GDPR and POS

In May 2018, new laws will come into force across the EU tightening regulations on how businesses and organisations handle private customer data. This will have a big impact on point-of-sale activities, from processing transactions to how customer data is captured and used.

The General Data Protection Regulation (GDPR) will apply across all 28 EU member states, including the UK, which will not have left the union by that point. However, the rules will also apply to any businesses trading within the EU, whether physically or digitally, no matter where in the world they are based.

The overarching goal of the GDPR is to strengthen the rights of private citizens with regards to data collection by businesses and other organisations. It sets out two key mechanisms for achieving this:

  • Creating a requirement for organisations to gain explicit consent from individuals before personal information is collected, processed and stored.

  • Increasing penalties for breaching privacy rules.

For companies in the retail, hospitality and leisure industries, these will have a specific impact on point-of-sale activities. Any business which runs an EPOS system should be prepared for the following changes.

  • Penalties for security breaches in EPOS systems will increase. If a business is found to be at fault for a breach which, for example, leads to theft of customer card details, it could be fined up to 4 per cent of its turnover.

  • Businesses which link their EPOS systems to CRM and capture customer data for marketing purposes will have to review their privacy policies. Specifically, they will have to put in place protocols for gaining consent from customers, and be prepared to erase customer records on request.

Building on PCI-DSS

The processing of debit and credit card transactions is already subject to strict regulations under the PCI-DSS. In practice, the GDPR does not significantly alter the actions businesses need to take to remain compliant with the PCI-DSS, but it does increase the stakes for non-compliance.

In particular, businesses need to be more alert to the risk of data breaches. Whether it is from malware attacks or physical breaches such as the theft of a terminal, businesses will be held more accountable under the GDPR. Not keeping anti-virus software up to date could be enough to be held liable if your systems are hacked. Not securing your EPOS system adequately could count against you if a physical breach occurs.

If a business does become aware of a potential data breach in its EPOS, it will be required to alert the relevant authorities within 72 hours. Organisations are being advised to prepare by drawing up policies for handling data breaches, and for managing their own accountability, in line with GDPR rules so they are ready to hit the ground running come May 2018.

Privacy by Design

Although the concept of Privacy by Design has existed for a number of years, the GDPR will give it regulatory weight for the first time. What it means is, businesses will be expected to build systems and operations around the demands of privacy and data protection, rather than tag them on at a later date.

In practice, this will mean taking account of two key areas in which individual rights are strengthened by the GDPR – the right to access and the right to erasure. If you collect customer data via your EPOS, the GDPR states they must be informed, and given access to that data in the form of being told exactly what is being collected and what it is being used for. Furthermore, should customers not want their data to be collected, organisations must comply, and must also delete any existing records if requested to do so.

Taken together, the rights of access and erasure create an obligation on organisations to seek consent for any personal data collection.

Article Credit: Aures

Start Your Business Transformation

Give us a call to discuss your Microsoft Dynamics 365 requirements

  • 01276 583 024

Get Insights Delivered to Your Inbox

Dynavics will never share your data with a third party.
For full terms and conditions, see the privacy policy.