The General Data Protection Regulation (GDPR) is coming and we have put together some quick get-to-know facts about everything you need to know. This article will give you a basic glimpse what the GDPR is, whether it applies to you, how it affects data processing and how to comply your business processes to the GDPR by using the solutions provided by Erply.
What is the GDPR?
The General Data Protection Regulation (GDPR) will apply across the European Union on May 25th, 2018, which means that every entity that processes personal information must be ready to do it by the principles stated in the GDPR. Upcoming changes will redefine the data protection and concept of personal data to accompany the changes of the 21st century regarding the digitalization of personal data. Furthermore, data processing becomes transparent and controllable by both parties. In general, the collecting and use of the data must be fair, the data subject has control over their data and how it is used, and data must be protected from misuse and breaches depending on the sensitivity of the data.
Territorial changes in the GDPR
The GDPR principles will apply to all data controllers in EU economic area. Furthermore, the GDPR intends to expand the data protection concept to non-EU data controllers processing data of the natural persons from the EU economic area. The new framework will apply to all personal data collected and processed in the EU economic area. This is regardless of whether the data subject is EU employee, citizen or not — the protection will apply to all people equally.
The GDPR also regulates the data processing between the parties engaging in mutual economic activity whether the companies are engaging in a corporate activity or are processing the data on behalf of the data controller. All parties engaging in mutual processing must be GDPR compliant and companies in joint collaboration must define the responsibilities between each other.
What does the GDPR mean to Erply retailers?
The GDPR, in general, obliges companies to strict and regulate more the processing of the personal data. This means that the data controller (a company using Erply services) is responsible for the following and other defined in the GDPR:
- Personal data must reasonably be up to date and accurate. The processing of inaccurate data is prohibited under the GDPR.
- Personal data must be collected and used according to agreed purposes, which the customer (data subject) has been informed of, and has given consent. If purposes change or new purposes appear, the permission must be asked again. Per sensitive data and direct marketing types, the usage must be exclusively asked the customer. All retailers are required by the GDPR to go over their data and renew or delete customers data in case the customer permissions are not valid under the GDPR. Learn more from here
- The data has shelf-life. The shelf-time can be either defined by date or condition. When the permission has been revoked by the customer or the lawful claim for personal data has been lost, the data must be deleted or anonymized. In case a defined date for data deletion cannot be applied, the regular review must be applied for the conditions.
- All the processing – looking, creating, changing, deleting, transferring etc. must be logged either in Erply or outside Erply to provide the transparent processing of the personal data. For data processing that happens in Erply applications, Erply will handle the logging. Personal data should be processed only when it is necessary. Learn more from here.
- The customer must be always be presented with information on data collecting like contact details, purposes, storage period, rights as data subject etc. More detailed requirements are presented in the GDPR.
- Privacy must be designed and provided by default. All data involving processes and technical means must be designed in a way which provides necessary protection for the data and privacy of the customer. This means that all custom and external services outside Erply and business processes must provide an adequate level of privacy protection by its implementation and do it by default.
- Any claims filed by the customers must be addressed in 30 days without unnecessary delay.
Retailers are required to know where they are keeping the personal data and provide the necessary protection from possible data breaches even outside Erply. In Erply, the retailers are responsible for the data processing and for the data they store and manage in all Erply solutions.
Storing sensitive data (also called ‘special categories of personal data’ in the GDPR) in Erply is prohibited. This includes data about health, sexual orientation, racial or ethnic origin, opinions, beliefs, or trade union membership; or biometric data is used for identification purposes.
Rights and changes regarding personal data processing
The GDPR will also grant the customer rights over their data and processing.
- Any person has the right to be forgotten. The controller of the data must allow the data to be deleted or anonymized in case the customer asks for it and further data processing has no lawful claims to ignore the customer´s wish.
- Personal data is portable. The customer has right to ask a copy of the personal data and moves it to another controller. Learn more from here and see frequently asked questions here
- Any person has right to take back the given permissions and to agree only for those purposes which are minimally required to get the service or goods.
- Automated decisions (profiling) can be objected in case it may have a huge impact on the rights of the customer. The customer has also a right to know how the decisions emerge from their data and, alternatively, a right to have a decision made using manual processing. Learn more from here
- Inaccurate data must be corrected. The customer can request inaccurate or outdated data to be rectified under certain conditions. More details about conditions in the GDPR.
Data protection breaches and sanction rates
New data protection directive will also change how the sanctions are forced upon privacy breaches. The controller of parties, who have had any sort of privacy breach in which personal data has been damaged or leaked in any identifiable form, will have to report about the breach to local supervisory authority without undue delay in 72 hours after becoming aware of the breach and notify other involved parties about the breach. Learn more from here.
In case of failure to comply with the GDPR, the supervisory authority may apply fines up to 4% of global turnover or 20 M € or 2% of global turnover or 10 M € depending on the type of failure to comply. Overall, all monetary sanctions will increase ~80 times. Learn more from here.
Your company and Erply
Within the scope of the GDPR, Erply is a data processor. Erply provides a platform for storing customer information, but Erply itself does not acquire or process it on its own. Your organization is the data controller. See a more detailed definition of the two terms by European Commission here.
