On the 25th of May 2018, a European privacy law, the General Data Protection Regulation (GDPR), is due to take effect. The GDPR imposes new rules on companies, government agencies, non-profits, and other organisations that offer goods and services to people across the European Union (EU), or that collect and analyse data tied to EU residents. The GDPR applies no matter where you or your organisation are located.
This initiative sets a new standard globally for the treatment of PERSONAL information held on citizens of the EU. At the time of writing this document, Great Britain is part of the EU.
The full text of the GDPR regulation can be found here.
Does the GDPR regulation relate to my business?
If you control or process the personal data of any EU citizens; whether they be your employees, employees of suppliers, customers, or prospective customers, the answer is yes!
Regardless of what system or 3rd party provider processes or manages your personal data files the onus is on you to enforce GDPR compliancy.
What are the implications for my business?
In a nutshell GDPR significantly increases the obligations and responsibilities for organisations and businesses in how they collect, use and protect personal data. Businesses are required to be fully transparent about how they are using and safeguarding PERSONAL data, and they must demonstrate accountability of their processing activities.
The GDPR regulation gives data protection authorities more robust powers to tackle non-compliance, including significant administrative fining capabilities of up to €20m (or 4% of total annual global turnover, whichever is greater) for the most serious infringements.
The GDPR also makes it considerably easier for individuals to bring private claims against data controllers (i.e. businesses, public authorities etc) when their data privacy has been infringed, and allows data subjects who have suffered non-material damage as a result of an infringement to sue for compensation.
What steps should I take to make my business GDPR compliant?
The table below outlines our interpretation of the rights of individuals under the GDPR regulation and what organisations will be required to do to facilitate compliancy.
Important Note: Organisations required to appoint a DPO include public authorities, organisations whose activities involve the regular and systematic monitoring of data subjects on a large scale, or organisations who process what is currently known as sensitive personal data on a large scale. If you believe your organisation to require a DPO, please seek appropriate legal advice.
The Data Protection Commissioner have recommended that organisations take the following 12 steps to ensure their business is GDPR ready for the May 25th deadline. These steps are briefly described below.
- Becoming Aware – Review and enhance your organisation’s risk management processes – identify problem areas now.
- Becoming Accountable – Make an inventory of all data you hold. Why do you hold it? Do you still need it? Is it safe?
- Communicating with Staff and Customers – Review all your data privacy notices and make sure you keep your customers fully informed about how you use their data.
- Personal Privacy Rights – Ensure your procedures cover all the rights individuals are entitled to, including deletion and data portability.
- Access Requests – Plan how you will handle requests within the new timescales – requests must be dealt with within 1 month.
- Lawful Basis for Processing Personal Data – Are you using consent, legitimate interests or legal entitlement to collect and process the data? Do you meet the standards of GDPR?
- Consent – Review how you seek, obtain and record consent, and whether you need to make any changes to be GDPR ready.
- Processing Children’s Data – Do you have adequate systems in place to verify individuals ages and gather consent from guardians?
- Data Protection by Design and Data Protection Impact Assessments – GDPR enshrines the principles of ‘privacy by design’ and ‘privacy by default’ in law. This means that service settings must be automatically privacy friendly, and requires that the development of services and products takes account of privacy considerations from the outset.
- Reporting Data Breaches – Are you ready for mandatory breach reporting? Make sure you have the procedures in place to detect, report and investigate a data breach.
- Data Protection Officer – Find out if you will be required to appoint a DPO. If so make sure it’s someone who has the knowledge, support and authority to do the job effectively.
- Cross Border Processing – GDPR includes the one stop shop mechanism, which will be in place for organisations that are engaged in cross-border processing. Identify where your main establishment in the EU is located to identify your lead supervisory authority.
To find out more about GDPR compliancy and the 12 steps noted above we would urge you to visit the Data Protection Commissioners website on the topic http://gdprandyou.ie/ (Ireland) and www.ico.org.uk (UK)
B2B & GDPR
Needless to say – all business to business transactional information must be stored for tax and audit purposes.
