GDPR and POS

Some of the GDPR regulations are a little vague to say the least and often open to interpretation, so we have put this article together so that you have at least one other view of them to help you weigh up how the changes may affect you and your business. You should first visit the ICO website and read the regulations yourself as ultimately it is your decision how you interpret them and implement changes to meet them.

What is GDPR?

The General Data Protection Regulation (GDPR) is a legal framework that defines guidelines for the collection and processing of personal data relating to individuals within the European Union. Its aim is to ensure that we as businesses only collect and process data that is required, have a valid legal reason for collecting it, look after it while we have it and only process it in agreed ways. The regulations also seek to further define and enforce the rights of data subjects to be both as informed and in control of data held by others as possible.

What is meant by "personal data"?

Applies to personal data (as opposed to data pertaining to a business or organization) meaning any information relating to an identifiable person, for example: a name, address, identification number or online identifiers like IP addresses, etc.

What is meant by the "processing" of data?

The term "processing" is very broad indeed and basically means anything that is done to, or with, personal data including the acts of collecting it, storing it and sharing it.

Which role do you play?

You have different responsibilities dependant on which of the two roles referred to in the guidelines you play. The two roles are Controller and Processor, though you can be both or indeed neither. Deciding which role you play is therefore a very important consideration.

A Data Controller is basically the person/entity that decides to collect/process the data (for example asking a shopper for their contact details in a store so that you can send them promotions) and usually also decides the method used to process the data. If you are running a physical shop or online shop that processes personal data you will take the role of Data Controller as it will be your decision to harvest and process that data in the course of successfully running your business.

A Data Processor is a person or entity that is instructed or allowed by the Controller to receive, gain access to, or do something with that data. A Data Processor is only allowed to process data in accordance with a legal agreement between them and a Data Controller. An example of a Data Processor therefore may be a marketing firm employed by a Data Controller to contact customers.

How may it affect retailers?

In a modern retail store it is almost impossible to avoid processing personal data through your chosen POS system or e-commerce website.

E-commerce channels, Loyalty schemes, Customer Store Accounts and Gift Cards requiring registration will all usually entail processing customers’ data. Additionally many businesses routinely request customers’ contact details for promotional use.

Not utilizing essential features, such as those mentioned above, would be giving away a big advantage to your competition. Rather than allowing the changes to hinder your business we recommend embracing the new regulations and using the fact you have done so as another feather in your cap.

How can POS help?

To make it easier for you to comply with the new regulations we have added some new features to our POS and Back Office software offerings.

These include: Encryption of data held in databases used by the software, Password protection of databases used by the software, SSL encryption of our linked e-commerce offering, GDPR notices on our linked e-commerce offering and features relating to the deletion/anonymising of certain data.

We have also put together some advice highlighting existing features and best practices that may assist you in your efforts.