GDPR Compliance plan
1. All employees of Mossy Earth are briefed on, and aware of, the new rules imposed by GDPR
2. Mossy Earth Collected Data Map
- Customer Data:
  - Through Shopify
    - First Name
    - Last Name
    - Personal Email
    - Email of person receiving the gift
    - Name of the person receiving a gift
  - Address Details
    - Billing Name
    - Billing Street
    - Billing Address1
    - Billing Address2
    - Billing Company
    - Billing City
    - Billing Zip
    - Billing Province
    - Billing Country
    - Billing Phone
    - Shipping Name
    - Shipping Street
    - Shipping Address1
    - Shipping Address2
  - Received by email
    - First Name
    - Last Name
    - Corrected Email address
    - Email of person receiving the gift
    - Name of the person receiving a gift
  - Through Shopify
    - Stripe
      - Card ID
      - Card Last4
      - Card Brand
      - Card Funding
      - Card Exp Month
      - Card Exp Year
      - Card Name
    - Card details
      - Card Address Line1
      - Card Address Line2
      - Card Address City
      - Card Address State
      - Card Address Country
      - Card Address Zip
      - Card Issue Country
      - Card Fingerprint
      - Card CVC Status
      - Card AVS Zip Status
      - Card AVS Line1 Status
      - Card Tokenization Method
    - PayPal
      - Name
      - Email Address
      - Shipping Address
        - Address Line 1
        - Address Line 2/District/Neighborhood
        - Town/City
        - State/Province/Region/County/Territory/Prefecture/Republic
        - Zip/Postal Code
        - Country
        - Country Code
      - Balance Impact
- Business Outreach
  - Linked In
    - Profile link
    - First Name
    - Middle Name
    - Last Name
    - Title
    - Company
    - Company Profile
    - Company Website
    - Location
    - Industry
3. Data Permissions & Consent
- Customer Data
  - The customer is informed of all the gathered data in the privacy statement
  - The customer will always have to consent, and can refuse to share their data
  - Email consent is obtained through a double opt-in registration
- Business Outreach Data
  - All sourced data is pattern matched from publicly available information and verified against the server
  - All data sourced relates to business contact information
  - All contacts sourced are contacted only for business inquiries
4. Data Storage & Protection Measures:
- Existing Data
  - All existing unencrypted data on hard drives and in folders is to be moved to a secure location or permanently deleted
  - All existing data has to be moved to a new Google folder, protected under Google's strict GDPR rules
  - Stripe, PayPal, Mailchimp, Reply and Shopify all have GDPR compliant data protection policies for their customers (in this case Mossy Earth)
- Ensuring future compliance
  - All data required for processing will be used and then either deleted or added to a protected folder
5. Mossy Earth’s Lawful basis for processing data
- Payment Data (PayPal, Stripe, Shopify): required to process all the payments correctly
- Contact information (Shopify, Mailchimp, Reply): required for the delivery of the service, an email containing the media and information the customer requested
- Business Outreach data: it is public information which Mossy Earth will use for business contacts
6. Individual’s rights
- the right to be informed;
- the right of access;
- the right to rectification;
- the right to erasure;
- the right to restrict processing;
- the right to data portability;
- the right to object;
- the right not to be subject to automated decision-making including profiling
When handling customer data, all employees should ensure that they can find and erase any and all data relating to an individual
7. Roles & Obligations
- All employees will disclose what data they handle
- Director Duarte de Zoeten will be responsible for the overall compliance of Mossy Earth employees
8. Actions taken
- Secure all data
- Update Privacy Terms
- Ensure lawful basis for data processing is made clear
- Create new Mailchimp subscription form with double opt-in consent
- Immediate transaction email to secure consent from Shopify
- Modify delivery process for gifts
Additional information:
https://ico.org.uk/media/for-organisations/documents/1624219/preparing-for-the-gdpr-12-steps.pdf