What is the GDPR?
General Data Protection Regulation is a data protection reform which will replace the current 1995 Data Protection Directive from May 25, 2018. It applies to all companies that collect, store or process data related to any EU resident and aims at unifying data protection for individuals within the European Union.
The key principles of GDPR include:
Right to access and to be informed
You must obtain valid consent for data collection and clearly state processing purposes and use. Customers have a right to access their data at any time to check how it is being used and where it resides, which you need to provide within a month and free of charge.
Right to rectification
In cases where personal data is inaccurate or incorrect, your business must make appropriate changes within 30 days.
Right to be forgotten
A customer can request for his/her data to be deleted when they believe there is no compelling reason for continuous processing. This includes instances where “personal data is no longer necessary in relation to the purpose for which it was originally collected or when the individual withdraws consent”.
In an event of a data breach, the relevant individual has to be informed within 72 hours. If unaddressed, it is likely to result in damage to reputation and financial loss to the data controller.
Need more info?
GDPR will impact virtually any company that’s either based in Europe, or has any customers in Europe.
What does it mean for your business?
GDPR requires you to introduce stricter control on where personal data is stored and how it is used for transparency and in line with individuals’ rights for personal privacy. This means that software, systems and processes must be reviewed to ensure compliance. According to Information Commissioner’s Office (ICO) you should:
Educate everyone within your organisation on the GDPR regulations.
Assess and document what personal data you hold, where it came from and who you share it with. You may need to organise an information audit.
Update your internal policy and procedures to ensure your business is compliant.
Review your GDPR processes regularly to avoid unnecessary fines.
How can I prepare for GDPR?
Preparing for the GDPR doesn’t have to be complicated. The GDPR may seem complex, but when it’s stripped down, a large amount of the principles already exist in the UK’s Data Protection Act, so if you are following this fully currently, then you shouldn’t have a huge amount of work to do to comply to the GDPR. There are steps you take now to get your business complying.
The ICO explained “you are expected to put into place comprehensive but proportionate governance measures,” “Ultimately, these measures should minimise the risk of breaches and uphold the protection of personal data. Practically, this is likely to mean more policies and procedures for organisations, although many organisations will already have good governance measures in place.”
- Storing Information.You should document what personal data you hold, where it came from and who you share it with. This needs to be organised and clear.
- Education. Anybody processing data in your company needs to be educated about the GDPR and its implications.
- Individual’s Rights. You should check your procedures to ensure they cover all the rights that individuals have. This includes how you would delete data and how you would provide data, online and electronically.
- Children. Start thinking now whether you need to put systems in place that verify individual’s ages and assess whether obtaining a parental or Guardian consent for any data your business holds is necessary.
- Consent. It’s important to review how you seek, record and manage consent and whether you need to make any changes.
- Data Breaches. Make sure you have the right procedures in place to detect, report and investigate a personal data breach. You will have only 72 hours to report data breaches.
- Data Protection Officer. Designate someone in the company to take responsibility for data protection compliance. Assess where how this role will sit with your organisation’s structure and consider formal designation.
- International. If you operate in more than one EU member state (you carry out cross boarder processing) you need to determine your lead data protection supervisory authority.
- Lawful Basis. You should identify your lawful basis for the processing of the data you do. This is vital, as under the GDPR individual’s rights will be modified depending on your claimed lawful basis for holding their information.
Design & Data Protection Impact Assessments. You should familiarise yourself now with the ICO’s code of practice on Privacy Impact Assessments as well as the latest guidance from the Article 29 Working Party, and work out how and when to implement them in your organisation.
How can iVend Retail help you to become GDPR compliant?
iVend Retail is an on-premise or private cloud deployed solution therefore Citixsys cannot be considered a Data Processor under GDPR definitions, the data is owned and controlled by you the retailer. However, as part of your infrastructure, there are many areas that exist to enable you to be compliant as part of a full compliance plan, please see below some examples.
- API Encryption – Utilising an SSL certificate to ensure that all data transmitted is encrypted and secure.
- Being Forgotten – From iVend 6.5 Update 6 it will be possible to opt to be forgotten – Standard personal data is anonymised ensuring that data integrity is maintained whilst supporting the right to be forgotten.
- Customer required to give consent – No longer is it acceptable to assume that it is OK to use the customer data. It is possible within iVend to create a User Defined Field and make this mandatory to show that the consent is either gained or not.
- Data Access – Customer details and Sales history reports are available to service data access requests
However – there are areas outside of iVend Retail that need full consideration, all systems and processes need to be considered as one, for example
- System Backups – How and where are system backups – if a customer has requested to be forgotten – yet the data is stored in backups?
- Data Usage– What if a member of staff uses a mobile number to send a SMS / WhatsApp to a customer, customer emails on personal mobile phones? A data request / request to be forgotten applies to all systems
- Connected Systems – ERP / eCommerce / CRM – Which system is the master? How are updates made to ensure Forgotten is Forgotten. A data request applies to all systems / request to be forgotten applies to all systems.
- Paper Trail D — Do you keep paper copies / receipt copies with personal details?
It’s Your Responsibility!
GDPR is not a one-off compliance demonstration and requires a fundamental organisational transformation with regard to data and privacy.
While software vendors will help you comply with GDPR by releasing relevant updates, it is important to recognise that compliance is a shared responsibility. This might include reviewing your tools, processes and expertise and making changes based on those findings.
Failure to do so could prove costly – as companies that do not meet the requirements could face reputational harm and substantial fines of 20 million euros, or 4 percent of annual worldwide turnover, whichever is greater.
This document should not be relied upon as legal advice on how to comply with GDPR. We encourage you to work with a legally qualified professional to discuss GDPR, how it applies specifically to your organisation, and how best to ensure compliance.
This document covers the GDPR compliance for iVend Retail and does not include iVend eCommerce and iVend Loyalty Customer Portal. A separate document will be released for it as both these applications are consumer facing.
Further reading on GDPR
Need more information? Below are links to some helpful GDPR resources: