GDPR: What it means for B2B companies, and how Aphix is ensuring compliance
GDPR - The General Data Protection Regulations, came into effect on Friday, May 25th. As a B2B company are you prepared?
One of the most far-reaching pieces of legislation in the history of the European Union, the General Data Protection Regulations, came into effect on Friday, May 25th. Our piece gives a rundown of what GDPR is, the implications for B2B and wholesale companies, and what Aphix is doing to ensure customers on our B2B-dedicated eCommerce and mobile apps platform are adequately protected.
The goal of the EU’s General Data Protection Regulations is to protect personal information, i.e. data that can be associated with a living person.
-
Short term imperatives of GDPR for all B2B or wholesale companies
Given all of the specific instances and articles of legislation outlined below, there are a number of short-term imperatives for B2B and wholesale companies, including customers of Aphix Software.
B2B customers need to follow these or risk being non-compliant - with all the significant penalties that apply (amounting to 4% of global turnover or €20 million, whichever figure is greater… Yikes.)
In the first instance, when any individual registers to use a business’s system, the business needs to explain what personal data will be captured, for what purpose it will be used.
For this reason, a Privacy Section on the site is absolutely necessary. Similarly, they should point to the privacy policy sections of their sub-processors. In the case of an Aphix customer, those sub-processors could include Aphix Software, our data centre partners, your ERP software provider and any other third-party sub-processors being utilised.
Secondly, B2B companies must also put procedures in place which will mean they are able to respond to requests for information from the individual.
In this instance, since Aphix is a “Data Processor”, we need to be in a position to respond to requests from our merchants, providing them with the relevant information when they in turn have received a request from an individual.
This means that in order to satisfy a data request from someone, our customer will have to provide both the data they hold and get a copy of any data we hold.
At its most basic level, every company will need a number of well-defined procedures and processes:
-
Staff training – this need not be onerous, but should emphasise that people are required not to disclose information and must be careful of any personal data that may be in their possession.
-
Security – all laptops containing personal data should have full-disk encryption, and similarly all USBs containing personal data should be encrypted.
-
Data gathering - How to gather all the data for a user, which includes how to contact their data processors like Aphix for data requests.
-
Data removal - How to delete data for a user, including which data have to be retained, and how to pass on this request to their data processors.
-
Data breaches - A detailed procedure outlining the action steps in the case of a data breach (hacking, loss of data, etc.)
-
What happens if Companies don’t bother?
If they don’t take these steps, the theoretical penalties are extremely severe. Fines up to 4% of turnover or €20 million (whichever is higher) should be a rather strong incentive to get this right.
In reality, given that the legislation has stirred up phenomenal levels of commentary and discussion right around the world (not just in the EU), the suspicion is that as long as a company can prove that they’re on the journey to being compliant, the massive penalties may not apply in the short term.
However, it is a minefield for all organisations all over the world, and it is essential that the steps are taken sooner rather than later to achieve compliance.
In particular, staff training and procedures around data breaches and responses to data requests are vital.
Possibly just as punishing as any financial penalty will be the loss of confidence in the business caused by falling foul of the Data Protection Commissioner. Over and above any potential fines, perhaps more of a concern should be the possible reputation damage that a breach of the law and the related adverse publicity could bring.
-
Is Aphix Software prepared for GDPR?
We are happy to report that we have already taken a significant number of steps in this process and are well along the road to being fully compliant.
Our actions taken so far include:
-
The company has appointed a Data Processing Officer
-
We have put in place a data breach procedure
-
We are reviewing security with a view to maintaining security protocols that are as robust as anyone in the business
-
We are in the process of updating our website with a precise description of how we process data.
-
We are also reviewing all data we collect to ensure that this capture of data is appropriate and necessary for the business.
If you have any queries or require further details please contact our support team.
The devil is in the detail
The protection of personal data is defined by several articles within the GDPR legislation.
