General Data Protection Regulations: DT’s Actions, Payments & What You Need to Know about Your Data
For a small independent information-based/passionate-tribe-serving business like Discover Tenkara, the legal implications of not treating your data correctly are simply not an option. Part of that will be us signing up our payments to the Information Commissioner’s Office as required by law for any of our dealings with UK/EU customers and subscribers.
Here’s what you need to know (the first part I recently sent out via email to all subscribers – the second part shows the flow of personal data that I’ve had to audit as part of the compliance activity). Long story short in terms of your own actions – if you do not wish to grant us permission to contact you via email for any reason, please unsubscribe from any updates service from within those notification emails.
If we get it wrong it opens us up to fines of up to 10 million Euros! So as the first step – IF YOU DO NOT WANT TO GRANT US PERMISSION TO CONTACT YOU BY EMAIL with either lessons, updates, subscriber offers or product launches (or anything else we get up to), please unsubscribe now (there’s a link that you can click at the bottom of every one of our notification emails to do exactly that).
Unsubscribing from other platforms
If you’ve also downloaded anything from Gumroad (the third party platform that we often use to deliver digital content) you would need to unsubscribe from receiving notifications/updates from there too if you no longer wish to be contacted through their messaging system. To do this, go to any update email from Gumroad, scroll to the bottom and click the “Unfollow” link.
Exactly the same process applies if you no longer want to receive updates from us through expertise.tv (the webinar platform that we’ll be using to coach and run Q & A sessions with “Patreon” supporters in the near future).
The same process applies if you want to unsubscribe from Patreon updates too – of course.
In future we are looking to use a more sophisticated email delivery system which will help to reduce the number of messages that are not 100% relevant to you. The same process would apply if you changed your mind about wanting to receive updates (and bear in mind that you might have been added to more than one sequence of lessons – so you might have to unsubscribe from more than one list).
The personal data we hold
The main focus of GDPR is about your personal details that we hold and may need to process as part of what we do with our business and our free lessons. Although, legally, it applies to European and UK users, we want to extend the same level of protection to anyone – regardless of where you come from.
As a top-line message – for all online transactions we NEVER get to see your credit card number or credit card details.
Part of the new GDPR law now means that organisations can no longer charge people to see what personal data they hold on them – and to make things as easy as possible, I can show what personal data of yours we receive in the following cases:
Signing up to email lists/lessons/updates/offers
- We can see your email address and the system automatically uses that to deliver your content
- We can see the name that you enter when you register
- For email-confirmed subscriptions the email system estimates a nearby city location
When you confirm a subscription by clicking a button within an email, the system sends us an email with the name you entered, the email address you entered and an estimated nearest city location that you signed up from (based, as I understand, on the internet server that the subscription was processed through).
Buying products with payments processed by PayPal (Including credit card transactions via the website shopping cart as well as PayPal buttons).
Personal data that we see and use in these cases are:
- Your email address
- Delivery Address
- Name
This information is used to get your products to you; it’s all held by PayPal and is made accessible to us when we log in to our PayPal account.
We DON’T get to see your credit or debit card details.
Buying products through Gumroad or Kartra (the same applies to becoming a Patreon Donor)
We can access and use the following data to deliver your products/items/bonuses and information:
- Name (as entered)
- Delivery Address (where entered for physical products/items/bonuses)
Other than addressing products for delivery – we do not pass on any of your personal details to third parties. This includes the fact that we remove any personal data (email address, name, delivery address) from any accounting material that we send to accountants and/or book-keeping services.
Where we keep records of sold products (other than those maintained on secure, password protected external services like PayPal, Gumroad, GetResponse, Kartra etc.), those data are stored on encrypted, password-protected external drives.
We will also remove/destroy notification emails for subscriptions that become older than three years (so that we do not store your email contact details from those notifications indefinitely).
So – I realise that this isn’t the most amazingly exciting message in the world but it is extremely important for you to understand how we treat your data and also how hard we’ll be working to comply with GDPR standards for everyone that we deal with.
As part of that compliance, we will have to pay a subscription fee/tax to register with the ICO (Information Commissioner’s Office), so – again – it is something that we’re taking very seriously.
And the big ask from me, once more, is that if you’re not 100% happy to receive email communications from us on the subjects, lessons, product launches, bonus offers and activities that we’d like to keep you updated on
PLEASE UNSUBSCRIBE!
If you’re staying with us, then you are incredibly welcome and I hope that you have a clearer idea of how carefully we treat your data.
