Introduction
The General Data Protection Regulation or GDPR is one of several bills or laws that are or have been implemented in various regions of the world geared towards protecting individuals privacy rights. Smile is aware of and adheres to this type of legislation to ensure the rights of our merchants and their customers is controlled where it comes to personal information.
Here's what we're covering:
What is GDPR?
The General Data Protection Regulation, or GDPR, is an European Union regulation that came into effect on May 25th, 2018. This regulation changed how companies collect, use, and process the personal data of European residents. To review the entire regulation, click here.
Smile worked hard to ensure we comply with the GDPR and continue to do so as we add new features to our platform. We have put together some detailed information about how the GDPR affects the Smile platform, and what we did to prepare prior to May 25, 2018.
How does GDPR affect Smile?
The General Data Protection Regulation (GDPR) is a broad regulation that reshapes the landscape of data usage for companies that operate globally. We have extensively evaluated how GDPR affects our business. The good news is that the law did not require us to change the services we provide - it just changes how we provide those services.
The GDPR affects Smile in the following ways:
It requires us to re-organize our privacy team, and to adequately document and keep records of certain privacy-related decisions made by us so that we are accountable for our privacy practices.
To make sure that we and our merchants are able to honor the rights of European merchants and customers over their personal data.
It requires us to make certain contractual commitments to our merchants, and requires us to get certain contractual commitments when we use a third-party subprocessor to provide our services.
What has Smile already done to prepare for GDPR?
Smile has been hard at work preparing for the GDPR in the following ways:
We appointed a Data Protection Officer to oversee our GDPR implementation plan.
We implemented a Data Protection Impact Assessment process, as required by the GDPR.
We started to deliver GDPR-focused training to key teams and personnel, so that they are aware of the law’s requirements and can design our products and business plans with privacy in mind.
We implemented a detailed procedure to deal with data subject access requests, deletion requests, and government access requests.
We revised our Privacy Policies to include the disclosures required by the GDPR.
We have created on a more robust Cookie Policy to make sure that merchants have the information they need to get effective consent for us to place the cookies necessary to provide our platform.
We have created a Data Processing Addendum.
How does GDPR affect you?
All Smile users should consult with their legal professionals to understand their full scope of compliance obligations under the GDPR. As a general rule, if you are a store based out of the European Union, or have customers who live in the European Union, you need to be GDPR compliant.
There are a few GDPR checklists out there that we recommend looking at. While they are not replacements for legal advice, they are a great resource to get you started:
What do you need to know when using Smile?
Smile is a Data Processor which means that we process the data that you collect on your store, including Personal Data and Non-Personal Data. When creating or editing your privacy policy, you will need to disclose that your customer's data is being shared with Smile for the purpose of the rewards program, including what data is being collected. You can find what data we collect in our Smile & Privacy article.
How do I remove customer data from Smile?
Under the GDPR, Data Subjects have the "right of erasure". This means they can request that their data be removed at any point. As Smile does not collect data and process your existing customer accounts, the customer data should be removed within your eCommerce platform.
If you are using Shopify or Bigcommerce, when you remove the customer from your eCommerce platform, their data will also be erased from Smile.
If you are using a custom integration, you will send a customer/deleted event through our API to have the customer removed. You will also need to ensure that no further data is sent to Smile regarding this customer.
Should a customer reach out to us directly, we will refer them back to you to invoke this right.
The fine print: This GDPR Guide is for informational purposes only. It is not legal advice. Please reach out to your legal counsel to receive tailored guidance on how the GDPR may impact your business.
What's next?
Privacy and data collection
Learn more