Below we outline a list of the most pertinent articles within the legislation and what they mean for all businesses - including B2B and wholesale companies, whether they’re inside or outside the Aphix ecosystem.
Article 13
This part of the legislation covers the information that must be provided where personal data is collected from the data subject.
The basics
Whenever you are collecting personal data, you must tell people...
-
Who you are
-
That you’re collecting their data
-
Why you’re collecting their data.
Other uses of the data
You must also declare other uses beyond whatever the obvious ones are. For example, for marketing purposes.
In other words, unless you explicitly state that you will be using the data for that purpose, you may not afterwards decide to use these data for another purpose without once again getting the user’s permission!
And everything else!
Your policies must also cover…
-
How long you’re going to keep the data or, if that’s not possible, how you determine this period.
-
If you are collecting sensitive information (i.e. data over and beyond things like contact information), you really do have to have a good reason, such as in a medical practice or employment agency.
-
Things like IP addresses and other data that tags along with everything else.
Clarity of language
The rule is that this information must be presented “in a concise, transparent, intelligible and easily accessible form, using clear and plain language”.
Article 14
This part of the legislation covers information to be provided where personal data has not been obtained from the data subject.
This article effectively covers B2B companies.
It is similar to Article 13, with the addition that relevant companies must inform people that their registrations are owned by the merchant. All the other items in Article 13 apply here too.
Article 15
This is where it starts getting interesting! Article 15 covers right of access by the data subject.
This, in effect, means that if someone asks for a copy of their data, you must give it to them.
There will be vexatious requests and it may be tempting just to ignore them, but the law explicitly states that you just can’t do that.
All told, it’s going to work best if you have an automated mechanism to generate the data.
In addition to giving the person a copy of their personal data, you must also tell them what the data are used for, the length of time it is held, and where it’s stored (especially the USA).
In addition, if any automated processing is performed, then this must also be explained – this doesn’t mean simple flow of a purchase, but rather things like AI used in marketing and advertising.
Article 16
Still with me? Good! This one covers the “right to rectification”.
What this means is that if you are processing someone’s personal data, it is your responsibility to ensure that the data are correct, and if a user asks that the data be corrected, you must take action to fix it.
A good question to ask in your general operations is: How do you will ensure that the personal data you are controlling are not obsolete?
Article 17
This section covers the right to erasure (also known as “right to be forgotten” following a high-profile Spanish court case in 2014).
If the user decides they no longer want you to use their data, this requires that the data be deleted without delay.
Obviously there may be situations where this isn’t absolutely possible. For example, there are legal requirements for retention of data, particularly for employees, and processing of orders and other business operations require that some data be retained for accounting reasons.
Article 18
Right to restriction of processing
-
You can’t use data for unlawful purposes, and you can’t process inaccurate or obsolete data. If the user says stop, unless there’s a legitimate reason, you can’t process the data.
Article 19
Notification obligation regarding rectification or erasure of personal data or restriction of processing
-
You have to tell the data subject if you delete or change their data.
Article 20
Right to data portability
-
In the case of e.g. a bank, a user has the right to have their data given to them in a machine-readable way, so that they can transfer them to another bank.
Article 21
Right to object
-
This article gives individuals the right to object to the processing of their personal data. It effectively allows individuals to ask you to stop processing their personal data. The right to object only applies in certain circumstances.
Article 22
Automated individual decision-making, including profiling
-
A user can object to being profiled automatically, typically for direct marketing situations.
-
The user also has the right not to be subject to an automated decision, e.g. on whether they get a loan from a bank or not.
Article 33
Notification of a personal data breach
You MUST inform the local authority; the (DPC) Data Protection Commissioner in Ireland https://www.dataprotection.ie/docs/Home/4.htm and the (ICO) Information Commissioner's Office in the UK https://ico.org.uk/ within 72 hours in the case of a data breach, e.g. hacking, loss of data, mislaid data, etc.