General Data Protection Regulation (GDPR)
The General Data Protection Regulation (GDPR) is a regulation sponsored by the European Commission that impacts how businesses collect and store customers’ personal data. This legislation took effect on May 25, 2018. It replaced the existing European data protection directive and touches nearly every company selling online, including Cleverbridge clients.
As a Germany-based company that has maintained a steadfast commitment to protecting the data of clients and customers throughout its history, Cleverbridge instituted some major changes to our platform and processes to ensure your ecommerce operations are compliant with GDPR:
- We moved to secure-only channels for data transfers. This change greatly enhances security and primarily affects order notifications, which are now transferred via SFTP, HTTPS, or encrypted email. For more information, see Manage Notifications.
- We de-personalized customer IP addresses in notifications and key generation calls (i.e., the last number of the IP address is always replaced by .0). We also removed the ability to search for IP addresses in the Commerce Assistant (CA).
Note
These measures satisfy the GDPR requirement that only necessary personal information should be transferred during a purchase. Per the GDPR, full IP addresses are considered personally identifiable information (PII). However, the remaining numbers of an IP address still provide useful information for common analytics functions, including geographic location.
- We configured transfers of customer street address, city (if collected), and postal code to clients on a per-client or per-product basis. Again, this is to ensure that only necessary PII is transferred to our clients.
- We reviewed tracking and analytics tools to determine whether they comply with GDPR. While Cleverbridge clients want to build detailed online profiles of customers and visitors, the GDPR is very strict regarding what information businesses can and cannot collect about website users.
Note
Fortunately, the GDPR’s requirements in this area are similar to the already stringent requirements of current German law, and Cleverbridge has been compliant with the latter since our inception. Achieving the right balance between your needs and regulatory requirements will be an ongoing process.
- We adapted the language of our Customer Privacy Policy (and a few items of our Terms & Conditions) to reflect GDPR requirements. Clients should notice no significant changes in this area.
The GDPR is here to stay, but Cleverbridge clients can count on our Compliance Team to ensure a compliant ecommerce and subscription experience.
However, be aware that once a customer completes an order and you receive our order notification and/or a key generation call, you become the data owner of that customer’s information and must treat it with the same scrutiny as we do to ensure full compliance with the law.
If you have questions about GDPR and the steps we’ve taken to ensure compliance, contact Client Experience.