A Practical Guide to the General Data Protection Regulation
The General Data Protection Regulation (GDPR) is going to affect all companies: large wholesalers and home restaurants alike. A lot has been written on this topic, but many articles are overwhelming or leave your questions unanswered.
In this post, we will explain what kind of requests you may expect from your customers, and how to protect customers’ information in Erply. Here is our previous overview of GDPR.
The goals of GDPR
The regulation has been put in place with the following goals in mind:
- Less private information should be stored in information systems.
- Information that is stored should have a clear purpose.
- Businesses must ensure customer data is stored securely.
- Companies should use better tools and practices to prevent data leaks.
The scope of the regulation
The GDPR applies to businesses of all sizes as long as they have customers or staff in the European Union.
If your company operates in the European Union, note that GDPR grants equal rights to all your customers, including non-EU customers.
What counts as customer data processing?
Data processing begins with entering a customer’s data into Erply and ends with deleting that customer’s records.
Everything in-between counts as data processing too, including:
- Viewing a customer’s record
- Modifying a customer’s record
- Using a piece of customer information for any purpose, for example sending a marketing email or printing a delivery label
How do I collect customer consent? How do I inform customers about data processing?
There are two important requirements which will likely require you to update your membership application forms (paper or electronic), and your service terms and conditions:
1. The customer must be informed of how their data will be processed.
Before collecting any personal information, you must explain to the customer what purposes their data will be used for. This is a great opportunity to explain how your customers can benefit from data processing.
You must also keep a list of all recipients of the data: the processors and other companies with whom customer data is shared. Customers may request a list of companies processing their data. Erply, naturally, is among those. If you use a webshop or a custom integration, there may be more parties involved.
Explain who is responsible for the customer’s data and how it is kept secure.
Full requirements for disclosure are listed in GDPR Article 13.
2. The customer must give their consent for each data processing purpose.
List your data processing purposes. These are likely specific to your company. It is important that these purposes are described in plain language and in a straightforward manner. Customers should not need a legal advisor to understand your data processing purposes.
Note that consent is only one of the lawful bases in GDPR Article 6. Processing that is necessary to fulfil a contract with the customer (for example, storing a delivery address to ship an order) does not need a separate consent; consent is needed for purposes that go beyond that, such as marketing or profiling.
For each such purpose, the customer must give their consent by ticking a box. On an electronic form, the boxes must not be ticked by default, and one box must not bundle several purposes together.
Your company must store the paper forms or the electronically submitted information, to be able to refer to these consents later if needed.
Erply does not provide data fields for storing these consents, other than an “Email opt-out” checkbox on customer form. Data processing purposes are specific to each company and we do not know what your exact purposes are or how many different purposes there might be.
What other rights do customers have?
GDPR grants individuals a number of rights. Privacy-minded customers will certainly find these new opportunities welcome, so be prepared to answer the following questions.
Note: Always require the customer to show a proof of identity. Disclosing or modifying the information of the wrong person is a serious offense.
1. What information is being stored about me?
Full information about a customer can be found on the customer card in the back office. Review it as needed.
2. I want to have a copy of my data.
Under GDPR, individuals may request a copy of their customer card and their transaction history. An electronic file containing this information can be downloaded from the customer card.
3. I don’t want my information to be used for …
Consent is not permanent. Allow customers to easily take back their consent: under GDPR Article 7, withdrawing consent must be as easy as giving it, and processing based on that consent must stop once it is withdrawn.
4. I want to update or remove my information.
Upon request, update information that is out of date.
Customers can also ask for their personal information to be removed from your system. The right to erasure is not absolute: GDPR Article 17 lets you keep data that you are legally obliged to retain, such as issued invoices kept under accounting law. In that case, check whether the customer has unpaid invoices or documents you must retain, erase everything else, and keep only the minimum the legal obligation requires.
Set up internal processes to handle these requests. Instead of deleting a customer card entirely, you may want to clear only the fields the customer asked to be cleared. Be proactive about data changes and have cashiers ask customers to confirm their phone numbers and email addresses at least once a year.
What personal information is stored in Erply?
Personal data, which you might have stored in Erply, may include:
- Name, gender, date of birth
- Contact information: email address, phone number, Skype username, etc.
- Postal address
- A list of contact persons for a customer
- Customer group
- Loyalty card number
- Webshop username and password
- Name of employer
- Any additional information manually stored in attributes, notes, on customer’s orders etc.
Three important rules apply when becoming GDPR compliant:
- Be careful with storing personal information in the “Notes” field, or in attributes. This applies to all documents, such as the “Notes” field of a Sales Order. Such data is difficult to find later, so you cannot easily comply with a customer’s request to have their personal data removed from your system.
- Do NOT store personal information of children, unless you have collected a parent’s consent. GDPR Article 8 sets the age at which a child can consent to online services at 16, but member states may lower it to as low as 13; check your local legislation.
- Do NOT store sensitive personal information (the “special categories” of GDPR Article 9) in Erply. Processing such data is prohibited unless one of the narrow exceptions in Article 9 applies, and a retail system is not the place for it.
Sensitive personal information includes:
- Racial or ethnic origin;
- Political opinions;
- Religious or philosophical beliefs;
- Trade union membership;
- Genetic or biometric data;
- Health information;
- Sex life or sexual orientation.
Review and minimize the amount of data your business stores
As a first step, make an inventory of all personal data you hold and ask the following questions:
- Why are we holding it?
- How did we obtain it?
- Why was it originally gathered?
- How long will we retain it?
- Do we share it with third parties, or store it in other processors’ systems?
The amount of stored personal information should be minimal. Keep only what you actually need (and have lawfully acquired) and delete the rest.
Tip: if you are working with corporate customers, you can refer to the companies’ contact persons by their job position, not by their name, and store only role-based contact details (a shared “purchasing@” mailbox or a switchboard number). Keep in mind that a direct phone number or a personal email address can still identify an individual and therefore remains personal data, even if no name is stored next to it.
Anonymize customer information
An “anonymized” customer record, in the sense used here, is one that contains no directly identifying information such as name, email address or phone number.
Since you can identify the customer by their loyalty card number, there is no particular need to store their name or email address.
This way, the customer can remain anonymous to staff, if requested, and will still retain their reward points balance, personalized coupons, loyal customer pricing, and other benefits. And you still have their detailed purchase history.
Strictly speaking, GDPR calls this pseudonymization (Article 4(5)), not anonymization: as long as the loyalty card number can be linked back to a person, the record and its purchase history are still personal data and the rights described above still apply. Pseudonymization is nevertheless a recommended safeguard, because a leaked record then reveals far less.
Does Erply log data processing activities?
Yes and no.
Yes — for everything that you do in Erply, we keep a log. Just like the regulation requires.
We cannot, however, track customer processing that takes place outside of Erply.
For activities outside of Erply, you need to:
a) Keep a separate log elsewhere
b) Write these data processing activities into Erply’s log using an API call
This includes all cases where:
- Customer information is exported from Erply
- Customer information is synchronized to another system, over API.
If you use any of the following services, you may want to check if they provide the necessary logging. If not, you may need to implement a logging solution yourself.
- Any others.
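For exports and API synchronizations that Erply cannot see, you need your own record of what was done with whose data. The following is an added example, not Erply code and not an Erply API: a small tamper-evident log in Python in which every entry carries the SHA-256 hash of the previous entry, so that editing or deleting an entry breaks the chain and can be detected. The event fields (actor, action, customer IDs, purpose, destination) are assumptions chosen to match the information a supervisory authority would ask for; the log records customer IDs only, not names or emails, so the log itself does not duplicate the personal data it accounts for. The sample events at the bottom are constructed.

```python
"""Tamper-evident log of customer-data processing done outside Erply
(exports, API syncs). Added example, not part of Erply."""
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # "previous hash" of the very first entry


def _digest(entry: dict) -> str:
    # Canonical JSON (sorted keys, no whitespace) so an entry always hashes the same way.
    return hashlib.sha256(
        json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()
    ).hexdigest()


def append_event(log: list, actor: str, action: str, customer_ids: list,
                 purpose: str, destination: str, at: datetime = None) -> dict:
    """Append one processing event; the entry is chained to the previous one."""
    body = {
        "at": (at or datetime.now(timezone.utc)).isoformat(),
        "actor": actor,                      # employee login, not a real name
        "action": action,                    # e.g. "export", "sync"
        "customer_ids": sorted(customer_ids),  # IDs only: no names, no emails
        "purpose": purpose,
        "destination": destination,          # where the data went
        "prev": log[-1]["hash"] if log else GENESIS,
    }
    entry = dict(body, hash=_digest(body))
    log.append(entry)
    return entry


def verify_chain(log: list) -> tuple:
    """Return (True, -1) if the chain is intact, else (False, index of first bad entry)."""
    prev = GENESIS
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "hash"}
        if entry.get("prev") != prev or _digest(body) != entry.get("hash"):
            return False, i
        prev = entry["hash"]
    return True, -1


def events_for_customer(log: list, customer_id: int) -> list:
    """All logged events that touched a given customer (for an investigation)."""
    return [e for e in log if customer_id in e["customer_ids"]]


def build_sample_log() -> list:
    """Constructed sample events with fixed timestamps (assumed values)."""
    log = []
    t0 = datetime(2018, 5, 25, 9, 0, tzinfo=timezone.utc)
    append_event(log, "anna", "export", [1042, 1043, 1044],
                 "monthly newsletter", "mailchimp", at=t0)
    append_event(log, "integration", "sync", [1043],
                 "webshop order fulfilment", "webshop", at=t0.replace(hour=10))
    append_event(log, "anna", "export", [1044],
                 "accounting", "excel on office-pc-3", at=t0.replace(hour=11))
    return log


if __name__ == "__main__":
    sample = build_sample_log()
    print("intact:", verify_chain(sample))
    sample[1]["customer_ids"] = [1043, 1099]   # simulate a later edit of entry 1
    print("after tampering:", verify_chain(sample))
```

In practice, write each entry as one line to an append-only file (or to a logging service your processor cannot edit) and store the hash of the latest entry somewhere separate, such as a daily email to a manager; that is what lets you prove, months later, that nothing was removed from the log before a complaint was investigated.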
Note: Customers themselves do not have the right to request a copy of their log. Logs are kept only for the — hopefully unlikely — case where a customer files a complaint. This can result in your local supervisory authority launching an investigation and asking for your business to provide the relevant logs. In that case, we will help you.
Important safety measures you should implement
Here are our recommendations for keeping your customers’ data safe:
1. Do not keep customer information on your computer.
If you must export customer information to Excel, be sure to delete the data immediately once it is no longer needed.
2. Do not use personal computers or devices for doing work.
Instruct employees to never use their personal devices to log into Erply or any other service in which you keep customer data. Ensure that office computers are configured securely, and are free of viruses and malware.
3. Use strong passwords.
Your customers’ data is protected by the password that you use for logging into Erply. If a breach occurs, your business is liable. A password should be long and randomly generated; a password manager produces and stores such passwords for you. Never reuse an Erply password on any other service, and give each employee their own account instead of sharing one login, so that the log shows who actually accessed a customer record.
4. If a customer files a request, ask for their ID.
Make sure to identify the customer before you disclose any personal data to them. Only disclose data once you have confirmed the recipient is who they claim to be.
5. Map your internal processes.
It is easier to plan your data protection measures if you make a list.
- Which are the processes in our company that touch customer information?
- Which employees are involved?
- What data is accessed?
- What is the data processing purpose?
- Where do we store this data (at which processor) and what is our legal basis for storing it?
6. Train your employees.
Share this article with all your employees or colleagues. For employee onboarding, we have a solution — see below.
7. Report data leaks.
In case of data leaks, unauthorized access, or any security breach involving possible access to personal data, your business must notify the local supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach (GDPR Article 33); if you miss that window you must explain the delay. When the breach is likely to result in a high risk to the people affected, you must also inform those customers directly, without undue delay (Article 34). Keep a written record of every breach, including those you decide not to report, with the reasoning behind the decision.
8. Verify your third-party processors.
Make sure that the third-party processors that you use comply with GDPR. You, as the Controller, are responsible for assessing the adequacy of your processors, and GDPR Article 28 requires a written data processing agreement with each of them that sets out what they may do with the data.
We strongly recommend setting up an onboarding process and making sure that employees get proper training and an overview of data protection principles before they are granted access to customer information.
The solution (which is available in the Erply app store) is as follows:
- Ask Erply customer support to enable the data protection module on your account. The module displays an informative pop-up to each user and asks for their confirmation before they can proceed. Alternatively, you can enter the confirmations manually on the employee form.
- Confirm each employee’s access to customer data.
- When all employees have been onboarded, enable restrictions from the Settings → Configuration page.
These suggestions will help you lay a solid groundwork for GDPR compliance. We hope you have found them helpful, and that you now have an idea of next steps that need to be taken to become GDPR compliant.
We are planning to offer a few more GDPR-related features in Erply. Stay tuned!