GDPR

The GDPR (General Data Protection Regulation) is an important piece of legislation that is designed to strengthen and unify data protection laws for all individuals within the European Union. The regulation will become effective and enforceable on the 25th May 2018.

What is Evance doing about GDPR?

We take our responsibilities under GDPR seriously. That’s why we’ve embarked on a programme to identify which measures we need to implement to be compliant with GDPR, and are working to implement them.

  • We have thoroughly researched areas of our product and how our business is impacted by GDPR. Following an audit, we created an internal roadmap to work towards compliance with GDPR.
  • Granular communication preference capabilities for Forms and checkout processes are now available.
  • Evance now tracks Privacy and Terms versioned consent allowing new agreements if either change when users access protected pages.
  • We have improved checkout processes to gain explicit Terms agreement and granular communication preferences. 

Please note this is a living article and may be updated without notice.


Understanding key definitions

Before understanding what you need to do it is important to understand some of the GDPR terminology and how it relates to you and to Evance:

Data subject

In Evance a "data subject" may be a visitor or a Contact. Evance stores personally identifiable information for various types of Contact.

Contacts are broken down into the following affected classifications:

  • User
    A user is an individual who registers a password protected account with your website either during checkout or as part of another registration process. A user is recognised by their email address, which must be unique across all user Contacts. Users have access to their account information where they may review and change their personal information as required. User information may include a range of personal information including first name, last name, email address, phone & mobile numbers, postal addresses. A full breakdown of information collected during processes and available settings is explored later in this document. 

  • Guest
    A guest is an individual who chooses not to create a password protected account at checkout, or whose information was added manually into Evance. Guests are added in a number of scenarios, including online checkout preferences, telesales orders, Contact imports from an existing CRM and supplier information. Guest information may include the full range of information accepted for a User.

  • Recipient
    A recipient holds the least amount of information on a data subject for the purpose of email marketing only. A recipient Contact is limited to First Name, Last Name and email address information.

At Evance we regularly review how data subjects are created and maintained by our platform. This includes the security and integrity of the data associated with all data subject types above.

Data controller

It's you. As a tenant of Evance, you determine the purpose of your website and the use of facilities on our platform. You have control over the collection of personal data via checkout, newsletter subscriptions, registration processes or online forms. As such it is your responsibility to ensure data is collected and controlled ethically and in accordance with GDPR. Evance has a number of facilities to assist in your compliance.

Data processor

That's us (and any other third parties you use). We process information on your behalf. This includes implementing facilities for the collection, storage and backing up of all data including personally identifiable information. Much like our commitment to PCI Compliance we're committed to secure and ethical privacy practices. Evance may not be your only data processor and you should evaluate any apps, add-ons or plugins individually (e.g. Google Analytics, Hotjar etc.). 


Territorial scope

GDPR applies to the personal data of data subjects within the European Union, and to processing carried out by controllers and processors established in the EU wherever the data subject is located. Evance will be adopting GDPR compliant requirements and practices for all data subjects, regardless of their location.

Consent

We have broken data subjects' "Right to be informed" down into the following sub-sections:

Contact permissions

GDPR and the ePrivacy rules (PECR in the UK) require granular opt-in consent for using an individual's data in marketing campaigns, separately for each delivery method.

We have added support for granular consent to Email (email marketing), Phone (telesales), SMS (text messaging) and Post (direct mail) based campaigns/lists. This differentiation is possible within Recipient List management features. However, displaying granular consent may vary depending on your website:

  • At checkout
    All types of consent will be displayed during checkout. This is because all associated fields are available including email, address, mobile and phone number.    

  • User registration
    We can only permit email-based consent at registration because the additional fields required for the other options are unavailable at registration.

  • Newsletter subscriptions
    Only email consent will be permitted as our newsletter subscription system is concerned only with email-based subscriptions. 

  • Forms
    Only email consent will be permitted in forms built using our Form Builder. This is because Form Builder is not yet able to determine whether an address block or mobile phone is associated with the form. Once this is possible we shall include SMS and Post consent as appropriate. In this event you may be required to update your Forms.

Cookie consent

Evance sets a number of cookies which are operational (strictly necessary for the site to work) and do not require granular consent. You are still required to inform visitors that such cookies are in use and that use of your website implies acceptance of these cookies. Evance includes a generic Cookie Consent bar on all versions of Evance from version 4 up (Evance Malachite (standalone) and Evance Cloud). However, our generic cookie consent bar is not capable of dealing with granular consent for non-operational cookies which identify individuals (i.e. are not anonymous) for the purpose of marketing or advertising targeting. If you require such controls over your cookies then you should switch our generic cookie consent bar off and have your web developer implement appropriate functionality for your specific requirements.

If you are using Google Analytics with re-marketing features turned off our generic Cookie Consent bar will suffice. However, if you have re-marketing tools turned on you may need to have a custom cookie consent facility. 

We use the following kinds of cookies to run Evance websites:

Feature use/recall

Evance stores a number of cookies exclusively to make feature use and recall a better experience on our websites. 

For example, we store recently viewed items and saved cart information in cookies for user convenience (ev-cart and EV_RECENT). Blocking these cookies will not prevent Evance sites from working but may reduce some site functionality.

Preferences

These cookies allow our websites to remember information that changes the way the site behaves or looks, such as your preferred locale. Blocking such cookies may make the website experience less functional but should not prevent it from working.

Session state

We collect information about how users interact with a website. This may include the pages a user has visited and whether they encountered error messages on certain pages. We use session state cookies to help us improve Evance.

Security

We use security cookies to authenticate users, prevent fraudulent use of login credentials, and protect user data from unauthorised parties.

For example, we use cookies called ev-sid, ev-uid and ev-csrf which contain tokens relating to securing user access.


We use various domains to set cookies:

  • evance.me
  • *.evance.me

Your own preferred domain will also be used to set cookies. 
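If you do need granular control over non-operational cookies, the following JavaScript is an added example of the kind of gate your web developer would implement; it is not Evance's consent bar or any Evance code. It treats the Evance cookies named above as operational (no opt-in needed), fails closed for any cookie it does not recognise, stores the visitor's choice in a cookie with Secure and SameSite attributes, and loads third-party tags only for categories that were opted in. The consent cookie name, the analytics/marketing classification of the Google cookies and the tag loader are assumptions; whether Google Analytics itself needs an opt-in depends on the re-marketing configuration described above, and the example treats it as opt-in to be conservative.

```javascript
// Added example, not Evance code: a granular cookie-consent gate.
// Assumptions: the category map below, the consent cookie name, and the tag loader.

// Evance cookies named on this page are operational and need no opt-in.
// Non-operational cookies that identify an individual require an explicit opt-in.
const COOKIE_CATEGORY = {
  'ev-sid': 'operational', 'ev-uid': 'operational', 'ev-csrf': 'operational',
  'ev-cart': 'operational', 'EV_RECENT': 'operational',
  '_ga': 'analytics',      // Google Analytics (assumed category, conservative)
  '_gcl_au': 'marketing',  // hypothetical re-marketing cookie (assumption)
};
const CONSENT_COOKIE = 'ev-consent'; // assumed name for the stored choice
const NO_CONSENT = Object.freeze({ analytics: false, marketing: false });

// Parse a document.cookie-style "a=1; b=2" string into a plain object.
function parseCookies(cookieString) {
  const out = {};
  for (const part of (cookieString || '').split(';')) {
    const i = part.indexOf('=');
    if (i < 0) continue;
    const name = part.slice(0, i).trim();
    if (!name) continue;
    try { out[name] = decodeURIComponent(part.slice(i + 1).trim()); }
    catch { out[name] = part.slice(i + 1).trim(); } // keep raw value if badly encoded
  }
  return out;
}

// Read the visitor's stored choices. Absent or malformed means nothing opted in.
function readConsent(cookieString) {
  const raw = parseCookies(cookieString)[CONSENT_COOKIE];
  if (!raw) return { ...NO_CONSENT };
  try {
    const parsed = JSON.parse(raw);
    return { analytics: parsed.analytics === true, marketing: parsed.marketing === true };
  } catch {
    return { ...NO_CONSENT };
  }
}

// May this cookie be set under the current consent? Unrecognised cookies are
// treated as marketing and therefore denied until opted in (fail closed).
function mayStoreCookie(name, cookieString) {
  const category = COOKIE_CATEGORY[name] || 'marketing';
  if (category === 'operational') return true;
  return readConsent(cookieString)[category] === true;
}

// Serialise a choice as a cookie string with Secure and SameSite=Lax. It is not
// HttpOnly because the consent UI itself has to read it in the browser.
function consentSetCookie(choices, maxAgeSeconds = 180 * 24 * 3600) {
  const value = encodeURIComponent(JSON.stringify({
    analytics: choices.analytics === true,
    marketing: choices.marketing === true,
  }));
  return `${CONSENT_COOKIE}=${value}; Max-Age=${maxAgeSeconds}; Path=/; Secure; SameSite=Lax`;
}

// Load third-party tags only for categories that were opted in. `loader` stands
// in for injecting the real script tag; by default it just returns the tag name.
function loadTags(cookieString, loader = (tag) => tag) {
  const consent = readConsent(cookieString);
  const loaded = [];
  if (consent.analytics) loaded.push(loader('google-analytics'));
  if (consent.marketing) loaded.push(loader('google-remarketing'));
  return loaded;
}

// Walk-through on a constructed cookie jar (in a browser this is document.cookie).
function demo() {
  const beforeChoice = 'ev-sid=s1; ev-csrf=t1';
  // Visitor opts in to analytics only; the name=value part is what the browser
  // presents back on later requests.
  const afterChoice = beforeChoice + '; ' + consentSetCookie({ analytics: true }).split(';')[0];
  return {
    sessionBefore: mayStoreCookie('ev-sid', beforeChoice),       // true: operational
    gaBefore: mayStoreCookie('_ga', beforeChoice),               // false: no opt-in yet
    unknownBefore: mayStoreCookie('some-tracker', beforeChoice), // false: fail closed
    gaAfter: mayStoreCookie('_ga', afterChoice),                 // true
    remarketingAfter: mayStoreCookie('_gcl_au', afterChoice),    // false: not opted in
    tagsAfter: loadTags(afterChoice),                            // ['google-analytics']
  };
}

console.log(demo());
```

In the browser, pass document.cookie as the cookie string and assign the value returned by consentSetCookie to document.cookie; on the server the same string can be sent as a Set-Cookie header. The important design point is the fail-closed default: a cookie that is not on the operational list is never set until the visitor has opted in to its category.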

Terms & Conditions acceptance

Agreement to terms may either be implied by clicking the "continue" button to proceed to payment, or made explicit by including an "I agree to the Terms & Conditions" switch on the Summary page. Explicit agreement gives you a clearer record of acceptance. We strongly recommend you create a Terms page and configure it within your Legal Settings.

ePrivacy Statement acceptance

This applies to checkout and Forms, where granular control over communication preferences may be configured as required.
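As an added example, not Evance's own code, the following JavaScript models the rules from the Contact permissions and Terms & Conditions sections above: consent for a channel can only be requested when the process collects the matching contact field, an opt-in is stored as explicit evidence (value, source, time) and never inferred from an untouched box, and a contact must re-agree whenever the live Terms or Privacy version differs from the one they accepted. The field and channel names, the contact record shape and the version numbers are assumptions.

```javascript
// Added example, not Evance code: granular communication consent with evidence,
// and versioned Terms/Privacy agreement. Field names, the contact record shape
// and the version numbers are assumptions.

// Each channel needs one contact field before consent for it can be asked for.
const CHANNEL_REQUIRES = Object.freeze({
  email: 'email',   // email marketing
  phone: 'phone',   // telesales
  sms: 'mobile',    // text messaging
  post: 'address',  // direct mail
});

// Which consents may a process (checkout, registration, form) offer? Only the
// channels whose underlying field that process actually collects.
function offerableChannels(collectedFields) {
  const fields = new Set(collectedFields);
  return Object.keys(CHANNEL_REQUIRES).filter((ch) => fields.has(CHANNEL_REQUIRES[ch]));
}

// Record a decision as evidence: explicit boolean, where it was captured, when.
// An unticked box is stored as false; consent is never inferred.
function recordConsent(contact, channel, granted, source, now = new Date()) {
  if (!(channel in CHANNEL_REQUIRES)) throw new Error(`unknown channel: ${channel}`);
  const consents = { ...(contact.consents || {}) };
  consents[channel] = { granted: granted === true, source, at: now.toISOString() };
  return { ...contact, consents };
}

// Sending on a channel requires a recorded, explicit opt-in; anything else is a no.
function mayContact(contact, channel) {
  const c = contact.consents && contact.consents[channel];
  return Boolean(c && c.granted === true);
}

// Versioned legal acceptance: re-agreement is needed whenever the live Terms
// or Privacy version differs from the one on record (or nothing is on record).
function needsReagreement(contact, live) {
  const a = contact.agreements || {};
  return a.terms !== live.terms || a.privacy !== live.privacy;
}

function recordAgreement(contact, live, now = new Date()) {
  return { ...contact, agreements: { terms: live.terms, privacy: live.privacy, at: now.toISOString() } };
}

// Walk-through with constructed data.
function demo() {
  const when = new Date('2018-05-25T09:00:00Z');
  // Registration collects name and email only, so only email consent can be offered;
  // checkout collects the full set, so all four channels can be offered.
  const atRegistration = offerableChannels(['firstName', 'lastName', 'email']);
  const atCheckout = offerableChannels(['email', 'phone', 'mobile', 'address']);

  let contact = { id: 'c-1', email: 'jane@example.test', agreements: { terms: 2, privacy: 1 } };
  contact = recordConsent(contact, 'email', true, 'checkout', when);  // ticked
  contact = recordConsent(contact, 'sms', false, 'checkout', when);   // left unticked

  const live = { terms: 3, privacy: 1 }; // Terms were republished since the contact agreed
  const mustReagree = needsReagreement(contact, live);
  contact = recordAgreement(contact, live, when);

  return {
    atRegistration,                            // ['email']
    atCheckout,                                // ['email', 'phone', 'sms', 'post']
    emailOk: mayContact(contact, 'email'),     // true
    smsOk: mayContact(contact, 'sms'),         // false: explicit no
    postOk: mayContact(contact, 'post'),       // false: never asked
    mustReagree,                               // true
    settled: !needsReagreement(contact, live), // true after re-agreement
    evidence: contact.consents.email,          // { granted: true, source: 'checkout', at: '2018-05-25T09:00:00.000Z' }
  };
}

console.log(demo());
```

Two points carry over to a real implementation: the consent record keeps the source and timestamp so you can demonstrate how and when consent was obtained, and a channel that was never offered (post, in the walk-through) is denied rather than defaulting to permitted.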


Right to access

Part of the expanded rights of data subjects outlined by the GDPR is the right for data subjects to obtain confirmation as to whether or not personal data concerning them is being processed, where and for what purpose. Further, the controller shall provide a copy of the personal data, free of charge, in an electronic format (if requested).

Evance Users have access to their account information, however Guests aren't currently able to obtain such information without your assistance. We do not have any planned changes to accommodate this functionality yet. 


Data portability

GDPR introduces data portability: the right for a data subject to receive the personal data concerning them, which they have previously provided, in a 'structured, commonly used and machine-readable format', and the right to transmit that data to another controller.

Currently, there are no planned dates to accommodate export of all data on data subjects. This must be done manually upon request until further notice. 


Right to be forgotten

Also known as Data Erasure, the right to be forgotten entitles the data subject to have the data controller erase his/her personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data. 

Marketing lists

Evance's opt-out functionality is adequate for Recipients who wish to be forgotten. This functionality is already available. If you are using Evance's email sign-up functionality you must provide an opt-out link in your emails. We are reviewing all automated emails that apply. 

Guests and/or users

Currently, we do not have self-service facilities in place for Guests or Users to be forgotten. We are still evaluating the impact on operational requirements for e-commerce orders, receipts and shipments. However, your visitors may request that you soft-delete their information from within Evance. When a Contact is deleted their order history remains archived, but their details can no longer be processed.


Privacy by design

Both security and privacy are high on our agenda. Because we handle financial data, Evance regularly undergoes security reviews and scans to ensure we maintain PCI Compliance. These controls support our security obligations under GDPR, although PCI Compliance on its own is not the same as GDPR compliance, which also covers lawful basis, data subject rights and retention.


Data breaches & notifications

At Evance we take security extremely seriously. We break down data breaches into the following:

User

A breach limited to a single User.

This applies to Users of your website with a password protected account that has been compromised. 

Whilst we regularly review security to protect Users at a technical level, users must take responsibility for using your website securely.

A User's account may be breached through a number of attack vectors such as social engineering, saving passwords on a shared computer, or via malware.

You should assist a User as appropriate in the event of such a breach. Where the compromise arose from the User's own credentials or device rather than from your systems, you do not generally need to report it, but you should keep a record of what happened.

Account

A breach limited to your tenant Account with Evance. 

This applies to Users with administrative access to Evance.

We regularly review Account integrity and security protocols at a technical level to ensure Accounts are safeguarded against cross-account security and integrity violations. However, it is the responsibility of Tenants to ensure each User with administrative access to your Account is using it securely and responsibly. An administrative User's account may be breached through the same attack vectors a User faces, and an administrative User may also deliberately or accidentally compromise data.

A breach of your Account compromises the privacy of all data subjects directly associated with your Account. 

In the event an Account breach has been identified, it is the responsibility of you as our Tenant to:

  • inform Evance as soon as possible - we will assist you with investigating and handling an Account breach. 
  • notify the supervisory authority in accordance with GDPR Article 33, within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to individuals. Such risks include loss of control over their data, identity theft/fraud, financial loss, damage to reputation or loss of confidential/sensitive data. In the UK the supervisory authority for GDPR breaches is the ICO.
  • inform all affected data subjects without undue delay where the breach is likely to result in a high risk to them (GDPR Article 34).

Platform

The most serious type of breach is at a Platform level affecting all data subjects across one or more tenant Accounts. This may be the result of a technical fault or a vulnerability exploit.

Security and privacy are of utmost importance to Evance. We regularly review and maintain Evance security from infrastructure to software.

Our team does not have direct access to information on data subjects within Accounts, unless you have invited a member of our team to access your Account with administrative privileges. 

In the event of a Platform breach it is our responsibility as your data processor to:

  • inform all affected Tenant Account owners of the breach without undue delay, as GDPR Article 33(2) requires of a processor.
  • notify the UK ICO of the breach where the breach could affect individuals adversely, in respect of any data for which Evance is the controller. For data we process on your behalf, the notification to the ICO is yours to make as controller, and we will assist you with it.



FAQs

As part of your own compliance you'll have some questions for us, which may include:

  • Where does Evance store customer data?
    We use a data hosting provider (HA247) with servers located within the UK to host our online services. 
  • How does Evance comply with EU data export restrictions?
    All data is located and processed within the UK. When we need to transfer data to other territories, such as the United States, we ensure the "appropriate safeguards" prescribed by GDPR are in place. This may include entering into the European Commission's Standard Contractual Clauses with trusted partners to whom data is transferred, or ensuring the entity is Privacy Shield certified (for transfers to US based organisations).
  • What security measures do you have in place to protect data?
    Security is of paramount concern to Evance. We regularly review, monitor and update security from our infrastructure through to our software. We do this to ensure we meet or exceed the requirements of GDPR and PCI Compliance.