General Data Protection Regulation (GDPR)

What Is GDPR?

GDPR stands for General Data Protection Regulation. It is a European regulation intended to strengthen and unify data protection for all individuals within the European Union. Its primary goal is to give citizens and residents back control over their personal data. The GDPR became enforceable on 25 May 2018.

Why Is GDPR Important?

Incorrectly gathering and processing personal data could result in high fines, though this shouldn't be your main motivator for GDPR compliance. The most important thing is to be aware that your company is handling personal data so you can protect it like you would your own personal information.

The regulation will drastically change the way companies process and protect the data entrusted to them. If your company operates a webstore, it will mean new responsibilities and liability for secure data processing.

Important Changes from a GDPR Perspective

  • A broader, stricter definition of "personal data"

  • Stronger rights for the data subject (the person the data concerns)

  • Privacy by default and by design are explicitly added to the text

  • Security and (international) transfer of personal data are specified in more detail

  • Fines of up to €10 million or 2% of annual worldwide turnover for the lower tier of infringements, and up to €20 million or 4% for the higher tier, whichever amount is higher

  • Appointing a Data Protection Officer can be mandatory

  • Records must be kept of data processing activities and of data breaches

How Does GDPR Affect Your Business?

One of the prerequisites of the GDPR is that businesses must keep records of the data processing within the company. You need to know what personal data you're storing, how you're storing it and why you're storing it. Under GDPR, businesses are only allowed to keep personal data for as long as it is necessary for the purpose it was collected for (storage limitation) - this applies to everything from order histories to warranties.

Securing and managing structured data will always be easier than unstructured data. As such, most GDPR projects begin with discovering where data is being stored within the company and how it can be structured.

How Can Sana Help with GDPR?

To start with: Sana does not prevent the shop owner from becoming fully GDPR-compliant. Sana will continuously monitor which privacy improvements could be relevant for Sana users and will make these available with its future releases.

As a software provider, Sana can help you by ensuring our software and our implementation is as privacy-friendly as possible. Even more importantly, Sana Commerce's unique ERP integration means it only stores limited personal data.

The most important data remains centralized in your ERP. The connection between Sana and your ERP is encrypted, and Sana itself uses SSL/TLS to encrypt data in transit between the webstore and its visitors. Keeping the ERP itself secure remains the responsibility of the shop owner. Storing most of your data in the ERP is advantageous because it keeps everything structured and makes it easier for your company to secure it.

Right to Rectification

If shop owners want to allow their customers to edit certain personal data in the webstore, the shop owner can make certain profile fields visible and editable for the customers. The shop owner can use the Profile fields settings in Sana Admin for this purpose. For more information, see Customer and Prospect Profiles.

Right to Be Forgotten

If a customer wants to be forgotten from the webstore, the customer can notify the shop owner of this request. The shop owner can then delete the relevant shop account from Sana Admin (see here for more information). Deleting the shop account permanently erases the shop account's data from the Sana database. Keep in mind that administrative data, such as order data, is not deleted; only the customer record in the shop accounts table is removed.

If a customer wants to be unsubscribed from the newsletter in Sana as well, the customer or the shop owner can unsubscribe the customer’s email using the following page: [SHOPURL]/newsletter/unsubscribe (see example).

For more information about newsletter subscriptions and how to add the Unsubscribe for newsletter page to your webstore navigation, see Newsletter Subscriptions.

Secure with Microsoft Azure Hosting

The Microsoft Azure Cloud is used for the limited data storage that does occur within Sana Commerce. Microsoft Azure is one of the most secure hosting environments available and holds ISO 27001 certification, in addition to other certifications. Note that these certifications cover the hosting platform; the shop owner remains the controller of the personal data stored in the webstore and is responsible for how it is collected and used.

This is all to ensure that your company can continue operating your e-commerce platform without worrying about data, so you can spend more time and energy on maximizing your online potential!

Using Add-ons in Connection with Sana Commerce Cloud

Sana Commerce Cloud can be used in combination with certain add-ons, which make it considerably more powerful. Be aware that some of these add-ons may send personal data from Sana Commerce Cloud to external services (such as dotdigital, Mailchimp, etc.). It is the shop owner's responsibility to be aware of the data usage policies and behavior of the third parties they choose to use, and such transfers should be covered in the shop owner's records of processing.

This article is provided as a resource, but does not constitute legal advice. We encourage you to contact a legal advisor in your country to learn how the GDPR may affect your organization and which specific requirements apply.