General Data Protection Regulation is a data protection reform which will replace the current 1995 Data Protection Directive from May 25, 2018. It applies to all companies that collect, store or process data related to any EU resident and aims at unifying data protection for individuals within the European Union.
The key principles of GDPR include:
You must obtain valid consent for data collection and clearly state processing purposes and use. Customers have a right to access their data at any time to check how it is being used and where it resides, which you need to provide within a month and free of charge.
In cases where personal data is inaccurate or incorrect, your business must make appropriate changes within 30 days.
A customer can request for their data to be deleted when they believe there is no compelling reason for continuous processing. This includes instances where “personal data is no longer necessary in relation to the purpose for which it was originally collected or when the individual withdraws consent”.
In an event of a data breach, the relevant individual has to be informed within 72 hours. If unaddressed, it is likely to result in damage to reputation and financial loss to the data controller. GDPR will impact virtually any company that is either based in Europe or has any customers in Europe.
GDPR requires you to introduce stricter control on where personal data is stored and how it is used for transparency and in line with individuals’ rights for personal privacy.
This means that software, systems and processes must be reviewed to ensure compliance.
According to Information Commissioner’s Office (ICO) you should:
Educate everyone within your organization on the GDPR regulations.
Assess and document what personal data you hold, where it came from and who you share it with. You may need to organize an information audit.
Update your internal policy and procedures to ensure your business is compliant.
Review your GDPR processes regularly to avoid unnecessary fines.
Preparing for the GDPR doesn’t have to be complicated. The GDPR may seem complex, but when it’s stripped down, a large amount of the principles already exist in the UK’s Data Protection Act, so if you are following this fully currently, then you should not have a huge amount of work to do to comply with the GDPR. There are steps you take now to get your business complying.
The ICO explained “You are expected to put into place comprehensive but proportionate governance measures,” “Ultimately, these measures should minimize the risk of breaches and uphold the protection of personal data. Practically, this is likely to mean more policies and procedures for organizations, although many organizations will already have good governance measures in place.”
You should document what personal data you hold, where it came from and who you share it with. This needs to be organized and clear.
Anybody processing data in your company needs to be educated about the GDPR and its implications.
You should review your current privacy notices and put a plan in place for making any necessary changes.
You should check your procedures to ensure they cover all the rights that individuals have. This includes how you would delete data and how you would provide data, online and electronically.
Start thinking now whether you need to put systems in place that verify individual’s ages and assess whether obtaining a parental or Guardian consent for any data your business holds is necessary.
It’s important to review how you seek, record and manage consent and whether you need to make any changes.
Make sure you have the right procedures in place to detect, report and investigate a personal data breach. You will have only 72 hours to report data breaches.
Designate someone in the company to take responsibility for data protection compliance. Assess where this role will sit with your organization’s structure and consider formal designation.
If you operate in more than one EU member state (you carry out cross border processing) you need to determine your lead data protection supervisory authority.
You should identify your lawful basis for the processing of the data you do. This is vital, as under the GDPR individual’s rights will be modified depending on your claimed lawful basis for holding their information.
Design and Data Protection Impact Assessments. You should familiarize yourself now with the ICO’s code of practice on Privacy Impact Assessments as well as the latest guidance from the Article 29 Working Party and work out how and when to implement them in your organization.
https://ico.org.uk/for-organisations/guide-to-data-protection/key-definitions/
iVend Retail is an on-premise or private cloud deployed solution therefore Citixsys cannot be considered a Data Processor under GDPR definitions, the data is owned and controlled by the retailer. However, as part of your infrastructure, there are many areas that exist to enable you to be compliant as part of a full compliance plan, please see below for some examples:
Utilizing an SSL certificate to ensure that all data transmitted is encrypted and secure.
From iVend 6.5 Update 6 it will be possible to choose the option to be forgotten – Standard personal data is anonymised ensuring that data integrity is maintained whilst supporting the right to be forgotten.
No longer is it acceptable to assume that it is “OK” to use the customer’s data. It is possible within iVend to create a User Defined Field (UDF) and make this mandatory to show that the customer’s consent has been gained or not.
It is possible to include the Privacy Policy on the receipt for new customers or alternatively, a simple web URL to refer all customers to the Privacy Policy can be included.
Customer details and Sales history reports are available to service data access requests.
However – there are areas outside of iVend Retail that need full consideration, all systems and processes need to be considered as one, for example:
How and where are system backed up – if a customer has requested to be forgotten, then does their data remain in stored backups?
What if a member of staff uses a mobile number to send a SMS to a customer or they maintain customer Emails on their personal mobile phones. A data request to be forgotten applies to all systems.
ERP / eCommerce / CRM – Which system is the master? How are updates made to ensure Forgotten is Forgotten. A data request applies to all systems and a request to be forgotten applies to all systems.
Do you keep paper copies of receipts with customer personal details?
GDPR is not a one-off compliance demonstration and requires a fundamental organizational transformation with regard to data and privacy.
While software vendors will help you comply with GDPR by releasing relevant updates, it is important to recognize that compliance is a shared responsibility. This might include reviewing your tools, processes and expertise and making changes based on those findings.
as companies that do not meet the requirements could face reputational harm and substantial fines of up to 20 million euros, or 4 percent of annual worldwide turnover, whichever is greater.
Do you need more information? Below are some links to helpful GDPR resources:
http://www.eugdpr.org/gdpr-faqs.html