When it comes to marketing to individuals that you do not have a business relationship with, there are some things to consider. The new regulation says marketers have to get prior consent before they start marketing to them i.e. someone has to confirm they’ve agreed to your marketing communications before marketing are allowed to send them any emails or text messages. Which is a tough ask. Particularly for those sales teams that rely on outbound marketing to drive new leads to their pipeline.
It has been commented on by many in the legal system that having an OPT OUT option will cover you against GDPR in a b2b context. This does however assume that when you collected the data from the individual that they were offered an opt in / out of your newsletter or other marketing materials.
What role should my business management/ERP software provider play?
Your business software provider should facilitate GDPR compliancy but only you can make your business GDPR compliant.
This is an extremely important point. Your software provider should assist you in meeting your GDPR obligations, however the regulation puts the onus on each business to ensure all employees are enforcing GDPR compliancy as they input, access, manage and store personal data of EU citizens; whether that be in electronic or paper format.
What are Intact Software doing to help our customers meet their GDPR obligations?
Whilst Intact is committed to GDPR compliance across all our products, services and ways of working as a business in our handling of personal information it must be remembered that a piece of software cannot enforce GDPR compliancy. Only you & your employees can make your organisation GDPR compliant. Intact Software will however provide you with the tools to assist you in this endeavour.
The Intact team have been making the necessary development changes to your Intact Software system (listed below) to ensure you can facilitate compliance with the new GDPR regulation for the 25th of May or shortly thereafter depending on individual company requirements.
Your Intact system will assist you in ensuring your staff are dealing with members of the general public who are EU citizens in a GDPR compliant fashion.
Business to Business transactions must be retained and recorded in line with revenue requirements, however as noted above business contacts and general business contact information are not considered to be PERSONAL data and fall outside the scope of the current GDPR regulation. This only applies if you record information solely for business purposes.
In the interest of transparency Intact recommends that all businesses should produce a document that informs all of your customers of how your organisation handles and processes data.
Intact Software GDPR Compliancy Features
The following GDPR compliancy features will be included in our upcoming software release
- GDPR Protect – Within all Intact Software products you can configure specific data retention policies for your organisation. For example, you can configure prompts to be activated at the point of sale where your staff are prompted to confirm that they have given customers your GDPR policy. You can also include prompts for cash customers where you ask would they like their personal data to be saved, if they wish their data to be purged after a certain period and whether they wish to opt-in to receive marketing communications.
- Obfuscate Personal Data – Where customers refrain from providing consent your Intact Software system will store the transaction but all of the personal data related to the data subject will be deleted and replaced with the statement GDPR protected.
- Export Data – Individuals have a right to request a copy of the personal data you hold on file for them. Within your Intact Software system there will be an Export Data option for each personal data record. By pressing this button it will present the user with the option to print, email or export to a file – all the personal data that is stored on that record.
It should be noted that all data contained within all Intact Software products is protected by username and password at the application layer i.e. only employees of the company can access this information and only when afforded access to it by management.
The above noted GDPR compliancy features will be made available in our next software release for all Intact Software customers. Customers will be informed of this release date shortly. To support this release, we will send out an explainer video which will demonstrate where these GDPR features can be found and how they can be used.
If you are not an Intact customer it’s time to speak to your current software provider and ask them to demonstrate how their software facilitates GDPR compliancy before the regulation comes into force on the 25th of May.
Disclaimer
This document regarding GDPR is as Intact Software interprets it, as of the date of publication.
GDPR is highly fact-specific, and not all aspects and interpretations of GDPR are well-settled. We’ve spent a lot of time with GDPR and like to think we’ve been thoughtful about its intent and meaning.
As a result, this document is provided for informational purposes only and should not be relied upon as legal advice or to determine how GDPR might apply to you and your organization. All organisations that process data need to be aware that the General Data Protection Regulation will apply directly to them. The responsibility to become familiar with the Regulation and comply with its provisions from 25th May 2018 onwards therefore lies with the organisation. We encourage you to work with a legally qualified professional to discuss GDPR, how it applies specifically to your organisation, and how best to ensure compliance.
INTACT MAKES NO WARRANTIES, EXPRESS, IMPLIED, OR STATUTORY, AS TO THE INFORMATION IN THIS ARTICLE.
This article is provided “as-is”. Information and views expressed within, including references, and may change without notice.