With the new General Data Protection Regulation taking effect on 25 May 2018, here we’ve shared some information on what it is, how it will affect you and what we are doing to support you.
What is GDPR?
The General Data Protection Regulation (GDPR) is a regulation in EU law on data protection and privacy for all individuals within the European Union. It also addresses the export of personal data outside the EU. The GDPR aims primarily to give control to citizens and residents over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.
It was adopted on 14 April 2016 and, after a two-year transition period, becomes enforceable on 25 May 2018. The GDPR replaces the 1995 Data Protection Directive.
GDPR aims to improve data protection regulation by:
- Updating EU data protection standards to make them more suitable for today’s world
- Remedying some of the perceived deficiencies of the current Data Protection Directive
- Achieving a better, more harmonised standard of data protection throughout the EU
What does GDPR change?
GDPR means significant change, but it’s a great opportunity for companies to take stock of their current data processing activities and make sure they’re protecting customer data appropriately.
While many organisations already do the right thing when it comes to personal data, GDPR requires organisations to document and be able to show how they comply with data protection requirements. This means additional documentation of systems, processes, and procedures.
On top of existing rights in the EU, like the right to access and correct personal data held by an organisation, GDPR introduces new data protection rights for individuals such as the right to obtain and reuse personal data across different services, and the right of erasure.
Privacy by design
Organisations must implement technical and organisational measures to show they have considered and integrated data compliance measures into their data processing activities. This builds on the idea that privacy should be considered from the start of (and throughout) the systems and product design process.
What is Lakeland doing about GDPR?
We take our responsibilities under GDPR seriously. Back in 2017, we embarked on a programme to identify which measures we need to implement to be compliant with GDPR, and are working to implement these into our systems and processes. Needless to say, up to and beyond the 25th May 2018, we will continue our efforts to ensure that the new regulation remains central to our operation.
Here's a summary of what we've done to date:
- We conducted a comprehensive GDPR audit and gap assessment. Following the gap assessment, we created an internal roadmap to work towards compliance across software development, support services, finance, and admin.
- Our software and support teams have identified necessary changes/improvements to our products and we are working hard to implement those including procedures to deal with some key data subject rights, like subject access requests and the right to request deletion.
- We conducted a comprehensive data encryption exercise that considered options for further securing data 'at rest' in your database and are in the process of finalising our rollout plan.
- We've carefully considered our existing workflows regarding the transfer of data backups, import spreadsheets, and other sensitive digital formats to our site. As a result, we have implemented a new 'Data Processing Register' so that we can log sensitive information into and out of our network whilst processing as part of a support request or as part of setting up a new customer site. This will also be governed by an additional internal audit.
- We've created secure internal storage 'sandboxes' to further limit access to customer data to only those who require it for the purposes of the job in hand (e.g. data import).
- We've added additional layers of encryption and password security for our Eureka™ online backup tool.
- We've committed to working in parallel with existing customer IT resources to perform 'belt-and-braces' checks on matters, including, but not limited to:
  - Network firewalls
  - User permissions
  - O/S security patches
  - Database engine 'discovery'
  - Database user access
Can we (and should we) store customer loyalty email marketing preferences in Eureka™?
There are two issues for consideration here. Firstly, there is the matter of having 'proof' that you have your customer's consent to email them marketing information such as new products, promotions, and events, etc. in the first place. Secondly, there is the matter of how you might use tools within Eureka™ to create market segments so as to allow you to address customers for whom your email content may be of genuine interest.
To deal with the first, we recommend you use the inbuilt functionality in your marketing tool (e.g. MailChimp) to solicit and store the consent you need from your customers. This will inevitably include the IP address they had when they gave their consent and the date and time it was given. MailChimp, for example, has also recently added support for GDPR-specific fields to help you get the right message across to your customers.
With respect to the segmentation you may do inside Eureka™, we are happy to add an additional field to your customer profile so that you can mirror the permission you have been granted and filed within your email marketing tool. This then makes it more straightforward for you to respect the wishes of your customer when you are creating target segments for marketing purposes.
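As an added illustration (not Lakeland's or Eureka™'s code, and not MailChimp's schema), here is one way to model the consent evidence the marketing tool holds (IP address and timestamp per event) and the mirrored profile flag that segmentation respects; the field names and sample records are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Hypothetical data model (not Eureka's or MailChimp's schema): one row per
# consent event, keeping the evidence the text describes (IP address and
# timestamp) rather than a bare yes/no flag, so withdrawals are recorded too.
@dataclass(frozen=True)
class ConsentEvent:
    customer_id: str
    granted: bool          # True = opt-in, False = withdrawal
    ip_address: str        # address the customer used when responding
    recorded_at: datetime  # tz-aware; UTC avoids ambiguity across sites
    source: str            # e.g. "signup-form", "preference-centre"

def latest_consent(events, customer_id) -> Optional[ConsentEvent]:
    """Most recent consent event for a customer, or None if no record exists."""
    mine = [e for e in events if e.customer_id == customer_id]
    return max(mine, key=lambda e: e.recorded_at) if mine else None

def has_marketing_consent(events, customer_id) -> bool:
    """Default deny: no record, or a withdrawal after a grant, means no email."""
    latest = latest_consent(events, customer_id)
    return latest is not None and latest.granted

def mirror_consent_flags(events, customer_ids) -> dict:
    """Derive the mirrored 'email consent' field for each customer profile
    from the marketing tool's evidence log (the tool stays the source of truth)."""
    return {cid: has_marketing_consent(events, cid) for cid in customer_ids}

def build_segment(profiles, flags, predicate):
    """Apply a segment rule, then drop anyone whose mirrored flag is not True,
    so segmentation can never widen the audience beyond recorded consent."""
    return [p["id"] for p in profiles if predicate(p) and flags.get(p["id"]) is True]

# Constructed sample data for demonstration (documentation-range IP addresses).
T = lambda s: datetime.fromisoformat(s).replace(tzinfo=timezone.utc)
SAMPLE_EVENTS = [
    ConsentEvent("c1", True,  "198.51.100.10", T("2018-05-01T09:00:00"), "signup-form"),
    ConsentEvent("c2", True,  "203.0.113.5",   T("2018-05-02T10:00:00"), "signup-form"),
    ConsentEvent("c2", False, "203.0.113.5",   T("2018-05-20T12:30:00"), "preference-centre"),
]
SAMPLE_PROFILES = [
    {"id": "c1", "spend_12m": 420.0},
    {"id": "c2", "spend_12m": 910.0},
    {"id": "c3", "spend_12m": 150.0},   # no consent record at all
]
```

Customer c2 opted in and later withdrew, and c3 has no record; both are excluded from the segment even though a spend-based rule would have selected them.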
If you have any further questions regarding GDPR in the context of Eureka™ then please feel free to make contact with our GDPR Team and we will do our very best to get you the information you require.