The General Data Protection Regulation (GDPR) is coming, and we have put together some quick get-to-know facts about everything you need to know. This article gives you a basic glimpse of what the GDPR is, whether it applies to you, how it affects data processing and how to bring your business processes into compliance with the GDPR when using Ektaco's products: CompuCash, CompuAccess or Argos.
What is the GDPR?
The General Data Protection Regulation (GDPR) will apply across the European Union from May 25th, 2018, which means that every entity that processes personal information must be ready to do so according to the principles stated in the GDPR. The upcoming changes redefine data protection and the concept of personal data to keep pace with the 21st-century digitalization of personal data. Furthermore, data processing becomes transparent and controllable by both parties. In general, the collection and use of data must be fair, the data subject has control over their data and how it is used, and data must be protected from misuse and breaches in proportion to its sensitivity.
Note that the GDPR only regulates the handling of information about natural persons, not companies. A company does not have the right to be forgotten. (However, a company's contact persons do.)
Rights and changes regarding personal data processing
The GDPR also grants customers rights over their data and its processing.
- Any person has the right to be forgotten. The data controller must delete or anonymise the data if the customer asks for it and no lawful grounds for further processing override the customer's wish.
- Personal data is portable. The customer has the right to request a copy of their personal data and to move it to another controller.
- Any person has the right to withdraw consent they have given and to consent only to those purposes that are minimally required to receive the service or goods.
- Automated decisions (profiling) can be objected to where they may have a significant impact on the customer's rights. The customer also has the right to know how decisions are derived from their data and, alternatively, to have the decision made by manual processing.
- Inaccurate data must be corrected. The customer can request inaccurate or outdated data to be rectified under certain conditions; the conditions are detailed in the GDPR.
Data protection breaches and sanction rates
The new regulation also changes how sanctions are imposed for privacy breaches. A controller that has suffered a privacy breach in which personal data has been damaged or leaked in any identifiable form must report the breach to the local supervisory authority without undue delay, within 72 hours of becoming aware of it, and notify the other involved parties.
In case of failure to comply with the GDPR, the supervisory authority may impose fines of up to 4% of global turnover or €20 million, or up to 2% of global turnover or €10 million, depending on the type of non-compliance. Overall, monetary sanctions increase roughly 80-fold.
Your company and Ektaco
Within the scope of the GDPR, Ektaco is a data processor. Ektaco provides a platform for storing customer information, but does not itself acquire or process that information on its own behalf. Your organisation is the data controller. The European Commission provides a more detailed definition of the two terms.
Ektaco's employees have committed, by signing their employment contracts and internal rules, to keep confidential all information and data of Ektaco's customers, including financial data, organisation of work and personal data. This also covers personal data in the databases of Ektaco's customers, which may be processed only according to GDPR rules and copied or moved only through encrypted channels.
What does the GDPR mean to CompuCash and CompuAccess clients of Ektaco?
The GDPR, in general, obliges companies to tighten and more strictly regulate the processing of personal data. This means that the data controller (a company using CompuCash POS, CompuAccess or other Ektaco solutions) is responsible for the following, among other obligations defined in the GDPR:
- Personal data must be reasonably up to date and accurate. Processing inaccurate data is prohibited under the GDPR. Keep that in mind when gathering data for loyalty cards from your customers and when handling the personal data of your employees.
- From the CompuCash loyalty card reports you can export the cards issued earlier than … and e-mail the cardholders to check whether their data is accurate.
- In CompuAccess and Argos you can keep employee data up to date through the employees menu.
- Personal data must be collected and used only for agreed purposes of which the customer (data subject) has been informed and to which they have consented. If the purposes change or new purposes appear, consent must be obtained again. For sensitive data and direct marketing, consent must be requested from the customer explicitly for that use. The GDPR requires all companies to review their data and to renew consent or delete customer data where the existing permissions are not valid under the GDPR.
- To anonymise client data in CompuCash, delete the client's name and replace it with something like firstname.lastname. Also delete the client's birth date, phone number and address if you have gathered that information.
- The GDPR gives customers the right to request removal of their data. If such a request is submitted, first ensure that the customer has no unpaid invoices or non-zero balance. (An outstanding balance is a valid reason for retaining all of the customer's contact information.)
- Deleting the customer record means that the customer loses their reward points and store credit (prepayments), if they have any. Gift cards the customer has purchased remain valid; a gift card in CompuCash does not need to be personalized. Deletion does not affect reports; sales made to that customer remain in CompuCash.
- An employee has the right to see the data gathered about them and to demand that inaccurate data be removed or corrected. The employer must guarantee that the data is processed according to the GDPR.
- Data has a shelf life, defined either by a date or by a condition. When the customer has revoked consent or the lawful basis for holding the personal data has lapsed, the data must be deleted or anonymised. Where a fixed deletion date cannot be set, the conditions must be reviewed regularly.
- In CompuCash, find the time of issue of the loyalty cards and the time of the last purchase in the loyalty card report.
- In CompuAccess and Argos you can delete employee data through the employees menu.
- Any claims filed by customers must be addressed within 30 days, without undue delay.
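As an added illustration (not Ektaco's code and not the CompuCash API; the record fields, the placeholder name and the review threshold are assumptions), the following Python encodes the erasure and shelf-life rules listed above: a request is held while a balance or invoice is open, otherwise the name is replaced and birth date, phone and address are dropped while the record (and thus the sales history) is kept, and loyalty cards idle beyond a chosen period are flagged for review.

```python
# Added illustration (not Ektaco's code/API); field names and threshold are assumptions.
from dataclasses import dataclass, replace
from datetime import date
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Customer:
    customer_id: int
    name: str
    birth_date: Optional[date]
    phone: Optional[str]
    address: Optional[str]
    balance: float          # non-zero balance blocks erasure
    unpaid_invoices: int    # open invoices block erasure
    reward_points: int      # forfeited on erasure
    store_credit: float     # prepayments, forfeited on erasure
    card_issued: date
    last_purchase: Optional[date]

def can_erase(c: Customer) -> bool:
    # A due balance or open invoice is a lawful ground to keep contact data.
    return c.unpaid_invoices == 0 and c.balance == 0

def anonymise(c: Customer) -> Customer:
    # Neutral placeholder name; birth date, phone and address removed.
    # Points and store credit are lost; sales records are kept elsewhere.
    return replace(c, name="firstname.lastname", birth_date=None, phone=None,
                   address=None, reward_points=0, store_credit=0.0)

def handle_erasure_request(c: Customer) -> Tuple[str, Customer]:
    if not can_erase(c):
        return "retained_due_balance", c   # settle first, then erase
    return "anonymised", anonymise(c)

def cards_due_for_review(customers, today: date, max_idle_days: int) -> List[int]:
    # Shelf-life check by condition: no purchase within the review period
    # (threshold is an assumed configurable value; unused cards count from issue).
    due = []
    for c in customers:
        last = c.last_purchase or c.card_issued
        if (today - last).days > max_idle_days:
            due.append(c.customer_id)
    return due

# Constructed sample records, not real data.
SAMPLE = [
    Customer(1, "Mari Maasikas", date(1985, 3, 2), "+372 5000 0000", "Tallinn",
             0.0, 0, 120, 5.0, date(2015, 6, 1), date(2016, 1, 10)),
    Customer(2, "Jaan Tamm", date(1979, 9, 9), "+372 5000 0001", "Tartu",
             -12.5, 1, 0, 0.0, date(2017, 11, 20), date(2018, 2, 1)),
]
```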
Companies are required to know where they keep personal data and to protect it against possible breaches, also outside CompuCash. In CompuCash, the restaurants, shops, etc. are responsible for data processing and for the data they store and manage in all CompuCash solutions.
Storing sensitive data (called ‘special categories of personal data’ in the GDPR) in CompuCash is prohibited. This includes data about health, sexual orientation, racial or ethnic origin, opinions, beliefs or trade union membership, and biometric data used for identification purposes. Ektaco offers an option to use fingerprints in CompuAccess. We use technology provided by Suprema that, for security reasons, does not store any images of fingerprints, so it is impossible to recreate the fingerprint from the stored combination of numbers. Before generating these codes from your employees' fingerprints, make sure you have their written permission to do so.
Whenever you extract data from CompuCash or CompuAccess, you take the responsibility for how the data is subsequently used. This includes:
- Downloading a customer export file;
- Retrieving a customer report;
- Retrieving or synchronizing customer records over API (to some other application).
Ensure that downloaded files are handled only by trained employees and deleted as soon as possible. When using the information, process only those customer records for which you hold reproducible proof of consent for the given purpose.
Ensure that your e-shop uses up-to-date software, that it has been developed using best security practices and that it, too, uses the data only for purposes for which you have obtained consent. The e-shop should allow customers to complete their purchases as “one-time shoppers”. This means that the customer's information must be discarded after the order has been fulfilled.
The standard functionality of CompuCash is focused on sales and inventory. CompuCash does not provide bulk emailing (newsletters, offers) or telemarketing features. Neither does CompuCash actively collect personal information — we just provide facilities for you to enter and store it.
Your company might, of course, be sending newsletters or building customer engagement on your own or with the help of third parties. It is your responsibility to have obtained customers’ consent for these data processing purposes. You can record a client's preferences in CompuCash POS under the client’s data, and in Office under Sales Manager – loyalty cards, by ticking whether the client wishes to receive information and offers via e-mail and/or SMS.
Your data is safe in Ektaco products
Ektaco stores its customers’ data on Telia cloud servers in Telia's server rooms located in Estonia (https://www.telia.ee/ari/it/serverid/pilveserver). Access to the services is available only to Ektaco’s maintenance personnel, for the purpose of serving a specific customer, and is granted through the respective authorisation codes. Data exchange between Ektaco’s programme and Telia's server room is encrypted. Backups are made to central cloud storage in Telia's server room, and data can be restored to a state from up to three months back.
IT security is Ektaco's top priority. We renew our tools constantly and adopt up-to-date, more secure software and hardware.
Further data from: Rain Ruven, mobile +372 508 0090, phone +372 639 7944