GDPR and Running Your Business

We at RISC Management and Consulting have our online store through Shopify and use a multitude of applications (apps). We’ve always managed our business in a transparent and ethical way. However, with the GDPR taking effect tomorrow, we want to help you take steps to assure merchants that your apps are GDPR compliant!

The General Data Protection Regulation, or GDPR, is EU Regulation 2016/679. This regulation deals with the “protection of natural persons with regard to the processing of personal data and on the free movement of such data”. It will be applicable as of May 25th, 2018 in all member states to integrate data privacy laws across Europe. The regulation came into force on May 24th, 2016. If you serve sellers, retailers, and businesspeople who could have customers based in Europe, then this regulation will affect you.

Key Issues of the GDPR

  • Consent
  • Data Protection Officer
  • Email Marketing
  • Encryption
  • Fines/Penalties
  • Information Obligations
  • Order Processing
  • Personal Data
  • Privacy by Design
  • Privacy Impact Assessment
  • Records of Processing Activities
  • Right of Access
  • Right to be Forgotten
  • Third Countries

Shopify apps

Be mindful of data request and permissions needed

When merchants are deciding whether to connect your app to their store, it’s important for them to be clear on which parts of their store they’re giving you access to when they install your app.

If you request any permissions that don’t seem to align with what your app provides, we recommend that you:

  • Update your app listing to be clear on why your app requires permission to that piece (or those pieces) of data
  • Consider whether your app actually requires that permission, and disconnect from that API endpoint if it doesn’t

Merchants know that apps often need access to certain pieces of data in order to carry out certain actions or features. However, it’s important to remember that asking for permission to data that doesn’t seem necessary for your app to access can erode merchant trust.

Communicate your use of data through a privacy policy

Beyond letting merchants know what information you’ll be accessing, GDPR also requires that you provide all users of your product (i.e. your app) with detailed information about how exactly your app uses the personal information it collects. One simple but in-depth way to do this is through your app’s privacy policy. 

Ensure you have a secure, organized system for storing data

One of the most important data rights that GDPR specifies is the right all individuals have to access, correct, or erase their personal data. This means that not only do you need to have a process for retrieving and deleting merchant data upon request, you also need to be able to easily delete your merchants’ customers’ data from your app as well. The first step in being able to do this is to ensure that all personal data you collect is stored in a secure and organized way.

We have included the Fact Sheet from the European Commission, in which they address several improvements for dealing with data protection violations in the future.