What You Need to Know About This New Data Protection Law


iVend Retail and the General Data Protection Regulation (GDPR)


What is the GDPR?

The General Data Protection Regulation is a data protection reform that will replace the current 1995 Data Protection Directive from May 25, 2018. It applies to all companies that collect, store or process data relating to any EU resident and aims to unify data protection for individuals within the European Union.


Key Principles

The key principles of GDPR include:


Right to access and to be informed  

You must obtain valid consent for data collection and clearly state processing purposes and use. Customers have a right to access their data at any time to check how it is being used and where it resides, which you need to provide within a month and free of charge.


Right to rectification 

In cases where personal data is inaccurate or incorrect, your business must make appropriate changes within 30 days.


Right to be forgotten 

A customer can request that their data be deleted when they believe there is no compelling reason for its continued processing. This includes instances where “personal data is no longer necessary in relation to the purpose for which it was originally collected or when the individual withdraws consent”.


Breach notification 

In the event of a data breach, the relevant individual has to be informed within 72 hours. If unaddressed, a breach is likely to result in reputational damage and financial loss to the data controller. GDPR will impact virtually any company that is either based in Europe or has any customers in Europe.


What does it mean for your business?

GDPR requires you to introduce stricter controls on where personal data is stored and how it is used, both for transparency and in line with individuals’ rights to personal privacy.


This means that software, systems and processes must be reviewed to ensure compliance. 


According to the Information Commissioner’s Office (ICO), you should:


Educate everyone within your organization on the GDPR regulations.


Assess and document what personal data you hold, where it came from and who you share it with. You may need to organize an information audit.


Update your internal policy and procedures to ensure your business is compliant.

Review your GDPR processes regularly to avoid unnecessary fines.


How can I prepare for GDPR?

Preparing for the GDPR doesn’t have to be complicated. The GDPR may seem complex, but when it’s stripped down, a large number of its principles already exist in the UK’s Data Protection Act, so if you are currently following that fully, you should not have a huge amount of work to do to comply with the GDPR. There are steps you can take now to get your business compliant.


The ICO explained: “You are expected to put into place comprehensive but proportionate governance measures. Ultimately, these measures should minimize the risk of breaches and uphold the protection of personal data. Practically, this is likely to mean more policies and procedures for organizations, although many organizations will already have good governance measures in place.”


Storing Information

You should document what personal data you hold, where it came from and who you share it with. This needs to be organized and clear.


Education

Anybody processing data in your company needs to be educated about the GDPR and its implications.


Privacy Policy

You should review your current privacy notices and put a plan in place for making any necessary changes.


Individuals’ Rights

You should check your procedures to ensure they cover all the rights that individuals have. This includes how you would delete data and how you would provide data, online and electronically.


Children 

Start thinking now about whether you need to put systems in place that verify individuals’ ages, and assess whether obtaining parental or guardian consent for any data your business holds is necessary.


Consent

It’s important to review how you seek, record and manage consent and whether you need to make any changes.


Data Breaches

Make sure you have the right procedures in place to detect, report and investigate a personal data breach. You will have only 72 hours to report data breaches.


Data Protection Officer

Designate someone in the company to take responsibility for data protection compliance. Assess where this role will sit within your organization’s structure and consider formal designation.


International

If you operate in more than one EU member state (i.e. you carry out cross-border processing), you need to determine your lead data protection supervisory authority.


Lawful Basis

You should identify your lawful basis for the processing you carry out. This is vital, as under the GDPR individuals’ rights are modified depending on your claimed lawful basis for holding their information.


Design and Data Protection Impact Assessments

You should familiarize yourself now with the ICO’s code of practice on Privacy Impact Assessments as well as the latest guidance from the Article 29 Working Party, and work out how and when to implement them in your organization.


https://ico.org.uk/for-organisations/guide-to-data-protection/key-definitions/


How can iVend Retail help you to become GDPR compliant?

iVend Retail is an on-premise or private-cloud deployed solution; therefore Citixsys cannot be considered a Data Processor under GDPR definitions, and the data is owned and controlled by the retailer. However, as part of your infrastructure, there are many areas that exist to enable you to be compliant as part of a full compliance plan. Please see below for some examples:


API Encryption – 

Utilizing an SSL certificate to ensure that all data transmitted via the API is encrypted in transit and secure.


Being Forgotten – 

From iVend 6.5 Update 6 it will be possible to choose the option to be forgotten. Standard personal data is anonymised, ensuring that data integrity is maintained whilst supporting the right to be forgotten.


Customer required to give consent – 

It is no longer acceptable to assume that it is “OK” to use the customer’s data. It is possible within iVend to create a User Defined Field (UDF) and make it mandatory, recording whether or not the customer’s consent has been obtained.


Printing of a Privacy Policy –

It is possible to include the Privacy Policy on the receipt for new customers or, alternatively, to include a simple web URL referring all customers to the Privacy Policy.


Data Access – 

Customer details and Sales history reports are available to service data access requests. 
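The two capabilities above (anonymising a customer on a right-to-be-forgotten request while keeping sales history intact, and servicing a data access request) are illustrated by the following added example. It is not iVend code; the customer and sales tables are constructed sample data, and the field names (including the `consent_udf` flag standing in for a mandatory consent UDF) are assumptions.

```python
import copy

# Constructed sample data (not from iVend): a customer table and a sales
# history table linked by the surrogate key customer_id.
CUSTOMERS = {
    101: {"name": "Jane Doe", "email": "jane@example.com",
          "phone": "+44 7700 900001", "consent_udf": True},
    102: {"name": "John Roe", "email": "john@example.com",
          "phone": "+44 7700 900002", "consent_udf": False},
}
SALES = [
    {"sale_id": 1, "customer_id": 101, "amount": 45.00},
    {"sale_id": 2, "customer_id": 101, "amount": 12.50},
    {"sale_id": 3, "customer_id": 102, "amount": 99.99},
]
PII_FIELDS = ("name", "email", "phone")


def fresh_customers():
    """Working copy, so the sample table itself is never mutated."""
    return copy.deepcopy(CUSTOMERS)


def anonymise_customer(customers, customer_id):
    """Right to be forgotten: overwrite PII in place but keep the customer
    row, so every sale still resolves to a valid customer_id."""
    record = customers[customer_id]
    # Placeholder derived from the surrogate key only, never from the PII
    # itself, so nothing about the person can be recovered from it.
    placeholder = f"ANON-{customer_id}"
    for field in PII_FIELDS:
        record[field] = placeholder
    record["consent_udf"] = False   # withdrawn consent must not survive
    record["forgotten"] = True      # flag for connected systems and backups
    return record


def referential_integrity_ok(customers, sales):
    """True when every sale still points at an existing customer row."""
    return all(sale["customer_id"] in customers for sale in sales)


def sales_total(sales, customer_id):
    """Sales history stays reportable after anonymisation."""
    return round(sum(s["amount"] for s in sales if s["customer_id"] == customer_id), 2)


def subject_access_export(customers, sales, customer_id):
    """Data access request: everything held about one customer, in one
    structure that can be rendered as a report."""
    return {"customer_id": customer_id,
            "details": dict(customers[customer_id]),
            "sales_history": [dict(s) for s in sales if s["customer_id"] == customer_id]}
```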


However, there are areas outside of iVend Retail that need full consideration; all systems and processes need to be considered as one. For example:


System Backups – 

How and where are systems backed up? If a customer has requested to be forgotten, does their data remain in stored backups?


Data Usage – 

What if a member of staff uses a mobile number to send an SMS to a customer, or maintains customer emails on their personal mobile phone? A request to be forgotten applies to all systems.


Connected Systems –

ERP / eCommerce / CRM – Which system is the master? How are updates made to ensure that forgotten is forgotten? A data access request applies to all systems, and a request to be forgotten applies to all systems.


Paper Trail –

Do you keep paper copies of receipts with customer personal details?


It Is Your Responsibility!

GDPR is not a one-off compliance demonstration and requires a fundamental organizational transformation with regard to data and privacy.


While software vendors will help you comply with GDPR by releasing relevant updates, it is important to recognize that compliance is a shared responsibility. This might include reviewing your tools, processes and expertise and making changes based on those findings.


Failure to do so could prove costly –

Companies that do not meet the requirements could face reputational harm and substantial fines of up to 20 million euros, or 4 percent of annual worldwide turnover, whichever is greater.


Further reading on GDPR

Do you need more information? Below are some links to helpful GDPR resources:

https://ico.org.uk/media/about-the-ico/consultations/2013551/draft-gdpr-consent-guidance-for-consultation-201703.pdf

http://www.eugdpr.org/gdpr-faqs.html

https://gdpr-info.eu/

