GDPR (General Data Protection Regulation)
The GDPR is Europe's new framework for data protection law. It applies across the EU from May 25th, 2018. GDPR replaces the previous 1995 Data Protection Directive, on which current UK law (the Data Protection Act 1998) is based.
GDPR has been designed to harmonise data privacy laws across European nations as well as providing greater protection & rights to individuals.
After more than four years of discussion and negotiation, GDPR was adopted by the Council of the European Union and the European Parliament in April 2016. The Regulation (EU 2016/679) and the accompanying Law Enforcement Directive were published in the Official Journal of the European Union on May 4th, 2016.
What does GDPR mean for Clove Technology and our customers?
The GDPR legislation is complex and cannot be explained fully in a concise form. However, we outline and explain some key points below.
At its most basic, GDPR sets out how businesses must process personal data, including the "special categories" of personal data (what UK law has called sensitive personal data). How much data a business holds about you will vary greatly depending on its operations.
Your personal details
One important aspect of our compliance with GDPR is that we do not ask for, process, store or share any personal data that is unnecessary for carrying out our business operations and running an online store. Legally speaking, we have a lawful basis for all personal data we obtain and use, and we will not use that data in any unwarranted fashion in our business operations. This includes the sharing and storing of personal details with third parties where it is needed to fulfil your order(s) with us.
You are always welcome to request a copy of the information we hold about you. Where possible, and in so far as it does not conflict with other legal obligations, you can also ask for stored personal details to be removed from our systems and from those of any third party we have shared them with.
As an independent online retailer, it is not feasible for us to operate entirely using our own technology and resources. There are a number of third parties with whom your data may be shared, and by whom it may be stored, in order for us to operate effectively. In the interest of transparency, we have listed these below.
UK Fast is our chosen web hosting service. The Clove Technology website is stored on servers managed by UK Fast. Customer account information and order details are stored as part of the website.
UK Fast employees require physical and direct network access to the servers that store the Clove Technology website in order to provide necessary maintenance, updates and data backup.
Online Retailing is our chosen web development team. The technology used to power the Clove Technology website and internal systems that access the 'back end' of the website has been developed by Online Retailing.
Online Retailing has access to the servers at UK Fast in order to provide necessary maintenance, updates and data backup.
WorldPay (WorldPay Group plc)
WorldPay is an internationally recognised payment processor that offers a payment gateway. When placing an order on the Clove Technology website and paying by credit or debit card, personal details required to make the transaction may be transferred to and stored with WorldPay in accordance with all relevant UK and EU laws regarding such transactions.
SagePay (Sage Group plc)
SagePay is an internationally recognised payment processor that offers a payment gateway. When placing an order on the Clove Technology website and paying by credit or debit card, personal details required to make the transaction may be transferred to and stored with SagePay in accordance with all relevant UK and EU laws regarding such transactions.
PayPal (PayPal Holdings, Inc)
PayPal is an internationally recognised payment processor that offers a payment gateway. When placing an order on the Clove Technology website you have the option to make payments via PayPal. Personal details required to make the transaction may be transferred to and stored with PayPal in accordance with all relevant UK and EU laws regarding such transactions.
Klaviyo (Klaviyo, Inc)
Klaviyo is a data management company used to store and manage our customer email address database. Many of the content-rich emails we send are delivered using Klaviyo's technology. When you place an order or sign up for notifications on the Clove Technology website, personal details may be sent to Klaviyo.
Relatively speaking, Clove Technology does not process large swathes of data. Most of what we process and store is simply a legitimate requirement of running an online store in the 21st century.
One area we do use customer data for that is not strictly 'necessary' is marketing communications. We regularly send emails to a database of email addresses captured through this site and other affiliated sites. These emails contain information on new product releases, price changes, stock information, competitions, news articles and other information we feel is relevant to our customer base.
Such marketing emails are treated differently from the emails one would expect to receive as part of an online store's order, such as an Order Confirmation Email or Dispatch Confirmation Email.
