The GDPR (General Data Protection Regulation) is a new privacy law coming into effect on 25 May 2018. It will replace the existing 1995 EU Data Protection Directive to significantly enhance the protection of personal data.  There are several new provisions within the GDPR and harsher penalties for lack of action.

Here at Crossover, we're feeling positive about the new regulations, which we see as a long-overdue clarification of, what should be, everyone’s right to have a say in how personal information is treated.

Basically, if you capture, use or process ANY information about staff, prospects, or customers, the new regulations will apply to you, regardless of whether you hold information on a computer, online, or manually (hard paper copies).

It can seem a bit intimidating at first, and, we'll admit, it’s a bit of a minefield. So, we’ve put together this guide to help you.

Crossover provides a range of retail services from the epos solution, XPOS, to a number of data extraction and processing services, including

• Back-Ups
• Sales Data
• Data Trac
• XCONNECT

The Back Up service is automatically provided as part of Crossover’s support service, and applies whenever a customer takes a support contract. Permission for the Sales Data, Data Trac and XCONNECT is secured separately and specifically from the retail customer.

It might all seem a bit complex right now, but it being GDPR compliant doesn’t have to be a big headache. Bite the bullet and get ready for the May deadline.  Here are our 9 GDPR-ready tips for XPOS users:-

Over the next few months, your XPOS system will be updated to the new 1.8.4 version. Take some time to read through the new terms and conditions as it explains our “data-relationship” with you in more detail.

Many of you will already have been collecting customer data and adding it to the XPOS system. Under GDPR, you can only capture customer information that you are going to use; and you must ensure it is correct and up to date. Very importantly, customers must be aware of exactly what you want to use their data for.

The ICO guidelines are very clear, “Personal data should be collected for specified, explicit and legitimate purposes, and not further processed in a manner that is incompatible with those purposes”.

Look at the data you currently hold and decide what you need to store, and what may need to go. Please contact Crossover’s support team if you need help to add, or edit, customer data to XPOS.

Under GDPR, you will need to obtain consent to process the personal data of your customer, or change how you currently obtain that consent. In particular, GDPR says that consent must be “freely given, specific, informed and unambiguous”.

Consent requires a positive OPT-IN, as opposed to ‘opt-out’ which was the most-used practice previously. For the golf retailer, this means that all customers need to explicitly confirm that they are happy to be contacted and for what purpose.

XPOS helps you put this in place for your physical shop AND eCommerce, online store and allows you to capture these permissions. There are marketing permission ‘opt-out’ tick boxes for Post, Telephone, SMS and Email.

When you want to create a ‘marketing’ or sales campaign, use the search filters in XPOS to screen out anyone who hasn’t given marketing consent.

Some retailers are choosing to start afresh when it comes to marketing permissions.  Crossover can reset customer marketing permissions from your XPOS so that you can start collecting customer information in line with the new GDPR regulations. Just contact us on support@crossovertec.co.uk and we’ll do this for you.

Many retailers collect customer information to help them build an accurate picture of their customer base, which, in turn, enables them to target their marketing better, and helps retailers to make better buying decisions.

It’s good business sense and you can still do this under GDPR. All you have to do is ask.

When you make a sale, ask the customer for his/her name. Make sure you use the Customer Selector button to put the customer name against the sale – whether they’re paying with cash or card.

If you’re collecting any personal information, make sure customers know you’re doing this and what it will be used for. You may already be doing this with your cookies policy on your eCommerce website.

One of the core principles of the new GDPR is that individuals have the right to request the removal or deletion of their personal data, where there is no compelling reason for its continued processing. Any consent withdrawal requests by your customers must be processed as soon as possible

Retailers must ensure they have a process in place to review, amend or delete someone’s information and respond quickly if they have a request. Please talk to Crossover if you need help putting processes in place.

It’s important to understand where your customer data goes. Does it stay on your PC, or leave via the Internet?

XPOS data is stored in a SQL database on your PC and then backed up to our secure Azure servers every night. If you use any other services including XCONNECT, XBALL, or DATATRAC, or give your data to Crossover Promotions please get in touch with us and we can provide additional information about your data’s journey.

Under the new regulations, “personal data must be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage”.

In your XPOS system, we’d recommend you follow our best practice on security settings and do the following:

1. Setup security within XPOS and ensure that the Customers section is only accessible to certain staff members.
2. Setup security within XPOS more specifically to:
   • Not allow the export of Customer data and/or email addresses
   • Not allow the emailing of Customers
3. Ensure your PC has a Windows password to stop unauthorised access
4. Ensure you are backing up XPOS every day

It isn’t just customer data that comes under the new GDPR regulations, information about staff falls under the GDPR umbrella too.

A quick spring-clean would be a great action for starters. Is your staff data up to date? Is it stored securely? Do you really need all the information you hold?

If you’re processing sensitive personal data, (eg. medical advice or conditions, ethnic origin, political opinions, membership of organisations), you will need to be especially careful and we’d suggest you actually take some legal advice for additional guidance.

Personal information should not be available to other staff members. Access of staff details in XPOS can be limited through security settings and we recommend you implement these now. Call our support team to find out how.

GDPR guidelines are very specific when it comes to a breach of your data. A security data breach can happen for a number of reasons:

• Loss or theft of data or equipment on which data is stored
• Inappropriate access controls allowing unauthorised use
• Equipment failure
• Human error
• Unforeseen circumstances such as fire, or flood
• Hacking attack

Consider a 4-step management plan in the even to of a breach.

Remember, GDPR isn’t designed to stop you from communicating with your members or visitors. If you carry out the steps we've suggested here, your data should be cleaner and better, and will enable you to target your activity more effectively.What's more, customers will see that you're doing the right thing and it's a great opportunity to build loyalty and trust.

We're here to guide you through this and help you with any questions you might have. Just call our expert support team 01454 418395.