Here are three things to keep in mind:
The GDPR gives customers the right to request removal of their data. If such a request gets submitted, first ensure that the customer does not have any unpaid invoices or a non-zero balance. (A due balance is a valid reason for retaining all customer’s contact information.)
There are two alternatives for fulfilling the request. Indicated contact information — eg. an email address, phone number, or a birthday — can just be removed from customer card. However, if the customer record does not need to be retained (the customer is not a loyal customer, does not have a loyalty card), it can also be deleted.
Deleting the customer record means that the customer will lose their reward points and store credit (prepayments) if they have any. If the customer has purchased any gift cards, these will remain valid; a gift card in Erply does not need to be personalized. Deletion will not affect reports; sales made to that customer will still remain in Erply.
Note that the GDPR only regulates handling the information of natural persons, not companies. A company does not have the right to be forgotten. (However, a company’s contact persons do.)
Whenever you extract data from Erply, you take the responsibility for how the data is subsequently used. This includes:
- Downloading a customer export file;
- Retrieving a customer report;
- Retrieving or synchronizing customer records over API (to some other application).
Ensure that the downloaded files are only handled by trained employees, and deleted as soon as possible. When using the information, the process only those customer records for which you have obtained a reproducible proof of consent (for the given purpose).
Ensure that your webshop uses up-to-date software, that it has been developed using best security practices and that it, too, only uses the data for purposes for which you have obtained consent.
The web shop should allow customers to complete their purchases as “one-time shoppers”. This means that customer’s information must be discarded after the order has been fulfilled. As the easiest solution, let the webshop mark the order with an appropriate comment (eg. “One-time shopper”) and after you have shipped the order and printed an invoice, delete the customer record from Erply.
Erply’s standard functionality is focused on sales and inventory. Erply does not provide bulk emailing (newsletters, offers) or telemarketing features. Neither does Erply actively collect personal information — we just provide facilities for you to enter and store it.
Your company might, of course, be sending newsletters or building customer engagement on your own, or with the help of third parties. Since Erply does not know about the exact nature of these operations, we cannot collect or store customers’ consents for these data processing purposes. This is the responsibility of your company.
Upcoming solutions in Erply
Over the next few months, Erply back office is going to be updated with a few new features, which will mainly reduce the unnecessary display of personal information, and will help manage the data.
Here are a few examples:
- Methods that will help you to review stored customer information and identify the data that is no longer needed. Note that such reviews must be conducted regularly.
- Sales reports (eg. Sales By Customer, Sales By Invoice) will no longer display a natural person’s name, only their anonymous identifier.
- A setting to display only a customer’s anonymous identifier on a receipt printout, or no customer information at all.
On some Erply accounts, the option to remove customer’s name from receipt printout already exists. As an alternative to names, you can also use customer card codes. (However, keep in mind that if your stores are using the National ID as a loyalty card code, this, too, is classified as personal data.)
- Changes to prevent unprivileged users from unnecessarily or accidentally browsing personal data and contact information. (Note that even just seeing the information classifies as an act of data processing, too.)
- Ability to export a customer card in a machine-readable format from Erply back office.
This comes from the fact that customers will have the right to data portability. A customer can request the information they themselves have provided and must be able to transfer it to a different processor. (We’ll note that even though the GDPR encourages interoperability between data processors, there is currently no common standard to automatically transfer a customer record from one system to another. The customer must forward it to another service provider themselves.)
Your data is safe in Erply
Under the GDPR the safety of the data and maintaining the privacy of the data subject is at the top of the priority list. The GDPR expects from the data controllers and processors to implement protection with risk-based approach; Erply has already taken care of all the above.
Erply does not make cuts at the expense of the security. All retailers upon acquiring Erply will be provided with a safe and private environment for their data. Erply does not utilize any cheap hosting providers or shared physical servers using virtual server technology. Instead, after the comprehensive selection process, only the providers that are up to our standards will be selected. Erply believes in strict hardware policies — all the retailers are always provided with physical server space which is renewed at fixed intervals. Each piece of hardware, including hard drives and server equipment, are renewed regularly to assure the retailer that Erply does not wait until something breaks and that the data trusted to Erply is always safe and sound. Even more, all the data in Erply is backed up in a duplicate server in real time. In case of a hardware failure, the retail software is automatically switched to the backup server meaning that no data is lost or process halted meanwhile.
Apart from hardware, Erply also invests highly in top-grade security measures. Nearly 50% of Erply´s budget is spent on diverse safety measures. These include 24/7 traffic monitoring and human controlled data systems, high-security physical locations for data centers, control over physical equipment, encrypted data transfers, detailed auditing, quick-action checklists, strict backup procedures, and acquiring and training of high-level personnel in the field of security.
The data centers we use, are always in the same region where our clients operate. By default, there are no cross-continent data transfers and all the transfers between Erply and the retailer are safe. Transferred data is always encrypted to avoid any malicious activity during the data transfer. Also, Erply allows authorized data transfers only by the retailer in all our solutions and the temporary session access provided upon authorization is frequently updated rendering the possible authorization breach from the retailer´s side useless to malicious activities in no time.