Register and GDPR
This blog post gives an overview of how the EU General Data Protection Regulation (GDPR) affects Register, along with some considerations and recommendations for compliance.
We are now going to discuss the scenario where you are using our Customer Relationship Manager (CRM) functionality to store data about your customers. Let’s first set out some definitions as laid out by GDPR.
Personal Data means data about a living individual who can be identified from the data (or from the data and other information either in your possession or likely to come into your possession).
This is the kind of information you may store using our CRM functionality: for example, customer name, address, date of birth, favourite table or stylist.
Data Controller means the natural or legal person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal information is, or is to be, processed.
As the merchant, you are in control of this data, so you are the Data Controller.
Data Processors (or Service Providers)
Data Processor (or Service Provider) means any natural or legal person who processes the data on behalf of the Data Controller.
As the provider of the service, we are the Data Processor.
GDPR Compliance Recommendations
You may want to seek external advice on how GDPR specifically affects your business, but here are a few pointers. As you control what data is stored and are the entity creating the data, you are the Data Controller. As the Data Controller for the customer data, it is your responsibility to ensure GDPR compliance.
What data to store
The CRM element of Register is highly configurable, and you can add or delete the data items recorded against each customer. In general terms, you should only store information that you actually need and that is relevant to your business.
We recommend giving each clerk their own login and associated PIN number, i.e. do not use a generic PIN number across clerks and do not share clerk logins.
Register has its own login and timeout settings for security. However, we also recommend setting a timeout and password on the EPOS computer itself, whether a tablet or an integrated computer device, so the whole device is locked down.
Gaining Authority to store the data
Customers must be asked whether they are happy for you to store, use and process their data, and their answer must be recorded for reference. Within Register, under the CRM configuration, you can use any or all of the following pre-configured questions.
You can also configure any custom question and answers as you see fit.
How to manage customer rights
As you are storing customer information, the customer has certain rights under GDPR. This section describes those rights and how to handle them.
The right to access, update or delete the information you hold on the customer.
If the customer requests access to their data, you can look them up in the CRM locally on the Register if they are in store and show them the record, or look them up via the Web Portal, export the record and provide it to the customer. If the customer requests an update to their information, this can be made on the Register or via the Web Portal. If the customer wants their data deleted from Register (known as “the right to be forgotten”), you can delete them from the Register client or the Web Portal.
The right of rectification.
The customer has the right to have their information rectified if it is inaccurate or incomplete. This can be done on the Register client or the Web Portal.
The right to object.
The customer has the right to object to your processing of their Personal Data. You can configure this as questions on the CRM (see “Gaining Authority to store the data” above). If an existing customer objects, you can delete them; if a new customer objects, do not enter them on the system.
The right of restriction.
The customer has the right to request that you restrict the processing of their personal information. You can record their preferences under the CRM, but it is your responsibility to ensure they are honoured. For instance, if they state that appointment text reminders are OK but email is not, then do not email them.
The right to data portability.
Customers have the right to be provided with a copy of the information you hold on them in a structured, commonly used and machine-readable format. You can export their information to an Excel spreadsheet via the Web Portal.
The right to withdraw consent.
Customers also have the right to withdraw their consent at any time where you relied on that consent to process their personal information. You can update this either on the Web Portal or via the Register client, by deleting the customer entirely or by changing their answer to a consent question from yes to no, for instance changing “Accept Marketing” from yes to no. You may then also need to update any separate marketing tools that you use.