Basic description of my process:
I am a Sole Trader, making knitted baby clothes from home.
I am Tania Dunkley : Current address on request
Tel 073 7722 9890
I sell on Etsy https://www.etsy.com/shop/CraftyStuffBabyHats
on Facebook https://www.facebook.com/Craftystuffsa/
and my own Shopify website www.craftystuffbabyknits.co.uk
I make a sale online, receive payment via PayPal, I print out a copy of the order/ invoice, make the outfit, ship to the address provided, clip proof of shipping from the Post Office or Courier to the order/ invoice. This gets filed in a drawer and kept for 5 years for HMRC for tax purposes. The customer is only emailed/ SMS for confirmation of receipt of the order, to request additional information (if applicable and necessary), and confirmation of shipping of the order. This is done automatically by either Etsy or my Shopify store. The postal address and email of the customer are only used to enable me to ship their order
Detailed Process for each Shop:
My Etsy shop :
Etsy have their own GDPR policies, which protect all information that they process. https://help.etsy.com/hc/en-gb/articles/360001027628-General-Data-Protection-Regulation-GDPR-
When I receive an order from Etsy, via email, I print the order page with Name, email and postal address on it, which in turn goes into my production file. Once the order is fulfilled, I clip the proof of shipping slip from the Post Office to the order. This gets filed away for tax purposes for 5 years. Thereafter the paperwork is shredded.
I do not collect the names, emails or addresses in any kind of data base of my own, these remain on the Etsy site only, which is secured by their own policies.
Shopify : www.craftystuffbabyknits.co.uk
I have my own Shopify shop at the above address. I am a sole trader, and the only person, other than Shopify, with access to the information.
Customers are not required to create an account on the site, they can check out as a guest. Information required is name, address, email or phone number. The customer is notified that the order has been placed, and shipped via either email or sms, via the Shopify automated system. I do not contact the customer outside of the 2 emails or sms other than to confirm details of an order, if necessary. Emails are not automatically collected for a mailing list.
When I receive an order from Shopify, via email, I print the order page with Name, email and address on it, which in turn goes into my production file. Once the order is fulfilled, I clip the proof of shipping slip from the Post Office to the order. This gets filed away for tax purposes for 5 years. Thereafter the paperwork is shredded.
Shopify 3rd party Apps:
I use BOLD Commerce to assist with my Shopify theme, and to provide customers with a Multi-Currency, so that they can see the prices in their home currency.
I have a Facebook group and Facebook page where I market my shops. I occasionally get a customer ordering directly, via comment on one of my posts. An order will then be placed via PayPal invoice and sent to the email that they provided.
There is a Facebook app attached to my Shopify store that hosts a Facebook store on my page. Anyone who clicks on a link in the Facebook store are directed to the Shopify store, and an order is placed there.
All payments for all orders are directed to PayPal, for my Etsy shop, Shopify shop and any orders that I may receive via Facebook or Facebook Messenger.
I use PayPal as it is secure, and I do not see any banking, credit card or payment information that a customer supplies to PayPal in order to pay their order.
I do not collect or store any information other than name, address and proof of shipping of an order.
Accounting System for HRMC
I use Quickbooks by Intuit for my book-keeping for HMRC for tax purposes. When I receive a payment from PayPal I transfer the funds for each invoice individually, to my bank account. The amount only is recorded by Quickbooks, but I do not supply them with any further information, names, emails etc. The only link to the invoice is within PayPal, and is not supplied to Quickbooks.
Quickbooks privacy policies can be found here https://security.intuit.com/index.php/privacy
The printed copy of invoices and proof-of-posting slips that I keep for HMRC for tax purposes are kept in a locked filing cabinet. I am the only person with access to this, and it is stored securely in my home office.
HMRC require that I keep any documents relating to my income and expenses for 5 years for tax purposes. After the 5 years the documents will be shredded. During the 5 years, the invoice and proof of posting slip are kept in a locked cabinet.
Electronic security :
I use my personal laptop and personal phone to access my Etsy shop, Shopify shop, PayPal and Facebook accounts for managing my store. I have a password on my phone, and on each app on the phone.
I have a Microsoft account on my laptop, which requires a password to access the computer, and there are passwords on each of my accounts.
My home WIFI for internet access is with SKY broadband, via a router with a long password comprising alphabetical and numerical digits, that I do not share with anyone other than members of my household.
I have Avast Free Antivirus protection on my computer and AVG Antivirus protection on my phone. These both run continuously.
I have MalwareBytes free version on my laptop, which I run once a week to scan for any malware.
I receive emails from Etsy, Facebook and Shopify notifying me of new orders or conversations from customers. My email is via Gmail, which downloads to my computer. These emails are deleted on a regular basis, once I am sure that I will not require the information on an order that has been shipped.
Plan for removal of Data if requested:
Should a customer request that I remove any electronic information of theirs, this would depend on where they placed the order.
If an order was placed through my Shopify store, then I can manually delete the customer account information.
If an order was placed through Etsy, I can request that Etsy remove the information.
I am required to keep copies of an invoice until the 5 years, required by HMRC have passed.
Data Breach Process:
The only information that I keep regarding my customers are :
- The order showing what items they have purchased
- Name of the customer
- Email and/ or phone number of the customer
- Address that the order it to be shipped to
- Proof of shipping, showing the postal code
In the event of a data breach, I would immediately notify the customer, and the ICO (Information Commissioners Office), and PayPal/ ETSY or Shopify immediately. I would immediately change all passwords that apply to my computer, phone, apps and stores.