There’s a new law coming into force on 25th May 2018 called the ‘General Data Protection Regulation’ (GDPR). It applies to anyone in, or selling to customers in, the European Union – and the UK post Brexit. The main ideas are the same as those in current data protection law, however there have also been some new elements so organisations around the world are doing things differently. If you want to find out more about GDPR, please see the guidance here.
Here at Music Glue we’ve always put protection of sensitive data at the core of our business – from the privacy by design approach our developers take, to the industry-leading organisational security measures embraced by our team.
Now, with GDPR coming into force, we would like to highlight the following legal changes. We've also put together a GDPR FAQ (not a legal document, just intended to help).
Key legal changes
GDPR requires that you have a Data Processing Agreement in place with us, and so we’ve incorporated it into the Merchant Terms and Conditions as a Data Processing Addendum. We've also expanded the section (11) on data protection.
What is ‘GDPR'?
GDPR stands for 'General Data Protection Regulation'. It is an EU law on data protection and privacy for individuals in the EU. It applies to any company processing personal data of EU citizens. It aims to give EU citizens more control over their personal data.
What is ‘Personal Data’?
Anything that can be used to identify an individual. Typically on Music Glue this will be your customers’ name, email, address and any online identifiers if you’re using Google Analytics or other tools.
How should I use Personal Data?
Personal data should only be used for the specific purpose for which it was intended and according to a specific legal basis. Here is a detailed list of the legal bases, the ones most likely to apply to you as a vendor on Music Glue are below – but please remember it’s your responsibility to ensure you have an appropriate legal basis for processing data:
- Fulfilment of a contract – For example, a customer buys something from you, you need their name and address to send it to them.
- Legitimate business purposes – For example, you want to analyse data to improve the products you offer or plan campaigns.
- Consent – The data subject (e.g. a fan) gives you their permission to use their data. For example, they actively opt in to your mailing list to receive news and offers. They can withdraw this permission at any time. Consent must be freely given, informed, specific and unambiguous. On Music Glue, data capture widgets (such as signing up to mailing list at checkout or on your site) ensure that consent is captured in this way.
What’s the difference between a controller and a processor? Which am I?
A data controller determines the purpose and how personal data is processed. A data processor does that processing on behalf of the controller. For example, when you set up a store on Music Glue to sell products or tickets, you’re outsourcing your e-commerce to us. You’re deciding the purpose (to sell your products) and you’re deciding how to process that data (you’ve outsourced elements of it to us). As data controller you have a responsibility to ensure you are compliant with GDPR. In some instances, Music Glue is a data controller too. For example, if we process personal data to enable us to improve our products and features, or if customers engage with the Music Glue platform beyond those relating to your store.
What obligations do I have as a data controller?
- Please see the ICO guidance for full details.
- Controllers must help data subjects (for example your customers) exercise their rights. If your customer bought from you via Music Glue, you can do this by forwarding requests you receive to Music Glue via firstname.lastname@example.org. You generally have 30 days to respond to the data subject – so we recommend you send it to us straight away, certainly within 2 working days.
- Keeping personal data secure. See below how we do this with the data processing we do on your behalf.
What obligations does Music Glue have as a data processor?
Please see our Data Processing Addendum for full details. Key points:
- We must get your consent to use "subprocessors" (third party providers who we use as part of providing our services to you), and ensure they meet standards to protect personal data. You do this when you sign up for our service as it’s incorporated into our Data Processing Addendum.
- We must notify you of any data breach. We have the internal incident response systems in place to do this.
- We must notify you if any of your data subjects contact us to exercise their rights, and support you to respond if you receive one too. We have the internal processes in place to do this.
- We must ensure our team and systems keep personal data secure. We already do this, and you can read more about the approach our developers take to security here. We give our team information security training in line with our internal information security policy and regularly review our processes. Most importantly, we foster a culture where data security is front and centre of what we do – so that any team member that spots a problem feels confident to raise it.
What rights does a data subject have?
As above, if you receive any of the below requests from a customer who has bought from you via Music Glue, forward it to email@example.com. Of course, please first verify that the person requesting the data is in fact the data subject!
- Erasure – To have their personal data deleted.
- Portability – To receive an export of their data in a commonly used format, such as a csv.
- Rectification - To correct incomplete or inaccurate personal data.
- Automated decision-making – To object to processing based solely on automated decision making that has a legal effect on the data subject or otherwise significantly affects them. Music Glue does not currently engage in this.
Who can I contact for more information?
See here for a collection of documents regarding Music Glue’s compliance with GDPR. The ICO website (linked to above) also provides helpful guides. If you have further questions about how Music Glue is GDPR compliant, please contact firstname.lastname@example.org. For advice on how you can ensure you are GDPR compliant, please seek professional data security or legal advice.