Hello members, friends and vendors.
An important message about the GDPR (General Data Protection Regulation). I hope that your service provider for credit card processing is keeping you well informed and up to date. If not, you need to start asking questions based on the information below.
As you may or may not know, the GDPR (General Data Protection Regulation) has a global reach even though it is a new law originating from the European Union. Any customers or clients you process from the EU fall under this new law. Even if you are operating outside the EU, you are subject to this law when processing and storing data from EU-related credit cards, payments and correspondence.
The GDPR is a new set of regulations designed to give consumers more power over their personal data. It allows them to review and update their data and restrict processing of their data, and it sets out strict user-consent guidelines. The GDPR has a global impact, affecting all Europe-based merchants, plus every company that either sells or rents to customers in Europe or tracks the activity of European residents. This means that if you rent to a European client and process their payment, you are subject to this law.
Actions to take:
- Revise your terms and conditions to include information on how you will store and use their personal information.
- Ensure you have a “By checking this box you agree to (your company's) terms and conditions” checkbox at checkout.
- Make checking that box mandatory to complete checkout on your site.
- Provide clients with the right to access their data on request. Your service provider for taking orders and processing credit cards should have this available to you as the operator anyway. If they do not and will not by May 28th 2018, you should start looking at another provider.
- You must be able to edit their personal data after the rental period is over. If a client from the EU requests that certain items be removed, deleted or modified, you must be able to do this and provide the client with proof that the request has been complied with.
- Start a database of clients with name, date and email. If a data breach occurs with your processor or provider, you are required to inform all of your clients within 72 hours.
Yes, it sounds like more work than you are used to; however, providers like Ecwid are ahead of the game, and this is easy to do within their system.
You can also look at CRM (Customer Relationship Management) software to track your clients; it will automatically record your emails in the system. Of course, if you are using a third-party software program, this needs to be stated in your Terms and Conditions.