The General Data Protection Regulation (GDPR) outlines new rights for people residing within the EU. These rights concern the collection and use of personal data within the EU, as well as the export of this data outside of the EU.
The GDPR aims to simplify laws regarding data privacy and processing and to give EU citizens and residents greater control over their personal data.
These new rights are:
The right to access information a company has acquired about them, free of charge.
The right to be forgotten where, on request, all personal data is erased.
The right to be notified in the event of a data breach that may have compromised their personal data.
The right to only have their personal data used after providing unambiguous and clear affirmative approval.
When you ensure these rights for your customers, people will also have greater trust in purchasing from your store and sharing their data with your business.
Does the GDPR apply to my store?
The rights guaranteed by the GDPR apply to anyone residing within the EU at the time their data was processed. This includes non-EU citizens. If your store operates entirely outside of the EU and has no customers within the EU, then the GDPR should not apply to your store.
If your store does operate both within and outside of the EU, then the GDPR will apply to all of your customers.
Do I need to get everyone on my list to re-opt-in?
No. As long as they have already opted in, you do not need them to re-opt-in.
If they have not already opted in but are on your list, then they need to opt in as soon as possible, as it is against our Terms of Service to have people on your emailing lists who haven’t opted in.
What is ‘personal data’?
Personal data is any piece of information that is, or can be, linked to an individual.
This includes data on a person’s professional and public lives, not just their private life.
Examples of such data include names (including just first names and nicknames), email addresses, social media profiles, IP addresses, purchasing history, etc.
The list of what can constitute personal data is too long to list here, but consider any and all information you collect from an individual to be their personal data.
What data does SmartrMail hold?
SmartrMail only holds data synced from your e-commerce store plus engagement data from emails you have sent, such as open and click-through rates. Once a subscriber has been deleted from SmartrMail, all their data is deleted from SmartrMail’s systems too. If a customer requests a data deletion via your e-commerce platform, the platform sends SmartrMail a request to delete the data as well.
How do I provide subscribers with a copy of their personal data?
Should a subscriber request a copy of all the personal data you hold about them, you will also need to provide them with the information stored on SmartrMail’s systems.
In order to do this, you simply need to go to the ‘Subscribers’ page on your SmartrMail account and search for the subscriber who has requested their data. Enter their profile page and export the subscriber.
You will receive a CSV file that contains all the personal information SmartrMail holds on this subscriber. Simply pass the CSV on to the subscriber.
How do I delete my subscriber’s personal data on request?
Deleting a subscriber’s personal data held with SmartrMail has been made simple: whenever you delete a subscriber, all their personal data is now erased from SmartrMail’s systems.
In order to delete a subscriber, simply go to the ‘Customers’ tab at the top of your SmartrMail account, and then search for the subscriber’s email in the search field in the upper right of the screen. By clicking on the relevant email, you will be sent to that subscriber’s info page, where you’ll find a ‘Delete’ button in the upper right. Clicking on this will remove the user from the mailing list and erase all of their personal data stored on SmartrMail’s systems too. Subscribers will also have the ability to delete all their personal information automatically after unsubscribing from emails.
What does the right to be forgotten mean?
The right to be forgotten means that if requested, companies must erase all personal data related to that person. This essentially means that the company forgets that they have ever dealt with this person.
The GDPR guarantees this right for all citizens and residents of the EU. This means that should an EU citizen or resident request that you erase all data you have on them, you must comply.
What does providing unambiguous and clear affirmative action mean?
Under the GDPR, you can only process an EU citizen or resident’s personal data after they have given unambiguous and clear affirmative approval for you to use their data in the way you said you would.
This means that you must be upfront with how you intend to use the data.
The unambiguous action means that you cannot try to trick or deceive someone into giving permission. This rules out pre-ticked checkboxes or only offering opt-out options for data processing. The onus is on you to demonstrate that the person took a deliberate action to grant permission for their data to be used.
SmartrMail is ensuring this by implementing a double opt-in feature for all SmartrMail mailing list signup forms. With double opt-in, when a user enters their email into the signup form and clicks submit, they will receive an email outlining how their personal data will be used and asking them to once again confirm that this is okay. You can learn more about double opt-in here.
How quickly must I give a customer a copy of their data, erase their data, or notify about a possible data breach?
The GDPR does not mandate an exact response window, but for ecommerce stores you should aim to satisfy the request within 72 hours. However, up to a week should be fine.
As long as you do not create any unnecessary delays, you should be fine.
A customer has just made a purchase and wants records of that sale erased. Do I have to comply?
If the person resides in the EU, then yes. Under the GDPR you will have to comply with the customer’s wishes.
Records of sales made to that person constitute personal data. This includes the delivery address, billing information, email address, etc.
It's a best practice to add all the services that you use that have access to your customers' personal data, like names and email addresses. You can add the below text for SmartrMail:
We use the email distribution service provided by SmartrMail Pty Ltd based in Australia (https://www.smartrmail.com). SmartrMail assists us in creating, scheduling, and delivering our newsletters. SmartrMail acts as our data processor and it may have access to your name, email address, IP address, and cookie-related data, which is necessary for newsletter delivery and analytics purposes. To make sure that your personal information is properly protected, we have concluded a data processing agreement with SmartrMail that ensures the highest level of protection for your personal information.
You can also check out our blog post about the changes we’re making to ensure SmartrMail is compliant with the GDPR here.
For a more detailed explanation of the GDPR: https://ico.org.uk/for-organisations/guide-to-data-protection/key-definitions/
The European Commission has also created a great infographic explaining the GDPR: