Has anyone (especially Nitrosell) put thought as how to apply this on a practical level to their data, and what changes need to be made to the Nitrosell site and the way you store their data?
We have general processes in place for handling of personal data. In terms of who is the data controller, because we are POS-integrated, NitroSell is legally a data processor and the retailer is the data controller.
Should you need to delete a person's data under "right to forget", you can delete their record from the POS, and can request that we erase order history and any web records through a ticket. As a policy, we only retain data at a retailer's request, and data is only retained as long as you are a NitroSell customer.
In terms of breach protection, we have extensive security measures in place in order to meet and maintain PCI-DSS Level 1 compliance. We have a comprehensive compliance process, and many industry standard security measures in place, and all of these are checked annually with an on-site audit, annual penetration testing, weekly internal and external security scans, and managed intrusion detection systems. Our compliance provider is Trustwave, the leader in the space.
Finally, with regards to "opt in" for personal data collection, we do not yet have a standardised message to be displayed at registration or checkout, and a checkbox for same. Once we have come up with a standardised message that meets the standard, we would be happy to add this as a config option that can be enabled. If you would like us to add one in the meantime, please open a ticket, and it can be done easily.
If you have any other queries or concerns, please let me know.
Hey Todd! No, use of the site will still be conditional on consent to cookies; they won't be able to opt out of specific features. (Guest checkout, which already exists, will stop the store from creating a customer account, and mailing lists will be explicit opt-in, as opposed to implicit / opt out by default.)
Many thanks for the above. We are in the process of putting together our "GDPR Compliance Folder" as sourcing Data Processing Agreements / Documents to prove compliance from our 3rd party data processors for the following reasons:
"Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject."
Please could you direct me towards a document that shows that we have guarantees from Nitrosell that data is being processed in line with the regulation.
This is covered by our licence agreement. We will be providing an update in advance of May 25th. However, it is still well covered by the existing agreement.
Again, it would be best if we supplied this document by ticket because this is a public forum. If you can open a ticket on this topic, we will give you a copy of the agreement, which you will already have agreed to/signed prior to the go live of your webstore.