GDPR Compliance plan

1.     All employees of Mossy Earth are briefed on and aware of the new rules imposed by GDPR

2.     Mossy Earth Collected Data Map

  1. Customer Data:
    1. Through Shopify
      1. First Name
      2. Last Name
      3. Personal Email
      4. Email of person receiving the gift
      5. Name of the person receiving a gift
      6. Address Details
        1. Billing Name
        2. Billing Street
        3. Billing Address1
        4. Billing Address2
        5. Billing Company
        6. Billing City
        7. Billing Zip
        8. Billing Province
        9. Billing Country
        10. Billing Phone
        11. Shipping Name
        12. Shipping Street
        13. Shipping Address1
        14. Shipping Address2
      7. Received by email
        1. First Name
        2. Last Name
        3. Corrected Email address
        4. Email of person receiving the gift
        5. Name of the person receiving a gift
    2. Stripe
      1. Card ID
      2. Card Last4
      3. Card Brand
      4. Card Funding
      5. Card Exp Month
      6. Card Exp Year
      7. Card Name
      8. Card details
        1. Card Address Line1
        2. Card Address Line2
        3. Card Address City
        4. Card Address State
        5. Card Address Country
        6. Card Address Zip
        7. Card Issue Country
        8. Card Fingerprint
        9. Card CVC Status
        10. Card AVS Zip Status
        11. Card AVS Line1 Status
        12. Card Tokenization Method
      9. Email
    3. PayPal
      1. Name
      2. Email Address
      3. Shipping Address
      4. Address Line 1
      5. Address Line 2/District/Neighborhood
      6. Town/City
      7. State/Province/Region/County/Territory/Prefecture/Republic
      8. Zip/Postal Code
      9. Country
      10. Country Code
      11. Balance Impact
  2. Business Outreach
    1. LinkedIn
      1. Profile link
      2. First Name
      3. Middle Name
      4. Last Name
      5. Title
      6. Company
      7. Company Profile
      8. Company Website
      9. Twitter
      10. Location
      11. Industry
    2. Email

3.     Data Permissions & Consent

  1. Customer Data
    1. The customer is informed of all the gathered data in the privacy statement
    2. The customer will always have to consent or can say no to sharing their data
    3. Email consent is obtained through a double opt-in registration
  2. Business Outreach Data
    1. All sourced data is pattern matched from publicly available information and verified against the server
    2. All data sourced relates to business contact information
    3. All sourced data, and the contacts derived from it, are used only for business inquiries

4.     Data Storage & Protection Measures:

  1. Existing Data
    1. All existing unencrypted data on hard drives and in folders is to be moved to a secure location or permanently deleted
    2. All existing data has to be moved to a new Google folder, protected under Google's strict GDPR rules
  2. Ensuring future compliance
    1. All data required for processing will be used and then either deleted or added to a protected folder

5.     Mossy Earth’s Lawful basis for processing data

  1. Payment Data (PayPal, Stripe, Shopify): required to process all the payments correctly
  2. Contact information (Shopify, Mailchimp, Reply): required for the delivery of the service, i.e. an email containing the media and information the customer requested
  3. Business Outreach data: it is public information which Mossy Earth will use for business contacts

6.     Individual’s rights

  1. the right to be informed;
  2. the right of access;
  3. the right to rectification;
  4. the right to erasure;
  5. the right to restrict processing;
  6. the right to data portability;
  7. the right to object;
  8. the right not to be subject to automated decision-making, including profiling.

When handling customer data, all employees should ensure that they can find and erase any and all data relating to an individual.

7.     Roles & Obligations

  1. All employees will disclose what data they handle
  2. Director Duarte de Zoeten will be responsible for the overall compliance of Mossy Earth employees

8.     Actions taken

  1. Secure all data
  2. Update Privacy Terms
  3. Ensure lawful basis for data processing is made clear
  4. Create new Mailchimp subscription form with double opt-in consent
  5. Immediate transaction email to secure consent from Shopify
  6. Modify delivery process for gifts

Additional information:

https://ico.org.uk/media/for-organisations/documents/1624219/preparing-for-the-gdpr-12-steps.pdf

https://blog.mailchimp.com/gdpr-tools-from-mailchimp/

https://ico.org.uk/for-organisations/guide-to-data-protection/privacy-notices-transparency-and-control/