GDPR and Shedul – How the Upcoming EU Regulation Affects You

Updated 25 May 2018

Starting on 25 May 2018, the EU General Data Protection Regulation (GDPR) will become effective across all European Union member states. The GDPR is the biggest reform in data protection legislation in the past 20 years, and creates new responsibilities for how businesses (like you) and data processors (like us) handle personal data. If your company is based in the EU, or if you store data of EU citizens, you’ve no doubt been curious about how the upcoming regulation affects your business.

Shedul has always maintained a policy of respect for our user’s data – our user’s data is our user’s data, and we do not sell customer data to any third parties.

With the announcement of GDPR, we at Shedul have been moving towards making sure our user’s data is secure, and we have adopted numerous policies towards ensuring our compliance with the requirements of GDPR.

Overview of GDPR

The GDPR is the biggest reform in data protection regulation since the 1995 Data Protection Directive. GDPR affects any business that is either based in the European Union or that stores data of EU citizens, and grants EU citizens certain rights regarding how their data is stored and handled. The requirements of GDPR that affect our users the most are:

  • Right of consent: Businesses have an obligation to make sure customers understand how their data is stored and processed before capturing it
  • Right of access: Customers must be able to request what data is being stored and with whom their data is shared, and receive a response within 30 days
  • Right of rectification: Customers must be able to request that incorrectly stored data is corrected within 30 days
  • Right of erasure: Customers must be able to request that their personal data be removed (“pseudonymized”) from the record of a business within 30 days

What Shedul is Doing to Become GDPR Compliant

In order to fulfill the obligations of GDPR and ensure our users in the EU may continue to use our system, we have taken many steps towards ensuring we will become compliant with GDPR by the 25 May 2018 deadline. Some steps we have undertaken include:

  • We have reviewed our relationships with our suppliers and third-party technology vendors to ensure their compliance with GDPR
  • We have mapped out all points of how data is captured, stored, and processed within our organization
  • We have reviewed our internal policies for data access and processing, including tightening who in our organization can access data and under what circumstances
  • We have implemented new product features to ensure compliance with GDPR and enable our merchants to respond to requests for data access, rectification, or erasure.
  • We have updated our Privacy Policy and Merchant Agreement to make sure our data protection policies are fully compliant with GDPR and other applicable regulations and law

Where Your Data is Stored

Here at Shedul, we are hard at work to make sure our hosting providers and other cloud service providers are themselves GDPR compliant. Before 25 May 2018, all data of EU citizens on Shedul will be stored in either:

  • the European Economic Area; or
  • in a country which the European Commission has determined provides an adequate level or protection (including via Privacy Shield agreements); or
  • to service providers who have an agreement with us compliant with the Model Contract Clauses (as defined by the European Union)

What More You Can Do

Since GDPR is such a major and comprehensive regulation, the good news is that there are plenty of additional resources online that can help you better understand how GDPR affects your business. We recommend you research appropriate guideline documents and consult with a lawyer or advisor as you deem appropriate for your business.

Although Shedul is working towards ensuring GDPR compliance, this does not automatically make your business compliant by default. For example, if an employee accesses your client data and sends an SMS to all clients regarding his new Instagram page, this becomes a breach of data privacy. Businesses should have processes to make sure that does not happen.

As a business owner, here are some additional steps you can take to become GDPR compliant:

  • Contact any suppliers or other technology companies you work with that handle your customer’s data, and make sure they are or are taking steps towards becoming GDPR compliant
  • Review permission levels of each of your staff members on Shedul, and make sure that customer data is accessible only as necessary
  • Inform your staff about the upcoming regulation. An overarching theme of GDPR is that customer data can only be used to the minimum amount necessary, so make sure your staff do not use customer data inappropriately
  • Carry out a review of how you are currently handling personal customer data, and note down what changes will need to be made in order to comply with the new standards
  • Understand where customer data is stored in the system, and be ready to respond to requests for data access or rectification
  • Keep record of the steps you have taken towards meeting GDPR requirements, and make sure you share processes with your users in writing

If you have further questions about GDPR, we advise you to reach out to a lawyer or a regulatory compliance consultant to review your processes and see what else needs to be done for GDPR compliance.

Feedback and Knowledge Base