RomanCart.com Forum Homepage

GDPR

teamsurv
Newbie
Joined: 19 July 2017
Posted: 27 January 2018 at 6:50am
Hi,
What's the position regarding compliance of RomanCart with the GDPR regulations?
Is RomanCart already compliant or, if not, will it be by 25th May?
Many thanks,
Tim
Support
RomanCart Team
Joined: 16 March 2004
Location: United Kingdom
Posted: 29 January 2018 at 8:54pm
Hi,
The main change we are making is providing the ability to select whether your email list is opt in or opt out.
Please note that the data held in RomanCart is your data, not our data.
We do not use your data for anything ourselves, and we provide the tools for you to be able to manage the data as required.
Many Thanks
Support
softap
Senior Member
Joined: 28 December 2006
Posted: 05 February 2018 at 4:35pm
When a customer places an order via the Romancart checkout, they currently have to tick a box to permit us to send them further emails. The answer to this question is then passed to our own mailing system by virtue of being included in the export of orders from the Sales Manager.

It strikes me that Romancart could be extremely useful in automatically handling the 2nd stage of the new opt-in process - i.e. to automatically email the customer as soon as an order has been placed, asking them to click a link to confirm that they are actually OK to receive further emails (the 2 stage opt-in as required by GDPR).

This would then take a huge burden of work away from the typical small business (e.g. us!).

Andy
Support
RomanCart Team
Joined: 16 March 2004
Location: United Kingdom
Posted: 06 February 2018 at 8:50am
Hi,

This is a bit like the EU cookie law. We have heard many interpretations of the GDPR including that if a contract is in place between a merchant and a customer then you can still email them. (Don't take our word for this though - consult your legal experts!).

Also the most common issue which is raised is that you cannot email any existing email lists you have unless they were double opt in (which is unlikely in most cases), but one thing that is clear is that you cannot email such a list asking if they want to be on your list.

It remains to be seen what effect the GDPR has in practice, especially as the fines are 3% of turnover or £20 million, whichever is highest.

The main thing is that customers have the right to be removed from your database and to see any information you hold about them.
In addition it clarifies the roles of data processors and controllers.

I agree though that it would be a good idea to add double opt in options as well which is something we will look into adding before May. We want to give merchants as much choice as possible to meet their compliance goals.

Many Thanks
Support
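The two-stage opt-in Andy describes (tick box at checkout, then a confirmation link the customer must click before any further mail is sent), together with the right of access and right to erasure Support mentions, can be implemented with a small consent store. The following is an added example written for this thread, not RomanCart's code or a description of how RomanCart implements its opt-in option. It assumes an in-memory store, a 7-day lifetime for the confirmation link, and that the link carries a random one-time token of which only the SHA-256 digest is kept server-side; the class and function names are the example's own.

```python
"""Two-stage (double) opt-in consent store.

Stage 1: the customer ticks the box at checkout, which creates a pending
record and a one-time confirmation link.  Stage 2: only clicking that link
makes the address mailable.  The store also answers the two subject rights
the thread mentions: export (access) and erase (erasure).
Added example for this thread; not RomanCart code."""
import hashlib
import secrets
from dataclasses import dataclass, asdict
from typing import Dict, Optional

# Assumption: a confirmation link is honoured for 7 days, then the request lapses.
CONFIRM_TTL_SECONDS = 7 * 24 * 3600


@dataclass
class Consent:
    email: str
    order_id: str
    requested_at: float                     # stage 1: box ticked at checkout
    confirmed_at: Optional[float] = None    # stage 2: link clicked
    confirm_ip: Optional[str] = None        # kept as evidence of the confirmation
    token_hash: Optional[str] = None        # sha256 of the outstanding link token
    token_expires: float = 0.0


def _hash_token(token: str) -> str:
    # Only the digest is stored, so a copy of the database does not let anyone
    # "confirm" on a customer's behalf.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


class ConsentStore:
    def __init__(self) -> None:
        self._by_email: Dict[str, Consent] = {}
        self._by_hash: Dict[str, Consent] = {}

    def request(self, email: str, order_id: str, now: float,
                ttl: float = CONFIRM_TTL_SECONDS) -> Optional[str]:
        """Stage 1.  Returns the raw token to embed in the confirmation link,
        or None if the address has already confirmed (no new link needed)."""
        email = email.strip().lower()
        old = self._by_email.get(email)
        if old is not None and old.confirmed_at is not None:
            return None
        if old is not None and old.token_hash:
            self._by_hash.pop(old.token_hash, None)     # supersede the older link
        token = secrets.token_urlsafe(32)               # 256 bits of randomness
        rec = Consent(email, order_id, requested_at=now,
                      token_hash=_hash_token(token), token_expires=now + ttl)
        self._by_email[email] = rec
        self._by_hash[rec.token_hash] = rec
        return token

    def confirm(self, token: str, now: float,
                source_ip: Optional[str] = None) -> bool:
        """Stage 2.  Unknown, expired and already-used tokens are all rejected."""
        rec = self._by_hash.pop(_hash_token(token), None)
        if rec is None:
            return False
        rec.token_hash = None                           # one-time use: no replay
        if now > rec.token_expires:
            return False                                # lapsed; stays pending
        rec.confirmed_at = now
        rec.confirm_ip = source_ip
        return True

    def may_email(self, email: str) -> bool:
        """Only a completed stage 2 makes the address mailable."""
        rec = self._by_email.get(email.strip().lower())
        return rec is not None and rec.confirmed_at is not None

    def export(self, email: str) -> Optional[dict]:
        """Right of access: everything held about the address."""
        rec = self._by_email.get(email.strip().lower())
        return None if rec is None else asdict(rec)

    def erase(self, email: str) -> bool:
        """Right to erasure: drop the record and any outstanding link."""
        rec = self._by_email.pop(email.strip().lower(), None)
        if rec is None:
            return False
        if rec.token_hash:
            self._by_hash.pop(rec.token_hash, None)
        return True
```

The points a practitioner would check are that the mailing decision is driven only by `confirmed_at`, that a token works exactly once and within its lifetime, and that the timestamp and source address of the click are retained so the consent can be demonstrated later.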
teamsurv
Newbie
Joined: 19 July 2017
Posted: 08 February 2018 at 2:43pm
Andy,
We use Zapier for something similar. We set up a mailbox in Zapier and include it in the list of recipients of the relevant email sent out by RomanCart, then parse the email and link it through to ActiveCampaign, Twitter, Facebook and our own services.
This works well, except that, for some reason I haven't yet had time to examine, Zapier doesn't always manage to parse the emails correctly. I've tried Parseur as an alternative for the parsing step with similar problems, which suggests that there is something irregular (i.e. inconsistent as opposed to incorrect) in the emails sent out by RomanCart that gives both of these problems.
teamsurv
Newbie
Joined: 19 July 2017
Posted: 08 February 2018 at 3:09pm
Whilst I agree that the data itself is ours, there are still a number of requirements that RomanCart (like any other service provider) has to comply with, and if they don't then no organisation claiming to be GDPR compliant can use RomanCart.

As I understand it, these are:
- Contractual. A written contract needs to be in place between RomanCart as a service provider and each of its customers, setting out its GDPR compliance
- Documentation - RomanCart must have documented all of its data processing activities
- Data hosting: there are restrictions on moving the data outside of the EU, which may apply if, say, RomanCart decide to host their servers or use a cloud service in the US
- Privacy by design, i.e. RomanCart should have measures to ensure that no employees have access to their customers' data unless there is a very good reason. Also it must be held securely, protected against loss or damage etc.
- Right to erasure: if we delete customer records at the request of a customer, then we have to know that RomanCart has deleted them fully, and they aren't still lurking somewhere in RomanCart's systems
- Data breaches. If anyone hacks into RomanCart, we need to know that, plus details of the breach and its extent, as we have to inform our customers as soon as possible, maximum within 72 hours
- Data protection officer - RomanCart may need to appoint one of these, in which case they should give contact details to their customers
- We need to carry out data protection impact assessments and compliance reviews, so we will need the necessary information from RomanCart to enable us to perform these

Note that, as a processor, RomanCart can be held liable for breaches in GDPR, in the same way as we can for being the data owners.

There's plenty more detail on the whole of GDPR on the ICO site.
richardpaulrussell
Newbie
Joined: 06 March 2018
Location: UK
Posted: 06 March 2018 at 11:54am
We have exactly the same concerns as you've raised below, teamsurv. We attended a GDPR seminar which raised these exact points.

Originally posted by teamsurv:

Whilst I agree that the data itself is ours, there are still a number of requirements that RomanCart (like any other service provider) has to comply with, and if they don't then no organisation claiming to be GDPR compliant can use RomanCart.

As I understand it, these are:
- Contractual. A written contract needs to be in place between RomanCart as a service provider and each of its customers, setting out its GDPR compliance
- Documentation - RomanCart must have documented all of its data processing activities
- Data hosting: there are restrictions on moving the data outside of the EU, which may apply if, say, RomanCart decide to host their servers or use a cloud service in the US
- Privacy by design, i.e. RomanCart should have measures to ensure that no employees have access to their customers' data unless there is a very good reason. Also it must be held securely, protected against loss or damage etc.
- Right to erasure: if we delete customer records at the request of a customer, then we have to know that RomanCart has deleted them fully, and they aren't still lurking somewhere in RomanCart's systems
- Data breaches. If anyone hacks into RomanCart, we need to know that, plus details of the breach and its extent, as we have to inform our customers as soon as possible, maximum within 72 hours
- Data protection officer - RomanCart may need to appoint one of these, in which case they should give contact details to their customers
- We need to carry out data protection impact assessments and compliance reviews, so we will need the necessary information from RomanCart to enable us to perform these

Note that, as a processor, RomanCart can be held liable for breaches in GDPR, in the same way as we can for being the data owners.

There's plenty more detail on the whole of GDPR on the ICO site.


Edited by richardpaulrussell - 06 March 2018 at 11:55am