Here's how SamCart is addressing new privacy regulations mandated by the European Union.
GDPR (the General Data Protection Regulation) is European Union legislation that regulates how organizations collect, process and protect an individual's PII (Personally Identifiable Information; the regulation itself uses the term "personal data").
PII covers any data that could, on its own or combined with other data, be used to identify an individual. Organizations that handle it must comply with GDPR, which means, among many other requirements, implementing the new principles for user consent (informed, unambiguous consent given separately for each purpose) and honoring the right to be forgotten.
GDPR (Article 25, "data protection by design and by default") also requires that software used to handle PII follow the principles of Security by Design (SbD) and Privacy by Design (PbD). Formal definitions of both are still being developed.
A software application or SaaS service can only provide the foundation on which its users become GDPR compliant: compliance is a property of how an organization processes data, not of a tool. There is no such thing as "GDPR-compliant software".
SamCart is documenting and building the features our customers need to become and remain GDPR compliant. The following items are available to SamCart customers as of May 25, 2018, the date GDPR took effect:
- The ability, as a SamCart customer, to request that your PII be removed from our system.
- The ability to request, on behalf of your own customers, that their PII be removed from our system.
- A published privacy impact assessment.
- A published data breach notification procedure.
- A data map of where and how SamCart stores and processes PII.
- An updated privacy policy to include the following: data portability; the right to be forgotten; the right to prevent profiling; the right to object to processing; the right to rectification and erasure; subject access requests (“SARs”).
- The ability to create checkbox custom fields, allowing you to collect explicit consent from your users for marketing or other activities. Leave such a box unchecked by default: under GDPR a pre-ticked box does not count as consent.
- Training for our internal staff and an updated staff handbook, so that every employee knows their obligations under GDPR.
- GDPR language in our service agreement, plus a standardized data processor agreement that we make available to our customers.
- An audit of our own data processors to confirm that they have the necessary agreements in place and have updated them for GDPR.
- Model clauses (the EU standard contractual clauses) in our service agreement to support customers transferring data out of the European Union.
GDPR guidance and enforcement are still developing, and we will continue to monitor them so that you are able to remain in compliance with its requirements.