In recent months, there’s been a lot of discussion around GDPR. The various articles and videos you will have seen have been very much centered on what businesses are required to change in order to be GDPR compliant; you may even have seen our own take on what retailers need to know about GDPR.
As a service provider, it’s important that we help our customers in their preparations for GDPR, so in this article, we’re tackling an important question that our own customers have had for us - what is Brightpearl doing in response to GDPR?
What is GDPR?
But first, let’s ensure we’re all on the same page as to what GDPR actually is.
The General Data Protection Regulation (GDPR) is a new European privacy regulation which replaces the current EU Data Protection Directive. The GDPR aims to strengthen the security and protection of personal data in the EU and standardizes EU data protection law. It applies to any organization operating in the EU or processing the personal data of EU residents.
One of the key aspects of the GDPR is that it creates consistency across the EU for how personal data can be processed, used, and exchanged securely. Organizations need to demonstrate the security of the data they are processing and their compliance with GDPR on a continual basis, by implementing and regularly reviewing robust technical and organizational measures, as well as compliance policies.
What is Brightpearl doing in response to GDPR?
We’re committed to being GDPR compliant before the effective date of May 25, 2018. This means we’ll be making changes to both the SaaS product we provide and to our internal business tools and processes.
1. Product changes
We’ve carried out a thorough analysis of our software, as we process data on behalf of our customers. We know that you’re all carrying out similar analyses of your tools and systems so we’re making changes to Brightpearl to support you through your own compliance activities in our role as data processor.
A key change under GDPR’s ‘Right to access’ is that data controllers are required to provide a copy of a data subject’s personal data on request. Brightpearl will be updated to allow merchants to very easily download a customer’s data in just a few clicks.
Another significant change is the ‘Right to be forgotten’, also known as data erasure. This entitles the data subject (i.e. consumer) to have the data controller erase his or her personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data as well. Brightpearl will allow you to forget a contact, again with just a few clicks.
We’ll also be making further updates as the effective date approaches, such as updating our MailChimp integration to make use of their double opt-in process. More on this will follow on our help pages as these changes are implemented.
2. Business changes
We’ve also conducted an analysis of the tools and systems we use to do business, and are making further changes to ensure we’re compliant in our role as data controller, according to the principles contained in Article 5:
- Lawfulness, fairness and transparency - Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject.
- Purpose limitation - Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
- Data minimization - Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
- Accuracy - Personal data shall be accurate and, where necessary, kept up-to-date.
- Storage limitation - Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
- Integrity and confidentiality - Personal data shall be processed in a manner that ensures appropriate security of the data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.
- Accountability - The controller shall be responsible for, and be able to demonstrate compliance with, the GDPR.
As mentioned, we’re intent on making each of these changes in advance of the GDPR effective date. To stay informed of exactly when these changes have been implemented, keep an eye on upcoming release notes.