GDPR: What it is & what Brightpearl is doing in response to it

In recent months, there’s been a lot of discussion around GDPR. The various articles and videos you will have seen have been very much centered on what businesses are required to change in order to be GDPR compliant; you may even have seen our own take on what retailers need to know about GDPR.

As a service provider, it’s important that we help our customers in their preparations for GDPR, so in this article, we’re tackling an important question that our own customers have had for us – what is Brightpearl doing in response to GDPR? 

What is GDPR?

But first, let’s ensure we’re all on the same page as to what GDPR actually is.

The General Data Protection Regulation (GDPR) is a new European privacy regulation which replaces the current EU Data Protection Directive. The GDPR aims to strengthen the security and protection of personal data in the EU and standardizes EU data protection law. It applies to any organization operating in the EU or processing the personal data of EU residents.

One of the key aspects of the GDPR is that it creates consistency across the EU for how personal data can be processed, used, and exchanged securely. Organizations need to demonstrate the security of the data they are processing and their compliance with GDPR on a continual basis, by implementing and regularly reviewing robust technical and organizational measures, as well as compliance policies.

What is Brightpearl doing in response to GDPR?

We’re committed to being GDPR compliant before the effective date of May 25, 2018. This means we’ll be making changes to both the SaaS product we provide and to our internal business tools and processes. 

1. Product changes

We’ve carried out a thorough analysis of our software, as we process data on behalf of our customers. We know that you’re all carrying out similar analyses of your tools and systems so we’re making changes to Brightpearl to support you through your own compliance activities in our role as data processor.

A key change under GDPR’s ‘Right to access’ is that data controllers are required to provide a copy of a data subject’s personal data on request. Brightpearl will be updated to allow merchants to very easily download a customer’s data in just a few clicks.

Another significant change is the ‘Right to be forgotten’, also known as data erasure. This entitles the data subject (i.e. consumer) to have the data controller erase his or her personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data as well. Brightpearl allows you to forget a contact, again with just a few clicks.

We’ve also updated our MailChimp integration to make use of their double opt-in process. You can learn more about the Brightpearl product within our help documentation.

2. Business changes

We’ve also conducted an analysis of the tools and systems we use to do business, and are making further changes to ensure we’re compliant in our role as data controller, according to the principles contained in Article 5:

• Lawfulness, fairness and transparency – Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject.
• Purpose limitation – Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
• Data minimization – Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
• Accuracy – Personal data shall be accurate and, where necessary, kept up-to-date.
• Storage limitation – Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
• Integrity and confidentiality – Personal data shall be processed in a manner that ensures appropriate security of the data, including protection against unauthorized or unlawful processing against accidental loss, destruction or damage, using appropriate technical or organizational measures.
• Accountability – The controller shall be responsible for, and be able to demonstrate compliance with the GDPR.

May 2018 Update

We’ve updated our Privacy Policy and Ts & Cs to reflect the changes we’ve made due to GDPR.

And we now have new features in Brightpearl:

• Forgetting a contact 
• Double opt-in for MailChimp 

To stay informed of more product changes being implemented, keep an eye on upcoming release notes.