aim of removing all personal data from the cookies.
Q. How will sensitive personal data be handled?
A. Sensitive personal data has been defined by the ICO as: relating to information concerning a data subject’s racial or ethnic origin, political opinions, religious beliefs, trade union activities, physical or mental health, sexual life, or details of criminal offences. bluCommerce will no longer be storing sensitive personal data. Updates have been provided to clients affected by this.
Q. Are third party data channels secure?
A. As of 25th May 2018 when the GDPR officially comes into effect, bluCommerce will no longer accept data transferred through insecure channels. This means that all web services will be required to have appropriate security certification and all FTP transfers will be required to connect through SFTP/FTPS (secure FTP). FTP passwords have also been reviewed; any deemed to be insecure must be updated.
Q. How will it work with data storage consent and the bluCommerce Refer A Friend feature?
A. Referred friends’ details will no longer be stored unless they have provided explicit consent stating this. Friends will be provided with a secure URL to create an account to access specific benefits. More details to follow.
As part of GDPR, we have created new processes within blubolt and bluCommerce to ensure the following customer rights are upheld:
The right to erasure
The right of access
The right to data portability
Q. How will you uphold a customer’s right as an individual to request personal data to be erased from a company and any subsequent processors?
A. We have developed new internal processes to make this possible and scalable with each customer request. bluCommerce clients need only raise a support ticket with their customer ID and we’ll take care of the rest. In addition, we’ve provided each client with an integration list covering each 3rd party we transfer data to, meaning they can follow the data lifecycle between suppliers to ensure data is removed.
Q. How will you uphold a customer’s right as a data subject to have access to a copy of the data held on them and to have it provided to them in a machine-readable format?
A. New tooling has been developed to allow a full export of all of the data bluCommerce holds on an individual. The download is provided as a JSON file, which is included within the permitted, machine-readable formats. This functionality is available to clients to use, meaning the data controller can fulfil each customer request.
A. We’ve introduced a new clear desk policy. Paper should not be present on desks, regardless of content. All employees will receive lockable drawers for sensitive information as well as shredders on each floor for safe disposal of physical data.
Q. How is physical data disposed of?
A. Once the shredders are full and unused hardware is finished with, we ensure these are properly disposed of using a specialist 3rd party company who destroy it immediately.
Q. And what about onscreen data?
A. We’ve also implemented a safe computer policy. Computers are automatically locked when not in use.
Q. How does blubolt monitor building access?
A. We’ve installed CCTV on all floors where hardware is stored. This is in line with ICO guidelines regarding CCTV operation within a business. In addition, we have implemented a guest book that all visitors must sign upon entry into the building.
Q. How long do you retain order/customer data for?
A. Currently, data is retained indefinitely unless we are instructed otherwise. We are happy to dispose of old data as necessary, but this will only be upon request and is the responsibility of each data controller.
Q. Is your business protected against new GDPR regulations?
A. Our business indemnity insurance has been reviewed to ensure adequate cover for GDPR.
Q. What is the process in the case of an urgent incident/data breach?
A. We have updated our incident response plan and included detailed information on what happens in the case of a data breach. We will also be holding regular internal incident training workshops, as well as simulated incidents.
Q. What visibility is there into 3rd party systems?
Q. How does your internal infrastructure ensure safe handling of personal data?
A. We’ve made positive changes to our infrastructure concerning the storage and processing of personal data, especially data backups. Personal data included in backups are now stored for no more than 14 days, after which they’re deleted. Backups without personal data are stored for up to 12 months. Further to this, we’ve improved the handling of servers which store and process personal data, ensuring improved security.
Q. How can we know if our data is being downloaded?
A. You can restrict who has access to your data through access permission settings within bluCommerce, ensuring only staff who need access to download data can do so. We’ve also extended the audit log to track any data exports to ensure these are correctly captured. This includes all clients and blubolt team members, meaning any download is tracked.
Q. How can clients ensure that access to personal data is secure through authorised channels?
A. We have made several changes regarding this matter:
A. Not anymore! We’ve conducted extensive reviews of ‘old data’ and taken appropriate steps to remove any unwanted data. This includes data from unused systems and old branches. New policies are now in place to prevent the storage of personal data by these systems. In addition, we will be conducting a regular clean up exercise.
If you have any questions regarding any of the updates we’ve made related to GDPR or any of the information featured in this Q&A session, then please feel free to get in touch. We’d be more than happy to provide more information.