What is the GDPR?

The General Data Protection Regulation (GDPR) is a regulation in EU law on data protection and privacy for all individuals within the European Union. It also addresses the export of personal data outside the EU. The GDPR aims primarily to give control to citizens and residents over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.

It was adopted on 14 April 2016 and, after a two-year transition period becomes enforceable on 25 May 2018. The GDPR replaces the 1995 Data Protection Directive.

Source: Wikipedia

GDPR aims to make data protection regulations:

More relevant

Updating EU data protection standards to make them more suitable for today’s world.

More comprehensive

Remedying some of the perceived deficiencies of the current Data Protection Directive.

More unified

Achieving a better, more harmonised standard of data protection throughout the EU.

What does the GDPR change?

GDPR means significant change, but it’s a great opportunity for companies to take stock of their current data processing activities and make sure they’re protecting customer data appropriately.

Demonstrable compliance

While many organisations already do the right thing when it comes to personal data, GDPR requires organisations to document and be able to show how they comply with data protection requirements. This means additional documentation of systems, processes, and procedures.

Enhanced rights

On top of existing rights in the EU, like the right to access and correct personal data held by an organisation, GDPR introduces new data protection rights for individuals such as the right to obtain and reuse personal data across different services, and the right of erasure.

Privacy by design

Organisations must implement technical and organisational measures to show they have considered and integrated data compliance measures into their data processing activities. This builds on the idea that privacy should be considered from the start (and throughout) the systems and product design process.

What is The EPOS Bureau doing about the GDPR?

From as far back as 2017, we embarked on a programme to identify which measures we needed to implement to be compliant. We have already added a number of new procedures and processes to address things like data handling and storage and we have ensured that the new regulation remains central to our operation long past the 28th May 2018.

Here's a summary of what we've done to date:

We conducted a comprehensive GDPR audit and gap assessment. Following the gap assessment, we created an internal roadmap to work towards compliance across software development, support services, finance, and admin.
Our software and support teams have identified necessary changes/improvements to our products and we are working hard to implement those including procedures to deal with some key data subject rights, like subject access requests and the right to request deletion.
We conducted a comprehensive data encryption exercise that considered several robust options for further securing data 'at rest' in your database and are in the process of finalising our rollout plan.
We have carefully considered our existing workflows regarding the transfer of data backups, import spreadsheets, and other sensitive digital formats, to our site. As a result, we have implemented a new 'Data Processing Register' so that we can log sensitive information into and out of our network whilst processing as part of a support request or as part of setting up a new customer site. This will also be governed by an additional internal audit.
We have created secure internal storage 'sandboxes' to further limit access to customer data only to those who require access to it for the purposes of the job required. (E.g Data Import).
We have added additional layers of encryption and password security for our Online Backup module.
We are also committed to working in parallel with existing customer IT resources to perform 'belt-and-braces' checks on matters, including, but not limited to:
- Network Firewalls
- User Permissions
- O/S Security Patches
- Database Engine 'Discovery'
- Database User Access
We have updated our Privacy Policy to ensure it is GDPR compliant as well as using more clear, concise and transparent language about how we process personal data.

FAQ

Can we (and should we) store customer loyalty email marketing preferences in Eureka™?

There are two issues for consideration here.

Firstly, there is the matter of having 'proof' that you have your customer's consent to email them marketing information such as new products, promotions, and events, etc. in the first place. Secondly, there is the matter of how you might use tools within Eureka™ to create market segments so as to allow you to address customers for whom your email content may be of genuine interest.

To deal with the first, we recommend you use the inbuilt functionality in your marketing tool (e.g MailChimp) to solicit and store the consent you need from your customers. This will inevitably include the I.P. Address they had when they gave their consent and the date and time it was given. MailChimp, for example, has also recently added support for GDPR-specific fields to help you get the right message across to your customers.

In respect to the segmentation you may do inside Eureka™ we are happy to add an additional field to your customer profile to allow you to mirror the permission that you have been granted and file within your email marketing tool. This then makes it more straightforward for you to respect the wishes of your customer when you are creating target segments for marketing purposes.

Further Questions?

If you have any further questions regarding GDPR, in the context of Eureka™, then please feel free to make contact with our GDPR Team and we will do our very best to get you the information you require.

Additional Resources

Here are a number of links to more information relating to the GDPR which you may find useful.

General Data Protection Regulation