Shining a light on GDPR
GDPR and what it means for your EPOS solution.
We have all heard that there is something coming in the distance, clouded in mystery. Here, we turn on the light to see what's ahead of us.
The General Data Protection Regulation (GDPR) comes into force on 25th May 2018, that’s the last Friday in May! The new EU regulation will bring considerable changes to the existing data protection law in the UK and across the EU for the first time in 20 years. GDPR’s ‘long arm’ jurisdiction ensures that companies processing data on EU citizens must comply with the new requirements wherever they are based.
The GDPR focuses on enhancements to existing individuals’ rights whilst creating some new ones, but before we go into detail it’s important to understand that organisations in breach of GDPR can be fined up to €20m or 4% of global turnover. Fines are staged depending on the seriousness of the infringement, and data breaches must be notified to the Information Commissioner’s Office (ICO) no later than 72 hours from the event. These penalties highlight that the new regulation is to be taken very seriously indeed.
Individual Rights
The basis of the legislation is that if you’re going to hold information on private individuals, then the individual must be informed of what use will be made of that information, whether that information will be shared with anybody else and, most importantly, they must have given you their permission to use their information in this way!
So, what does the GDPR cover in terms of processing data on individuals?
Below you will see the extent of how far it goes to protect EU citizens:
Subject Access. This area deals with confirming to the individual what data is being processed and giving them access to that data freely and in a timely fashion (unless the request is “manifestly unfounded or excessive”). This is a dramatic change which gives individuals more transparency and power.
Right to Rectification. Individuals can request that personal data is rectified without undue delay if the data is incomplete or inaccurate, which goes hand in hand with the right of access above. Any data held needs to be amended quickly.
Profiling and Automated Decision Making. The profiling aspect ensures individuals’ rights not to have decisions made against them are adhered to unless explicit consent has been given. Consent must be a clear affirmative action: failure to de-select those ‘pre-ticked’ boxes we often see will no longer constitute consent. Moreover, bundled consents are no longer valid; instead separate consents for individual actions must be obtained, and for marketing purposes explicit opt-ins will be required.
Data Portability. This stipulates that personal data can be given to an individual or third party in a “commonly used, and machine readable form”, so any data held on a subject must be able to be extracted and supplied to the subject in a commonly-used file format such as ‘.xml’ or ‘.csv’.
Erasure. Perhaps the most daunting aspect of the GDPR, otherwise known as the Right to be Forgotten. Individuals can request that electronic data is completely removed from your systems “without undue delay”. It also stipulates that data is not processed if the purpose falls outside the scope of what it was originally necessary to process for. Assessing where a subject’s data resides in the first place, and whether or not it falls into or out of scope for this requirement, can seem a huge task; there are exceptions such as legal requirements (finance institutions keeping data for 7 years), datasets that are impossible to erase and non-electronically filed documents.
Restrict Processing is an alternative to the right to erasure, applied as an interim measure whereby data can be marked as restricted whilst there is an ongoing dispute or the individual has withdrawn consent.
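To make the rights listed above concrete for a loyalty module, here is an added example (not code from Cunninghams Epos Group or the ICO) of a minimal in-memory customer store that implements subject access, rectification, restriction of processing, CSV portability and erasure with a retention exception. The class and field names, the sample customer and the 7-year retention rule for transaction records are all assumptions made for the example.

```python
import csv
import io
from dataclasses import dataclass, field
from datetime import date, timedelta


@dataclass
class Customer:
    # Assumed record layout for an EPOS loyalty module (example only).
    customer_id: str
    name: str
    email: str
    marketing_consent: bool = False  # separate explicit opt-in; default is "no", never pre-ticked
    restricted: bool = False         # set while a dispute or consent withdrawal is pending
    transactions: list = field(default_factory=list)  # dicts: {"date": date, "amount": float}


class LoyaltyStore:
    # Assumed legal-retention period for financial records (7 years, as cited in the text).
    RETENTION_DAYS = 7 * 365

    def __init__(self) -> None:
        self._customers: dict[str, Customer] = {}
        self._retained_ledger: list[dict] = []  # anonymised records kept for legal reasons only

    def add(self, customer: Customer) -> None:
        self._customers[customer.customer_id] = customer

    def subject_access(self, cid: str) -> dict:
        """Right of access: everything held on the subject plus the purposes of processing."""
        c = self._customers[cid]
        return {
            "customer_id": c.customer_id,
            "name": c.name,
            "email": c.email,
            "marketing_consent": c.marketing_consent,
            "restricted": c.restricted,
            "purposes": ["loyalty scheme"] + (["marketing"] if c.marketing_consent else []),
            "transactions": list(c.transactions),
        }

    def rectify(self, cid: str, **changes) -> Customer:
        """Right to rectification: correct inaccurate contact fields without undue delay."""
        c = self._customers[cid]
        for key, value in changes.items():
            if key not in ("name", "email"):
                raise ValueError(f"{key} is not a rectifiable field")
            setattr(c, key, value)
        return c

    def restrict(self, cid: str, restricted: bool = True) -> None:
        """Restrict processing: flag the record so processing functions refuse it."""
        self._customers[cid].restricted = restricted

    def export_portable(self, cid: str) -> str:
        """Data portability: the subject's transactions as machine-readable CSV."""
        c = self._customers[cid]
        buf = io.StringIO()
        writer = csv.DictWriter(buf, fieldnames=["customer_id", "date", "amount"])
        writer.writeheader()
        for t in c.transactions:
            writer.writerow({"customer_id": c.customer_id,
                             "date": t["date"].isoformat(), "amount": t["amount"]})
        return buf.getvalue()

    def erase(self, cid: str, today: date) -> int:
        """Right to erasure: delete the personal record; keep only anonymised
        transaction rows still inside the retention period. Returns rows kept."""
        c = self._customers.pop(cid)
        cutoff = today - timedelta(days=self.RETENTION_DAYS)
        kept = 0
        for t in c.transactions:
            if t["date"] >= cutoff:
                # No customer link survives: only what the retention duty needs.
                self._retained_ledger.append({"date": t["date"], "amount": t["amount"]})
                kept += 1
        return kept

    def may_send_marketing(self, cid: str) -> bool:
        """Processing check: refuse when erased, restricted, or never opted in."""
        c = self._customers.get(cid)
        return c is not None and not c.restricted and c.marketing_consent


def demo() -> dict:
    """Runs each right against a constructed customer and returns the observable results."""
    store = LoyaltyStore()
    store.add(Customer("C001", "A. Example", "a@example.invalid", marketing_consent=True,
                       transactions=[{"date": date(2018, 3, 1), "amount": 12.50},
                                     {"date": date(2009, 1, 15), "amount": 40.00}]))
    before = store.may_send_marketing("C001")
    store.restrict("C001")
    during = store.may_send_marketing("C001")
    store.rectify("C001", email="a.new@example.invalid")
    csv_out = store.export_portable("C001")
    kept = store.erase("C001", today=date(2018, 5, 25))
    return {"before": before, "during_restriction": during, "csv": csv_out,
            "records_retained": kept, "still_held": "C001" in store._customers}
```

The point of the `restricted` flag is that every processing path checks it, not just the marketing one shown here; erasure removes the identifiable record outright and retains only the anonymised financial rows the assumed retention duty requires, while the 2009 transaction, outside that window, is dropped entirely.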
Head over to the ICO website for an authoritative 12-step guide and a deeper look at what GDPR covers and the steps your business should be taking in preparation.
Cunninghams Epos Group have you covered
Written by Daniel Tombs, Project Manager at Cunninghams Epos Group
One of the areas we’re engaged in at Cunninghams Epos Group is making sure our solutions are ready for GDPR; our EPOS solution provides core functionality enabling the collection and processing of individuals’ data for features such as customer loyalty, deposits and pre-ordering. These modules are a crucial part of our offering, delivering many benefits to your business including promoting positive customer experiences and creating a loyal customer base, so we recognise that it is important for us to ensure our EPOS solution provides the tools to help you on your road to GDPR compliance. Future enhancements to our software will ensure your data subject rights can be managed easily and efficiently whilst still providing the full functionality of your EPOS solution.
GDPR has presented an opportunity to increase the security and protection of your users’ data. Yes, it’s a lot of regulation to digest, but be assured that compliance will bring with it trust and respect between your business and end users. With this new regulation there is no opt-out, so if you haven’t acted already, now is the time!
Find out how Cunninghams Epos Group can support you by calling us on 0330 024 5014 or email us with any questions.
(Reference material obtained from ICO website)