How does the GDPR affect Shopify?
The General Data Protection Regulation (GDPR) is a broad regulation that reshapes the landscape of data usage for companies that operate globally. We have extensively evaluated how GDPR affects our business. The good news is that the law does not require us to change the services we provide - it just changes how we provide those services.
The GDPR affects Shopify in the following ways:
- It requires us to re-organize our privacy team, and to adequately document and keep records of certain privacy-related decisions made by us so that we are accountable for our privacy practices.
- To make sure that we and our merchants are able to honor the rights of European merchants and customers over their personal data.
- It requires us to make certain contractual commitments to our merchants, and requires us to get certain contractual commitments when we use a third-party subprocessor to provide our services.
What has Shopify already done to prepare for the GDPR?
Shopify has been hard at work preparing for the GDPR in the following ways:
- We appointed an experienced Data Protection Officer to oversee our GDPR implementation plan.
- We implemented a Data Protection Impact Assessment process, as required by the GDPR.
- We started to review our contractual arrangements with subprocessors, to make sure that they are required to protect personal data through robust technical and organizational measures.
- We began the process of applying for approval of Binding Corporate Rules to support our data processing operations.
- We started to deliver GDPR-focused training to key teams and personnel, so that they are aware of the law’s requirements and can design our products and business plans with privacy in mind.
- We implemented a detailed procedure to deal with data subject access requests, deletion requests, and government access requests.
What's next in Shopify's preparation for the GDPR?
There is still more for us to do before May 25, 2018, and we are continuously re-evaluating our data protection program as new guidance and interpretations of GDPR are released. We are working on completing some of the following projects:
- We are creating informational materials about our data protection program for merchants who are looking to conduct due diligence and make sure that Shopify can support their data protection needs.
- We are preparing an online Data Processing Agreement for merchants who use our platform subject to our standard online Terms of Service
- We are revising our Privacy Policies to include the disclosures required by the GDPR.
Will Shopify enter into Data Processing Agreements with its merchants?
For Shopify Plus merchants, we already have a template Data Processing Agreement that we can enter into, to cover our processing of personal data. For merchants who use our services subject to our online Terms and Conditions, we are working on making an online Data Processing Agreement available.