StoreMaven & GDPR
Last updated: May 31, 2018
On May 25, 2018, the General Data Protection Regulation (“GDPR”) became fully applicable in the European Union (EU). StoreMaven has always taken privacy very seriously, which is why we have put this document together to provide an overview of what StoreMaven has done to get prepared for GDPR.
What has StoreMaven done in order to comply? This is a high-level summary of what we have done so far:
- GDPR strategy.
  - We retained outside counsel to help us understand the GDPR and prepare a GDPR compliance plan.
  - We built an internal taskforce with members of different departments (security, sales, product development, and others) to implement the GDPR compliance plan internally.
- Data mapping. We mapped StoreMaven’s data collection practices, including the data we collect, where we store it, with whom we share it, etc.
- Data Processing Agreement with customers. We have prepared and published a Data Processing Agreement for customers who are subject to the GDPR and need a DPA. It can be found at www.storemaven.com/dpa. This agreement can be easily downloaded and signed so, please, if you are a customer subject to the GDPR download it and return it signed to us.
- Data transfers.
  - Hosting. We host all personal data with Google Cloud Platform (GCP), which has already announced that it will comply with the GDPR and is also registered with the EU-US Privacy Shield (see: https://www.privacyshield.gov/list).
  - StoreMaven’s staff. Our staff sits in Israel, which the European Commission has declared a country that offers an adequate level of data protection (see: https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/adequacy-protection-personal-data-non-eu-countries_en).
  - Other service providers. We only share personal data that is subject to the GDPR with vendors and partners who have announced that they will comply with the GDPR and have undertaken to do so. For example, we share personal data with Google, Intercom, and Slack.
- Data Processing Agreement with service providers. We executed Data Processing Agreements in accordance with Article 28 of the GDPR with all our service providers with access to personal data subject to the GDPR.
- Policy for handling data-subject rights. We implemented an internal policy for recognizing and handling requests and claims related to data-subject rights (such as the right of access, right to be forgotten, etc.). We reviewed the way we develop our products and ensured it follows the Privacy by Design and Privacy by Default principles required by the GDPR. Requests to exercise data-subject rights should be sent to email@example.com and will be processed promptly.
- Record keeping. StoreMaven keeps an updated file describing StoreMaven’s data-collection and data-processing practices. StoreMaven periodically reviews this file to make sure that it is always fully updated.
- Security measures. We reviewed our security measures and created a resource describing our actions to protect our clients’ data. You can read more about Security at StoreMaven here.
- Data breach protocol. We ensured our data breach protocol is in line with the Article 29 Data Protection Working Party’s Guidelines on Personal Data Breach Notification under Regulation 2016/679.
- Ongoing compliance. We are not approaching GDPR compliance as a one-time exercise. Therefore, we are committed to periodically reviewing our roadmap and ensuring ongoing compliance.
Who should be concerned about the GDPR?
Our recommendation is that all our customers assess carefully whether they are subject to the GDPR and, if so, to what extent. The consequences of breaching the GDPR are very serious and could include fines of up to 20 million Euro or 4% of the breaching company’s global turnover.
If I am a customer not based in the EU, should I still be concerned about the GDPR? Given the GDPR’s extraterritorial effect, our non-EU-based customers are also encouraged to assess whether the GDPR applies to them. The GDPR applies not only to companies that process the personal data of European individuals and have a presence in the EU (e.g. offices or establishments) but also to companies that have no presence in the EU but offer goods or services to individuals in the EU and/or monitor the behavior of European individuals where that behavior takes place within the EU.
As a StoreMaven customer, where should you start your “GDPR journey”? If the GDPR applies to your company, we highly recommend conducting internal due diligence to map your specific data collection practices. This includes, among other matters, understanding what specific personal data (including sensitive personal data) of individuals protected by the GDPR your company is collecting (e.g. end-users, customers, employees, etc.), from whom the data is collected, where it is hosted, for what purposes it is used, with whom it is disclosed, and whether the personal data is transferred outside of the European Union or European Economic Area. Then, if you are sharing personal data protected by the GDPR with us, please contact us via firstname.lastname@example.org.
Where can I learn more about GDPR? Additional information is available on the European Commission’s website here (http://ec.europa.eu/justice/data-protection/reform/index_en.htm).
I have more questions. Who should I contact? If you have any additional questions about the GDPR you are welcome to contact us at email@example.com / your client consultant.
Disclaimer: The information in this document may not be construed as legal advice about the interpretation or application of any law, regulation or regulatory guideline. Customers and prospective customers must seek their own legal counsel to understand the applicability of any law on their processing of personal data.