The EU General Data Protection Regulation (GDPR) will become effective on 25th May 2018 bringing new global data protections for individuals of the European Union (EU). The GDPR will replace the EU Data Protection Directive and is intended to harmonise data protection laws throughout the EU with a single data protection law.
GDPR applies to all organisations established in the EU and any organisations that process the personal data of EU subjects in connection with offering goods or services in the EU.
In early 2017, ECOM began a full research process into GDPR and how it would affect ECOM and our customers. We consulted with internal and external counsel to understand the GDPR legal requirements. ECOM has also performed a Data Protection Impact Assessment to determine compliance with security requirements of GDPR.
Throughout 2017, ECOM made a number of product changes, policy updates and internal process changes in anticipation of GDPR. ECOM is committed to being GDPR compliant when it becomes enforceable in May 2018.
• Ensuring all ECOM employees continue to undertake mandatory data handling training. All ECOM employees are required to participate in the training program even if their role doesn’t require them to handle customer data.
• Ensuring our vendors continue to adhere to the same high standards of security and privacy as ECOM.
• Maintaining our no transfers out of the EU commitment for EU customers. ECOM does not transfer data out of the customer’s chosen geographical region. Data backups and redundancy sites all remain within the same geographical region.
ECOM operates as both a Data Controller and Data Processor when considering GDPR compliance:
• ECOM is a controller in respect of individuals interacting with our business, such as website visitors, customers and prospective customers of ECOM.
• ECOM is also the processor in respect of our own data and that of our customers whose data we receive from users of our services. In some specific customer agreements, ECOM can also be a sub-processor.
If the Subject Access Request relates to data processed, stored or hosted within our services, ECOM will refer the Subject Access Request to our customer – the data controller. ECOM will assist with requests made by our customers in relation to such Subject Access Requests.
Subject Access Requests received in relation to ECOM’s business will receive a response within 30 days of receipt. Subject Access Requests can be made at firstname.lastname@example.org or in writing to:
Attn: Legal, ECOM UK Limited, 2-3 Hovefields Lodge, Hovefields Avenue, Burnt Mills, Basildon, Essex SS13 1EB
As a customer of ECOM, you are a data controller and ECOM is acting as a processor for your data. In preparation for GDPR you should consider undertaking the following steps:
• Perform your own research, modelling, vendor audit, and strategy steps at your company to ensure you understand GDPR as it applies to your business.
• Obtain an updated Data Processing Agreement, which is available upon request from email@example.com.
If you have any questions about GDPR, please contact firstname.lastname@example.org. If you are an employee of an ECOM customer, please contact your employer.