The EU General Data Protection Regulation (GDPR) will set a new standard for how companies use and protect EU citizens’ data. It will take effect from May 2018.
At Carts Guru, we’ve been working hard to prepare for GDPR, to ensure that we fulfil its obligations and maintain our transparency about customer messaging and how we use data.
As Carts Guru's first dedicated compliance hire, I’ve been working with our teams and lawyers to figure out how to convert GDPR legal provisions into tangible actions. We’ve been asking lots of questions, and our customers have been asking us questions.
Here’s an overview of GDPR, and how we are preparing for it at Carts Guru:
The EU General Data Protection Regulation (“GDPR”) is a new comprehensive data protection law that comes into effect on May 25, 2018. It will replace existing EU Data Protection law to strengthen the protection of “personal data” and the rights of the individual. It will be a single set of rules which govern the processing and monitoring of EU data.
Does it affect me?
Yes, most likely. If you hold or process the data of any person in the EU, the GDPR will apply to you, whether you’re based in the EU or not.
How is Carts Guru preparing for GDPR?
Our teams have been working to define our GDPR roadmap. This is a massive overhaul of processes and data models to make sure we’re meeting our legal obligations, and doing the best thing for our customers while still letting us move fast, scale and build great products.
Here are the main things we’ve been doing to set ourselves and our customers up to meet GDPR obligations:
We’re building new features
Since day one, Carts Guru has provided a dedicated contact report where you can directly check the information collected about an individual user and update that user’s opt-in status per channel. In addition, our teams are building the features that will let our customers easily and fully manage user information:
- Check the information collected about an individual user.
- Update the opt-in for a specific channel for an individual user.
- Delete all data linked to an individual user.
- Import and export a list of opt-in and opt-out users at any time.
- Activate synchronization of opt-in and opt-out consents with your e-commerce platform.
All of this will also be available directly through a dedicated API.
You will also have more control over synchronizing your opt-in and opt-out lists.
These features will be released in April 2018.
Carts Guru can help you meet your data portability requirements under GDPR: you can easily export all of your data, or granular subsets linked to an individual.
We’re updating our Data Processing Agreements (DPAs)
Strong data protection commitments are a key part of GDPR’s requirements. Our updated data processing agreement shares our privacy commitments and sets out the terms for Carts Guru and our customers to meet GDPR requirements. This is available for customers to sign upon request.
We’ve certified for International Data Transfers
The EU-US Privacy Shield is a framework negotiated and agreed by the European Commission and U.S. Department of Commerce as a lawful way of transferring personal data.
We’re coordinating with our vendors
We’re reviewing all our vendors, finding out about their GDPR plans and arranging similar GDPR-ready data processing agreements with them.
We’re taking new security measures
Security is a priority for us. We have regular external audits, pentests and bug bounties. We’ve built a robust security framework over the past couple of years, achieving international compliance standards (SOC 2, CSA and Privacy Shield) and reviewing our internal access design to ensure the right people have access to the right level of customer data.
We’ll keep sharing information on our progress, and we’ll also help our customers and prospective customers be compliant. Some steps you can take are:
- Get familiar with the GDPR requirements and how they affect your company.
- Map out everywhere you process data and carry out a gap analysis.
- Consider how you can leverage Carts Guru to help with your GDPR compliance. Our audit reports, pen tests and security docs are available to customers on request.
- Chat to your lawyer about what your company needs to do.
- Keep an eye on the developing guidelines from the GDPR Article 29 Working Party.
Feel free to reach out to us if you have any questions about GDPR - we’d be happy to chat to you about it.