Once GDPR is in place, businesses must be able to demonstrate that recipients have given clear, affirmative consent to receive marketing emails; a pre-ticked box, silence or inactivity does not count as consent.
In order to ensure we are fully compliant with this requirement, Clove Technology will contact our existing database of customer emails up to May 25th, 2018 for their consent to be added to a new database. If you have placed an order with us in the past (or provided your email address for other reasons) and do not provide us with updated consent by May 25th, 2018, your email address will be erased from our marketing communications database.
By May 25th, 2018, all new customers will be asked for such consent when placing an order. These details will be added to the same new database mentioned above. Those who do not provide consent will not be sent marketing communications unless explicitly agreeing to do so in future communications with us.
All customers with an online account on our website will also be able to update their marketing preferences, opting in to or out of marketing communications at any time.
Accountability & compliance
Once GDPR is in place, Clove Technology becomes fully accountable for the handling of personal information submitted and/or collected through this website.
Under GDPR, a personal data breach (the "destruction, loss, alteration, unauthorised disclosure of, or access to" people's data) must be reported to the UK's data protection regulator, the ICO, unless the breach is unlikely to result in a risk to the rights and freedoms of the individuals concerned. Such risks include, but are not limited to, financial loss, breach of confidentiality and damage to reputation.
The ICO must be told about a reportable breach without undue delay and, where feasible, within 72 hours of Clove Technology becoming aware of it. Where the breach is likely to result in a high risk to the individuals affected, we must also inform those individuals without undue delay.
Access to your data
GDPR gives individuals much more power to access the information held about them. Until GDPR applies, a business or public body answering a Subject Access Request (SAR) may charge the individual a fee of 10 GBP for a copy of what it holds about them.
Under GDPR, the SAR remains but the fee can no longer be charged (other than for manifestly unfounded or excessive requests), and companies must respond within one month of receiving the request. Everyone has the right to confirmation of whether we hold any information about them, to a copy of that information, and to supplementary information such as the purposes of processing and who it has been shared with.
Where it does not interfere with other legal obligations, you can also request information held about you be erased, should it no longer be necessary for its original purpose or you explicitly withdraw consent.
We cannot erase all data; for instance, UK law requires us to keep records of financial transactions for a minimum of 7 years. As an example, you may be able to request the deletion of your online account information (and associated data) from the servers used to host our website, but we would still need to keep the legally required minimum of information about orders placed on our website, either on the website itself or via another secure method.
What about Brexit?
The UK government invoked Article 50 of the Lisbon Treaty on March 29th, 2017. This formally schedules the United Kingdom to leave the EU on March 29th, 2019. Until this date, the United Kingdom remains a member state of the EU and is subject to its regulations and directives, including GDPR.
As part of the process of leaving the European Union, the UK government has introduced the European Union (Withdrawal) Bill to Parliament. This is a complex piece of legislation covering many aspects of international law although one key component of it is that many, if not all, of the EU laws the UK has been subject to as a member state of the EU, will be converted to UK law.
On a related note, the UK government has introduced the Data Protection Bill to Parliament. This Bill covers all aspects of the GDPR and will be the relevant UK law concerning data protection issues following the UK's exit from the European Union.
Brexit concerns in summary
GDPR is enforceable under EU law from May 25th, 2018.
On March 29th, 2019 the United Kingdom is scheduled to leave the European Union. From this date GDPR no longer applies directly to UK companies' operations unless they offer goods or services to, or monitor the behaviour of, individuals in the EU, in which case they must still comply.
Once the Data Protection Bill is ratified into UK law, it will form the basis of UK companies' data protection obligations. This Bill covers all aspects of the EU GDPR.
If the Data Protection Bill is not ratified into UK law by March 29th, 2019, GDPR may only be enforceable against a business in respect of operations that occurred between May 25th, 2018 and March 29th, 2019. In that case, UK businesses would need to refer to the existing Data Protection Act 1998, unless the UK and the remainder of the EU agree a "separation period" during which GDPR continues to apply and be enforceable in the UK.