Citrus-Lime and GDPR
Here at Citrus-Lime, we have appointed Citrus-Lime Team Member Rebecca Clarke as Data Protection Officer (DPO). Rebecca has collated the information you, as our customers, need to integrate technical information into your Terms & Conditions and Privacy Policies, so that you can be transparent about what data we store and process on your behalf, and how and where we do so.
For extra clarity, we have completed the process of ensuring Citrus-Lime is GDPR compliant with the following:
- Data Audit (to establish current position)
- Privacy Statement (i.e. "how we intend to use people's data")
- Procedures
  - How will we react if someone wanted to have data deleted?
  - Would our system help locate and delete?
  - Who will make the decision about deletion?
  - How would we react to a Subject Access Request?
  - What procedures do we have to Detect, Report and Investigate a personal data breach?
- Review of Consent
  - How do we seek consent?
  - How do we record consent?
  - How do we manage personal data?
- Data Protection Impact Assessment
Citrus-Lime's Privacy Statement
Read Citrus-Lime's updated Privacy Statement.
Citrus-Lime's Sample Data Processor Agreement
This is an example of a Data Processing Agreement that Citrus-Lime could provide to our customers:
Sample GDPR Data Processor Agreement
If you would like to know more, please contact our DPO, Rebecca, via privacy@citruslime.com or write to us via Citrus-Lime Limited, The Lantern House, The Ellers, Ulverston, Cumbria, LA12 0AA.
A Quick Overview of GDPR
GDPR gives people more rights over their personal data, and it also defines what counts as Personal Data very broadly. GDPR gives people the right to access, update, amend, delete and/or restrict the processing of their data. GDPR sets out strict guidelines about how you need to get customers to agree that you can use their data (this is often referred to as "unambiguous consent"). This extends beyond the processing of orders and is especially important if you're using your customers’ personal data for marketing or advertising.
GDPR also makes it your responsibility to protect that data (even if you’re using a processor like Citrus-Lime to store that data on your behalf). It is your responsibility to make sure that your customers (and website visitors) can exercise all the rights they now have.
If someone from within the European Union contacts you and asks you to delete, for example, the history of their purchases from your store then you need to be able to comply.
Citrus-Lime is not able to offer legal advice, so our best recommendation is that you consult your solicitor if you are not sure how this will impact your business. That said, the information we have gathered as part of our own preparations is shared below, along with an overview of what we will implement in Citrus-Lime Ecommerce (before 25 May 2018) to help you gain unambiguous consent from your customers.
If you wish to take a deep dive into GDPR, we recommend that you read the information available from the ICO:
https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/
What Qualifies as Personal Data?
If you collect or store any information that can be linked to an individual, then that is defined as personal data. If, for example, customers create accounts as a standard part of doing business with you, or you collect their email addresses, both of those count as personal data.
Direct Marketing?
Individuals have the right to prevent their personal data being processed for direct marketing. An individual can, at any time, give you written notice to stop (or not begin) using their personal data for direct marketing. Any individual can exercise this right, and if you receive a notice you must comply within a reasonable period.
Legitimate Interest?
The official GDPR documentation (Recital 47) describes the processing of personal data for legitimate interest reasons as:
The legitimate interests of a controller, including those of a controller to which the personal data may be disclosed, or of a third party, may provide a legal basis for processing, provided that the interests or the fundamental rights and freedoms of the data subject are not overriding, taking into consideration the reasonable expectations of data subjects based on their relationship with the controller. Such legitimate interest could exist for example where there is a relevant and appropriate relationship between the data subject and the controller in situations such as where the data subject is a client or in the service of the controller. At any rate the existence of a legitimate interest would need careful assessment including whether a data subject can reasonably expect at the time and in the context of the collection of the personal data that processing for that purpose may take place. The interests and fundamental rights of the data subject could in particular override the interest of the data controller where personal data are processed in circumstances where data subjects do not reasonably expect further processing. Given that it is for the legislator to provide by law for the legal basis for public authorities to process personal data, that legal basis should not apply to the processing by public authorities in the performance of their tasks. The processing of personal data strictly necessary for the purposes of preventing fraud also constitutes a legitimate interest of the data controller concerned. The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.
http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679&from=EN
Suppressing Details
Individuals will often ask you to remove or delete their details from your database or marketing list. However, in most cases it is preferable to follow the marketing industry practice of suppressing their details. Rather than deleting an individual’s details entirely, suppression involves retaining just enough information about them to ensure that their preferences are respected in future.
The one identifiable area that is outside of your direct control is in the use of email addresses (gathered during an online transaction) for email marketing. All gathered email addresses are added to your marketing list and, whilst the recipient of any follow-up marketing is able to opt-out at any time, it is arguable that your current Terms & Conditions content may be insufficient to meet GDPR rules surrounding unambiguous consent.
To that end, Citrus-Lime Ecommerce (ahead of 28 May 2018) will be changed to include the following features:
These features ensure that you are seeking unambiguous consent from a customer during Checkout or during Account Creation. We have adopted the suppression approach and Citrus-Lime Ecommerce will assume that consent for email marketing has not been provided unless this checkbox is set.
It is essential to the processing of an order placed online (or the creation of a Customer Account) that an email address is provided. It is not possible (or necessary) to avoid the collection of this data. However, whilst it may be in the legitimate interest of the customer to receive email marketing from you, the provision of an email address alone does not guarantee consent to further communications.
The suppression approach allows the customer to opt in or opt out at any point in their relationship with you. This is handled automatically by the Citrus-Lime Ecommerce platform and enables you to be compliant with GDPR rules.
When (and where) will the GDPR Checkbox display?
During Checkout, the GDPR Checkbox will only display to First Time Customers (i.e. a customer checking out with details that are not already contained within the Ecommerce database). To meet compliance rules, the GDPR Checkbox will be unset by default. If the Customer opts in to receive marketing messages ("opts in" = sets the checkbox active), then the GDPR Checkbox will not be presented during checkout on subsequent visits.
However, a Customer can, at any time, revise their checkbox status by visiting the My Profile page within the Account section.
Other (possibly) useful information
Fewer than 250 Employees
If you have fewer than 250 employees, GDPR means you must hold internal records of your processing activities, where the data being processed could risk somebody's rights and freedoms, or where that data relates to criminal convictions and offences.
http://www.itpro.co.uk/data-protection/29123/gdpr-for-small-businesses-what-it-means-for-you
Mailchimp
For anyone using Mailchimp to deliver email marketing campaigns, the company has published its own information regarding GDPR compliance, which can be read here: https://blog.mailchimp.com/gdpr-tools-from-mailchimp/
Transactional Email vs. Marketing Email
You don't need consent to send invoices and other transactional emails to your customers. What the difference would be between a transactional email and a marketing email is not defined.
Published 24 October 2017 on https://www.reallysimplesystems.com/blog/gdpr-faq/
Customer Rewards and Automated Transaction Emails
Customer Rewards is a feature of your existing system and not a separate software solution requiring separate consent. It is not possible to complete a transaction without generating rewards points and the personal data is stored within the same cloud system as all other customer and transaction data.
The legal guys said we have to point out that if you decide not to opt in to news, offers and competitions, you may still receive service messages from time to time, i.e. giving your Subcard® points balance or notifying you that you have reached the maximum allowable points balance, as per the terms and conditions of the programme.
Note: The content above was extracted from a recent email sent by the Subway® company.
Do I need consent to store data in a CRM system?
No. You only need consent from a person to communicate electronically with them – by email, SMS, fax or telephone. You don’t need consent to send them physical mail.
Published 24 October 2017 on https://www.reallysimplesystems.com/blog/gdpr-faq/
How long can I retain data for?
If you only hold a modest amount of personal data, you may not need a formal data retention policy. You must still comply with the law, of course, so it is good practice to conduct a regular audit, and to check through the records you hold to make sure you are not holding onto personal data for too long, or deleting it prematurely.
https://ico.org.uk/for-organisations/guide-to-data-protection/principle-5-retention/
Note: There does not appear to be a definition of what exactly constitutes "too long" for data retention, but it is clear that "indefinitely" is not an option.
If the data is captured for the purpose of direct marketing, it seems reasonable that the retention period should be tied to how long after completing a purchase an individual can still be considered a customer.
A recent study illustrated that "90% of returning customers have repurchased from a company or brand within 50 months".
Study conducted by Epsilon Abacus in July 2017
So, in principle, it seems that your data retention policy could state at least 50 months. Logically, anyone who purchases again within that time period resets the 50 months on your retention policy (and does so every time they make a purchase).
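The suppression approach and default-unset consent checkbox described above, together with the rolling 50-month retention window just discussed, can be modelled in a few lines. This is an added illustration, not code from the Citrus-Lime platform; the class, method names and the use of a hashed email as the suppression key are assumptions.

```python
import hashlib
from dataclasses import dataclass
from datetime import date

RETENTION_MONTHS = 50  # the page's "at least 50 months" figure

def _norm(email: str) -> str:
    return email.strip().lower()

def _suppression_key(email: str) -> str:
    # The suppression list keeps only a one-way hash: enough to honour the
    # preference later without retaining the address itself (unsalted here for brevity).
    return hashlib.sha256(_norm(email).encode()).hexdigest()

def add_months(d: date, n: int) -> date:
    y, m = divmod(d.month - 1 + n, 12)
    return date(d.year + y, m + 1, min(d.day, 28))  # clamp the day so every month is valid

@dataclass
class CustomerRecord:
    email: str
    marketing_consent: bool  # False unless the checkbox was set, as the page requires
    last_purchase: date

class ConsentStore:  # hypothetical in-memory model, not the Citrus-Lime platform
    def __init__(self) -> None:
        self.customers: dict = {}     # normalised email -> CustomerRecord
        self.suppressed: set = set()  # hashed keys of erased individuals
    def show_gdpr_checkbox(self, email: str) -> bool:
        # Only first-time customers (details not yet in the database) see the checkbox.
        return _norm(email) not in self.customers
    def checkout(self, email: str, purchased_on: str, opted_in: bool = False) -> CustomerRecord:
        key, when = _norm(email), date.fromisoformat(purchased_on)
        if key not in self.customers:  # first-time customer: consent is whatever the checkbox said
            self.customers[key] = CustomerRecord(key, opted_in, when)
        self.customers[key].last_purchase = when  # every purchase resets the retention clock
        return self.customers[key]
    def may_send_marketing(self, email: str) -> bool:
        rec = self.customers.get(_norm(email))
        return bool(rec and rec.marketing_consent) and _suppression_key(email) not in self.suppressed
    def erase(self, email: str) -> None:
        # Suppression rather than plain deletion: drop the identifiable record, keep only the hash.
        self.customers.pop(_norm(email), None)
        self.suppressed.add(_suppression_key(email))
    def retention_expiry(self, email: str) -> str:
        return add_months(self.customers[_norm(email)].last_purchase, RETENTION_MONTHS).isoformat()
    def expired(self, today: str) -> list:
        # Records whose rolling window has closed and are due for review or removal.
        return sorted(k for k in self.customers if self.retention_expiry(k) < today)
```

Dates are passed and returned as ISO strings so that expiry comparisons and audits need no extra conversion.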
Google Analytics Data Retention
The Google Analytics Data Retention controls give you the ability to set the amount of time before user-level and event-level data stored by Google Analytics is automatically deleted from Analytics’ servers. These settings will not take effect until May 25, 2018.
https://support.google.com/analytics/answer/7667196
Cookies
Cookies are mentioned once in the GDPR, in Recital 30:
Natural persons may be associated with online identifiers [...] such as internet protocol addresses, cookie identifiers or other identifiers [...] This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.
What this essentially tells us is that cookies, where they are used to uniquely identify the device, or in combination with other data, the individual associated with or using the device, should be treated as personal data. This position is also reinforced by Recital 26, which states that where data can reasonably be used, either alone or in conjunction with other data, to single out an individual or otherwise identify them indirectly, then it is personal data.
Use of pseudonymous identifiers (like strings of numbers or letters), which is what cookies typically contain to give them uniqueness, still makes them personal data.
So under the GDPR, any cookie or other identifier, uniquely attributed to a device and therefore capable of identifying an individual, or treating them as unique even without identifying them, is personal data. This will certainly cover almost all advertising/targeting cookies; lots of web analytics cookies; and quite a few functional services like survey and chat tools that record user ids in cookies.
https://www.cookielaw.org/blog/2016/5/13/the-gdpr,-cookie-consent-and-customer-centric-privacy/
All new Citrus-Lime Ecommerce projects (after 28 May 2018) will have the option to include a clear and persistent request for Consent to Cookies to be given. If consent is given, a cookie will be placed and the request will not be presented again for the equivalent of 50 months, or until a subsequent visit if the user has manually cleared cookies from their device in the meantime.