General Data Protection Regulation (GDPR)
The General Data Protection Regulation (GDPR) is a European privacy law that takes effect on May 25, 2018. The GDPR is not limited to European companies. It applies to any organization that processes the personal data of people in the EU, either because the organization is established in the EU or because it offers goods or services to, or monitors the behavior of, individuals in the EU. In practice, that covers most online businesses regardless of where they are located.
The GDPR gives people more rights over their personal data. Specifically, it provides the right to access, correct (rectify), delete (erase), and restrict processing of their personal data, as well as the right to receive a portable copy of it, and it sets strict conditions for user consent. If you collect or store any information that can be linked to an identifiable individual (names, e-mail addresses, shipping addresses, order histories, IP addresses and the like), that counts as personal data.
We recommend consulting with a legal professional as every business is different. Some businesses may need more preparation than others to comply with the GDPR. This article provides a general overview of GDPR compliance and directs you to the most common requirements.
Steps to prepare for the GDPR
Under the GDPR, Acutrack merchants must comply with the regulation if they are established in the EU or offer goods or services to customers in the EU.
Acutrack collects and processes personal data in a compliant manner. However, it is your responsibility as the merchant to comply with the GDPR when you collect and process personal data from your EU customers. Under the regulation, personal data is defined as any information relating to an identified or identifiable natural person, that is, anything that can be used to directly or indirectly identify a person.
We recommend the following:
Get clear consent before collecting any data
To require customers to accept your terms of service before checkout, enable the Show "I agree with Terms & Conditions" checkbox at checkout option on your website. With this feature on, it is impossible to place an order without accepting the Terms and Conditions, so every order carries a record that the customer accepted them. Note that acceptance of your terms is not the same thing as GDPR consent. Processing that is necessary to fulfil the order (name, address, payment and shipping details) does not need consent at all; its lawful basis is performance of the contract with the customer. Where you do rely on consent, for example for marketing e-mails or sharing data with partners, the GDPR requires it to be freely given, specific, informed and unambiguous, and presented separately from the terms of service: use a separate, unticked checkbox for each such purpose, keep a record of what was agreed to and when, and let the customer withdraw it as easily as it was given.
Provide customers with the right to access their data
This means you must provide your customers with a copy of their personal data in a commonly used, machine-readable format (for example, a CSV or JSON export), normally within one month of the request. You can access customer data directly in your Acutrack Control Panel. If you need help retrieving or providing the data, Acutrack can give you the information that it stores on your behalf. You should also take into account any third-party services you use (payment providers, e-mail marketing tools, analytics, support desks) that may hold your customers' personal data, since a complete response covers that data as well.
Provide customers with the right to delete, edit, restrict certain data uses
Along with access requests, Acutrack can help delete personal data that it stores on your behalf. Basic requests (e.g., a customer asks you to delete their order) can be handled quickly inside your control panel. Keep in mind that the right to erasure is not absolute: where you are legally required to retain records (for example, invoices kept for tax or accounting purposes), you may keep the minimum data needed for that obligation and should tell the customer why. Again, remember any third-party services that may have access to this data and forward the request to them.
We recommend storing data digitally rather than on paper. Printed invoices cannot be searched, corrected or securely erased on request. Digital records kept encrypted at rest, protected by a strong, unique password (ideally one produced by a password manager's generator) and restricted to the staff who need them are far easier to protect and to manage. The GDPR itself names encryption and pseudonymisation as examples of appropriate technical measures.
Data breach notifications
Acutrack acts as a Data processor while our merchants (you) act as Data controllers. If your website suffers a personal data breach of any kind, you, as the controller, must notify your supervisory authority within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to the people concerned. Where the breach is likely to result in a high risk to those people, you must also notify the affected customers without undue delay. Data processors are required to notify the Data controller without undue delay after becoming aware of a breach; it is then the controller's responsibility to notify the authority and the affected individuals. Whatever the outcome, document the breach, its effects and the remedial action taken, as the regulation requires that record to be kept.
What Acutrack has done to comply with the GDPR
Acutrack collects, stores and processes personal data based on GDPR guidelines and complies with GDPR requirements in the following ways:
we assigned a Data Protection Officer who is in charge of the Acutrack Data Protection Policy
we started to deliver GDPR-focused training to our key teams and personnel
we implemented a detailed procedure for handling all data subject access requests, deletion requests, and government access requests
we work only with sub-processors who provide adequate protection of personal data through robust technical and organizational measures
we developed a reliable method to detect, report and investigate a personal data breach
we established the necessary records of data processing activities
Our Vendors / Sub-Processors