The General Data Protection Regulation (GDPR) is an 88-page document of more than 50,000 words, so we thought you might appreciate some guidance to help make sure you are complying.
You can read the full GDPR here. It becomes law in the UK on 25th May 2018, so you do need to make sure you are compliant fairly quickly. The UK government has also confirmed that the UK’s decision to leave the EU will not affect the commencement of the GDPR.
The GDPR’s focus is the protection, collection and management of personal data (i.e. data about individuals), and it applies to all businesses (including sole traders) that hold or otherwise process the personal data of people in EU Member States.
The good news is that by using Gateway OMS you already tick a lot of the boxes needed.
Custom Gateway customers broadly fit into the GDPR in the following ways:
- Gateway Sites Users are classified as data controllers – they say how and why personal data is processed
- Gateway CPP & Gateway OMS users are generally data processors – they act on the controller’s behalf
- In most cases Custom Gateway are classified as software providers offering services to either data controllers or data processors
- In some cases Custom Gateway may purchase from suppliers on behalf of licensors – those suppliers are then our data processors
GDPR places more stringent legal obligations on you than its predecessor, the Data Protection Act (DPA). You are now required to maintain records of the personal data you collect and of your processing activities, and you carry significantly more legal liability if you are responsible for a breach, so security is important (we can help here). These obligations now apply to your processors too, so it is important to have a contract in place with any data processor – see example contract.
GDPR empowers your customers to control exactly how their data is used. To be compliant you cannot assume what your users want; you have to show how you comply with the principles, for example by documenting the decisions you take about each processing activity.
Detailed below is our 10 point action plan, which you can use as the basis of your compliance. This is not an exhaustive legal document, so you should take further advice if you are unsure about the regulations.
- Have a contract with any data processor – your dropship suppliers – see our standard contract
- Only collect the data you need to process an order – no unnecessary data
- Confirm your data is secure – if you use Gateway OMS see our security statement
- Document how you process personal data and confirm where it is stored – again, if you are using Gateway OMS you should be covered; this article confirms the key facts
- Only share with processors what they need to do their part of the job – do not share a phone number if it is not needed
- Introduce a deletion policy for personal data – this is now a standard feature in Gateway OMS
- Write to your customers if you hold order details online to explain that you are doing this
- Introduce more secure user and password management – delete old user names and ensure password guidelines are followed
- Do not use tick boxes to ask for permission on websites; they are not clear enough – GDPR is all about being transparent
- Make your data & GDPR policies public
This may all seem quite daunting, but if you are a small business (under 250 staff) and you are open, honest and sensible about your data management, the data commissioners and regulators will work with you on any problems that might arise.
In fact, you could consider GDPR a good opportunity to promote your business and your open, responsible and transparent attitude to personal data.