Personal Data Flow Mapping Audit
Personal data is received (and may be subsequently processed by us) by 4 primary means:
Voluntary sign-up to email newsletter information and offers
This occurs typically via “double opt-in” using a web sign-up form (and subsequent clicking of confirmation link within an email that the subscriber wishes to receive our content) using the services GetResponse and, in the near future, Kartra. Additionally, advertising campaigns run on Facebook or other platforms may be added directly to an email distribution list via single opt-in where the advert and form completion process makes clear the content and its method of delivery that subscribers can expect.
The information submitted is the name supplied by the subscriber and their email address; the email subscription platform (e.g. GetResponse) may supply the approximate location of the server used to complete that registration (to the nearest city level). That information is not always provided. When such information is generated and supplied, it may be transmitted by email (for double opt-in subscribers) or merely added to the subscriber database within the email subscription platform.
- Any emails notifying us of a subscription are deleted after 3 years.
- Subscribers are notified prior to subscription and at multiple points during receipt of email content that they can unsubscribe from any list by clicking the link provided with each and every email communication that is automatically delivered.
Voluntary Registration for a Webinar Broadcast
In order to receive the private link to a webinar, registrants submit their preferred name and an email address to a third party platform (i.e. expertisetv.com). While those email addresses are stored and maintained by expertisetv.com, it is possible for Double Badger Media Ltd. (when logged in to the Expertisetv.com platform) to both contact and also see the email addresses registered for the purposes of attending that webinar and receiving relevant updates and offers related to it. The landing page used by attendees to sign up to that service makes clear the nature of information that they can expect to receive and that completion of the form constitutes consent to be contacted by those means. Double Badger Media does not transfer those email address details to other storage locations and simply uses the automated email contact facility provided by the expertiseTV.com platform.
Purchase of a Product Via Online Platforms (including our own websites and the third party platform Gumroad.com)
The fulfilment and attendant customer service pertaining to online purchases may involve the receipt of a customer’s address (for delivery of physical goods), email address and phone number (for customer service and, in the case of email address, may also include delivery of download links and discount codes for digital products).
Payments that are processed on our own webpages are processed via Stripe or PayPal. Delivery addresses and contact details for the purposes of fulfilling those orders and/or resolving issues are maintained by PayPal and made available for vendors, such as ourselves, to access and process. Those details are periodically transferred from PayPal’s secure servers to our own system for accounting and customer service functions. When such transfers are made, those data reside on password-protected computers and encrypted, password-protected external drives. Personal data details are removed from records prior to being forwarded to accounting and book keeping third parties.
In the instances where we adopt Stripe as a payment processor, personal data that is made available to us from Stripe will be treated in the manner described for PayPal.
The Gumroad.com platform maintains email addresses and user-provided names of customers who have downloaded a product and/or have voluntarily opted to receive updates by being a “follower” of a particular Gumroad vendor page. Gumroad.com informs users that they can opt out of notifications at any time and they are undertaking their own GDPR compliance activities as a third party provider. The facility to have Gumroad.com email customers and followers on our behalf is the most typical method that we use to issue notifications of updates to existing products and news of new products. This does not involve us processing personal data as message delivery is automated from within the Gumroad.com platform.
Delivery of the small number of physical products we offer via Gumroad.com involves copying the delivery address (displayed when logged in to Gumroad’s secure platform) by hand onto packaging labels. For customer service, we may copy and paste a customer’s email address directly into the recipient’s address field within a personal email account that is separate from Gumroad to provide a more personalised experience.
Voluntarily becoming a “Patron” via Patreon.com (i.e. patreon.com/tenkara)
When donors decide to support our creative efforts by signing up for a monthly payment via the Patreon.com platform they enter their email address and preferred name/nickname as well as their payment card details. While the payment card details are not passed on from Patreon.com, the individual email addresses of supporters are visible within the login-secured “Creator” area of the platform. We do not exercise an option to transfer those personal details outside of the Patreon Platform and, instead, use the automatic communication mechanisms within the platform to communicate with Patreon.com supporters of our work.
We will continue to revisit, revise and re-publish updates to this data-flow mapping audit,
Paul Gaskell and John Pearson
Discover Tenkara
(Part of Double Badger Media Ltd.)
Just finishing our GDPR at work. What a ball ache!!
I’m a yank but I also run the IT department for an Int. non-profit. And as someone who spent over a year working on GDPR, I just want to say great work. It will be interesting to see the evolution of this important piece of legislation.
Thanks Marc, it was quite a task to do all the research to get up to speed with GDPR while trying to keep everything else in the business afloat, but all very necessary. It means a lot that someone like yourself thinks we did a good job, so thank you.
Paul