This post doesn’t constitute legal advice. If you want advice on what your business requires to be GDPR compliant, you should consult a lawyer.
This is our second post regarding the GDPR! The first post gives you a general overview of what the GDPR is and why it's important. This post goes into further detail about Art of Where's role as both a web-based business and an on-demand manufacturer, and our responsibilities to our customers concerning data collection, information processing, and other obligations under the GDPR.
Everything Art of Where does to make our online manufacturing work for you.
Obviously this would be a never ending post if we told you everything we do to make Art of Where live! So we simplified it as much as we could into this chart:
In the chart, our main service is processing and shipping orders placed online, both to our customers and to our customers' end users (via drop shipping). Above all, our job is to serve our customers. We do this primarily by fulfilling orders, but also by maintaining a fully functional website. This involves things like hosting your designs, providing customer service across various platforms, using multiple postal services and pieces of software, communicating with you, maintaining servers, developing new products, and processing payments.
So where's the data transfer happening?
This is exactly what the GDPR is concerned with: making sure that data transfer happens in an informed, respectful, and secure way. When you sign up for an account with Art of Where (mandatory for drop shipping), we need basic information like your name and email. To ship orders, we need addresses and contact information. To process payments or keep a credit card on file, we need you to input your payment info. To provide the government with proper reporting, we need accurate and detailed invoicing. We collect the minimum amount of data we need to provide our services.
Note! Credit card info is never stored on our servers. We only keep a token issued by our payment processor, who holds the card details; the token authorizes the processor to charge your orders without the card number ever passing through or sitting in our database.
When you order with us, you are allowing us to use your info to provide our services.
As our customer you can:
- Decide to receive or not to receive our newsletters. Opt in or out in your account or unsubscribe at the bottom of our emails.
- Edit your basic account information at anytime from your login.
- Have full control over your designs. Create and delete them as you please.
- Decide if you want to have a public account in the Art of Where stores, or keep your account private.
- Deactivate your public store without seeking permission first.
- Request that your info be edited or updated in our system.
- Request that your account be deleted and your info removed from our system. In this case we will keep only what we are legally required to retain for government records/accounting.
- Decide to integrate or not with 3rd party services like Shopify, Big Cartel, or Etsy to automate your order flow.
This last one is very important to look further at!
Remember! The statement below is detailed but has not passed inspection by a lawyer yet! Always have your privacy policies or other legally binding statements on your website reviewed by a qualified lawyer.
Example GDPR Statement:
To produce some of my products, I work with a 3rd party manufacturer ("Maker") to make and ship my printed _________________. To produce the product, all information required to complete your order, including your name, address, and the products ordered, will be transferred to the Maker. This transfer occurs over an encrypted connection using the HTTPS protocol. Your data will be stored with the Maker for as long as is reasonably and legally required for their records. They may use the order data internally for appropriate purposes, including related customer service (e.g. I need to check on where your order is) and statistical analysis. The Maker takes reasonable steps to ensure secure storage. My Maker complies with the GDPR.
The point of any GDPR-related statement about data is clarity and thoroughness. What information are you collecting? Why are you collecting it? Do you need it to perform your contract with your customer? Are you taking appropriate steps to secure the information? Are you sharing the information with anyone who should not have it? Ask yourself these questions, write down the answers, and you're on a good path to meeting your GDPR responsibilities!
A few other things you need to consider:
If your company has employees, make sure that staff have access only to the minimum amount of customers' personal information they need to perform their duties.
You'll want to check with any other makers, fulfillers, platforms, or services you use that they are GDPR compliant.
Keep your privacy statements up-to-date as your business grows.
The GDPR requires that you report a personal data breach to your supervisory authority within 72 hours of becoming aware of it, and that you inform the affected individuals without undue delay when the breach is likely to put them at high risk. Are you prepared to do this? Knowing in advance who would write the notice, what you would say, and how you would reach affected customers makes the 72-hour window far less daunting.
Is your contact information easily found on your website, especially contact info for privacy issues? Can you respond to requests for information, updates, or erasure within a reasonable time frame? The GDPR specifies one month, extendable in complex cases.
That's probably a bit of info overload so we'll leave it there for now! Let us know if there's anything you'd like us to expand on more in the comments!!
Keep in mind, the GDPR aims to build trusting and transparent relationships between buyers and sellers which is a good thing for everyone! Now that so much of the world is online, guidelines for how information is used will benefit everyone.