The General Data Protection Regulation (GDPR) is coming, and we have put together some quick get-to-know facts about everything you need to know. This article gives you a basic overview of what the GDPR is, whether it applies to you, how it affects data processing, and how to bring your business processes into compliance with the GDPR using the solutions provided by Erply.

What is the GDPR?

The General Data Protection Regulation (GDPR) will apply across the European Union from May 25th, 2018, which means that every entity that processes personal information must be ready to do so according to the principles stated in the GDPR. The upcoming changes redefine data protection and the concept of personal data to keep pace with the digitalization of personal data in the 21st century. Furthermore, data processing becomes transparent and controllable by both parties. In general, the collection and use of data must be fair, the data subject has control over their data and how it is used, and data must be protected from misuse and breaches in proportion to its sensitivity.

Territorial changes in the GDPR

The GDPR principles will apply to all data controllers in the EU economic area. Furthermore, the GDPR extends the data protection concept to non-EU data controllers that process data of natural persons from the EU economic area.

The new framework will apply to all personal data collected and processed in the EU economic area. This is regardless of whether the data subject is an EU employee or citizen: the protection applies to all people equally. The GDPR also regulates data processing between parties engaged in mutual economic activity, whether the companies are engaged in a corporate activity or are processing the data on behalf of the data controller. All parties engaged in joint processing must be GDPR compliant, and companies in joint collaboration must define the responsibilities of each party.

What does the GDPR mean to Erply retailers?

The GDPR, in general, obliges companies to regulate the processing of personal data more strictly. This means that the data controller (a company using Erply services) is responsible for the following, among other obligations defined in the GDPR:
Retailers are required to know where they are keeping personal data and to provide the necessary protection from possible data breaches, even outside Erply. In Erply, the retailers are responsible for the data processing and for the data they store and manage in all Erply solutions.

Storing sensitive data (called 'special categories of personal data' in the GDPR) in Erply is prohibited. This includes data about health, sexual orientation, racial or ethnic origin, opinions, beliefs, or trade union membership, and biometric data used for identification purposes.

Rights and changes regarding personal data processing

The GDPR will also grant the customer rights over their data and processing.

Data protection breaches and sanction rates

The new data protection regulation will also change how sanctions are imposed for privacy breaches. Controllers that have suffered any sort of privacy breach in which personal data has been damaged or leaked in an identifiable form will have to report the breach to the local supervisory authority without undue delay, within 72 hours of becoming aware of it, and notify the other involved parties about the breach.

In case of failure to comply with the GDPR, the supervisory authority may apply fines of up to 4% of global turnover or 20 M €, or up to 2% of global turnover or 10 M €, depending on the type of non-compliance. Overall, monetary sanctions will increase roughly 80-fold.

Your company and Erply

Within the scope of the GDPR, Erply is a data processor. Erply provides a platform for storing customer information, but Erply itself does not acquire or process it on its own. Your organization is the data controller. The European Commission publishes a more detailed definition of the two terms.

Here are three things to keep in mind:

The GDPR gives customers the right to request removal of their data. If such a request is submitted, first ensure that the customer does not have any unpaid invoices or a non-zero balance. (A due balance is a valid reason for retaining the customer's contact information.) There are two alternatives for fulfilling the request. The indicated contact information, e.g. an email address, phone number, or birthday, can simply be removed from the customer card. However, if the customer record does not need to be retained (the customer is not a loyal customer and does not have a loyalty card), it can also be deleted.
Deleting the customer record means that the customer will lose their reward points and store credit (prepayments), if they have any. If the customer has purchased any gift cards, these will remain valid; a gift card in Erply does not need to be personalized. Deletion will not affect reports; sales made to that customer will still remain in Erply.
Note that the GDPR only regulates the handling of information about natural persons, not companies. A company does not have the right to be forgotten. (However, a company's contact persons do.)
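The decision rules above, as an added illustration that is not Erply's own code and does not call the Erply API; the Customer record, its field names and the sample data are assumptions made for this example:

```python
from dataclasses import dataclass, field


@dataclass
class Customer:
    """Hypothetical customer card; field names are assumed, not Erply's schema."""
    customer_id: int
    is_company: bool
    balance: float            # amount still owed by the customer
    unpaid_invoices: int
    has_loyalty_card: bool
    reward_points: int
    store_credit: float
    contact: dict = field(default_factory=dict)  # email, phone, birthday, ...


def handle_erasure_request(c: Customer) -> dict:
    """Decide how to fulfil a right-to-erasure request for one customer card.

    Order of checks follows the text: companies are out of scope, a due
    balance justifies retention, a loyal customer keeps the record but loses
    the contact fields, everyone else is deleted outright.
    """
    if c.is_company:
        return {"action": "refuse", "reason": "companies have no right to be forgotten"}
    if c.unpaid_invoices > 0 or c.balance != 0:
        return {"action": "retain", "reason": "unpaid invoices or non-zero balance"}
    if c.has_loyalty_card:
        cleared = sorted(c.contact)
        c.contact = {}            # keep the card, drop the identifying contact data
        return {"action": "remove_contact_fields", "cleared": cleared}
    # Full deletion: reward points and store credit are forfeited; gift cards
    # already sold stay valid and past sales remain in reports (not touched here).
    return {"action": "delete_record",
            "forfeited": {"reward_points": c.reward_points,
                          "store_credit": c.store_credit}}


# Constructed sample cards covering each branch.
SAMPLE = [
    Customer(1, False, 0.0, 0, False, 120, 15.0, {"email": "a@example.test"}),
    Customer(2, False, 49.9, 1, False, 0, 0.0, {"phone": "+000"}),
    Customer(3, False, 0.0, 0, True, 300, 0.0, {"email": "c@example.test", "birthday": "1990-01-01"}),
    Customer(4, True, 0.0, 0, False, 0, 0.0, {"email": "office@example.test"}),
]


def process_all(cards=SAMPLE) -> dict:
    """Map customer_id to the decided action for a batch of requests."""
    return {c.customer_id: handle_erasure_request(c) for c in cards}
```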
 
Whenever you extract data from Erply, you take responsibility for how the data is subsequently used. This includes the following:
Ensure that downloaded files are only handled by trained employees and are deleted as soon as possible. When using the information, process only those customer records for which you have obtained reproducible proof of consent (for the given purpose).
Ensure that your webshop uses up-to-date software, that it has been developed using best security practices, and that it, too, only uses the data for purposes for which you have obtained consent.
The webshop should allow customers to complete their purchases as "one-time shoppers". This means that the customer's information must be discarded after the order has been fulfilled. The easiest solution is to let the webshop mark the order with an appropriate comment (e.g. "One-time shopper") and, after you have shipped the order and printed an invoice, delete the customer record from Erply.
 
Erply's standard functionality is focused on sales and inventory. Erply does not provide bulk emailing (newsletters, offers) or telemarketing features. Neither does Erply actively collect personal information; we just provide facilities for you to enter and store it.
Your company might, of course, be sending newsletters or building customer engagement on your own, or with the help of third parties. Since Erply does not know the exact nature of these operations, we cannot collect or store customers' consents for these data processing purposes. This is the responsibility of your company.

Upcoming solutions in Erply

Over the next few months, Erply back office is going to be updated with a few new features, which will mainly reduce the unnecessary display of personal information and help manage the data. Here are a few examples:
On some Erply accounts, the option to remove the customer's name from the receipt printout already exists. As an alternative to names, you can also use customer card codes. (However, keep in mind that if your stores are using the National ID as a loyalty card code, this, too, is classified as personal data.)
This comes from the fact that customers will have the right to data portability. A customer can request the information they themselves have provided and must be able to transfer it to a different processor. (Note that even though the GDPR encourages interoperability between data processors, there is currently no common standard to automatically transfer a customer record from one system to another. The customer must forward it to another service provider themselves.)

Your data is safe in Erply

Under the GDPR, the safety of the data and the privacy of the data subject are at the top of the priority list. The GDPR expects data controllers and processors to implement protection using a risk-based approach; Erply has already taken care of all of the above.
Erply does not cut corners at the expense of security. All retailers acquiring Erply are provided with a safe and private environment for their data. Erply does not use cheap hosting providers or shared physical servers running virtual server technology. Instead, after a comprehensive selection process, only providers that meet our standards are selected. Erply believes in strict hardware policies: all retailers are always provided with physical server space, which is renewed at fixed intervals. Each piece of hardware, including hard drives and server equipment, is renewed regularly, so that Erply does not wait until something breaks and the data entrusted to Erply is always safe and sound. Moreover, all data in Erply is backed up to a duplicate server in real time. In case of a hardware failure, the retail software automatically switches to the backup server, meaning that no data is lost and no process is halted in the meantime.
Apart from hardware, Erply also invests heavily in top-grade security measures. Nearly 50% of Erply's budget is spent on diverse safety measures. These include 24/7 traffic monitoring and human-controlled data systems, high-security physical locations for data centers, control over physical equipment, encrypted data transfers, detailed auditing, quick-action checklists, strict backup procedures, and the recruitment and training of high-level security personnel.
The data centers we use are always in the same region where our clients operate. By default, there are no cross-continent data transfers, and all transfers between Erply and the retailer are protected. Transferred data is always encrypted to prevent tampering or interception during transfer. Also, Erply allows authorized data transfers only by the retailer in all our solutions, and the temporary session access granted upon authorization is refreshed frequently, so that a compromised session on the retailer's side quickly becomes useless for malicious activity.