GDPR: Do the Right Thing

GDPR: Do the Right Thing

An Essential Guide for XPOS Users

The GDPR (General Data Protection Regulation) is a new privacy law coming into effect on 25 May 2018. It will replace the existing 1995 EU Data Protection Directive to significantly enhance the protection of personal data.  There are several new provisions within the GDPR and harsher penalties for lack of action.

Here at Crossover, we're feeling positive about the new regulations, which we see as a long-overdue clarification of, what should be, everyone’s right to have a say in how personal information is treated.

Basically, if you capture, use or process ANY information about staff, prospects, or customers, the new regulations will apply to you, regardless of whether you hold information on a computer, online, or manually (hard paper copies).

It can seem a bit intimidating at first, and, we'll admit, it’s a bit of a minefield. So, we’ve put together this guide to help you.

Crossover is unable to provide legal advice in any form. This aim of this guide is to offer background information to help retailers better understand some of the legal points in the GDPR, and what changes they should make. If you have any concerns, we suggest you speak to your buying group, or lawyer, who will be able to advise you.

Your ‘Data-Relationship’ with Crossover

Crossover provides a range of retail services from the epos solution, XPOS, to a number of data extraction and processing services, including

  • Back-Ups
  • Sales Data
  • Data Trac

The Back Up service is automatically provided as part of Crossover’s support service, and applies whenever a customer takes a support contract. Permission for the Sales Data, Data Trac and XCONNECT is secured separately and specifically from the retail customer.

Data Subjects

(Customers to the golf shop)

Essentially the GDPR gives new rights to Data Subjects – in your case, customers in your golf shop - with greater transparency, access to any information held and the right to have their data deleted. Currently a data subject has to give their consent for their information to be used but the new regulations step up the standard when obtaining consent, and say that consent needs to be given freely, and be “specific, informed and unambiguous”.

In other words, your Data Subjects (customers) should be told exactly what their details will be used for, in advance, and in “clear and plain” language.

Data Controller

(That’s you, the retail owner/manager)

The GDPR applies to ‘controllers’ and ‘processors’.  A controller determines the purposes and means of processing personal data.  A processor is responsible for processing personal data on behalf of a controller.

Data Processor

(Crossover Technologies & XPOS)

"Processing" can be defined as:

  1. Obtaining, recording or holding data
  2. Carrying out any operation on the data

Under GDPR, the XPOS system is “The Processor”, meaning it processes the data on behalf of the Controller (retailer). The Controller is expected to ensure the right permissions are in place to capture, and use the personal data of any customers to the shop.

Your 9 Steps to GDPR Greatness

It might all seem a bit complex right now, but it being GDPR compliant doesn’t have to be a big headache. Bite the bullet and get ready for the May deadline.  Here are our 9 GDPR-ready tips for XPOS users:-


Read Crossover’s new licence terms

Over the next few months, your XPOS system will be updated to the new 1.8.4 version. Take some time to read through the new terms and conditions as it explains our “data-relationship” with you in more detail.


Give your Customers a Spring Clean

Many of you will already have been collecting customer data and adding it to the XPOS system. Under GDPR, you can only capture customer information that you are going to use; and you must ensure it is correct and up to date. Very importantly, customers must be aware of exactly what you want to use their data for.

The ICO guidelines are very clear, “Personal data should be collected for specified, explicit and legitimate purposes, and not further processed in a manner that is incompatible with those purposes”.

Look at the data you currently hold and decide what you need to store, and what may need to go. Please contact Crossover’s support team if you need help to add, or edit, customer data to XPOS.


Review Current Marketing Permissions

Under GDPR, you will need to obtain consent to process the personal data of your customer, or change how you currently obtain that consent. In particular, GDPR says that consent must be “freely given, specific, informed and unambiguous”.

Consent requires a positive OPT-IN, as opposed to ‘opt-out’ which was the most-used practice previously. For the golf retailer, this means that all customers need to explicitly confirm that they are happy to be contacted and for what purpose.

XPOS helps you put this in place for your physical shop AND eCommerce, online store and allows you to capture these permissions. There are marketing permission ‘opt-out’ tick boxes for Post, Telephone, SMS and Email.

In the latest XPOS system update (1.8.4) when you add a new customer, all the boxes will be ticked showing that the customer opts-out of marketing communications. As and when you gain permission from the customer, you can UN-CLICK the box. An un-checked box means you can market to that customer.

A checked box in XPOS means you cannot contact the customer with marketing messages.

When you want to create a ‘marketing’ or sales campaign, use the search filters in XPOS to screen out anyone who hasn’t given marketing consent.

Some retailers are choosing to start afresh when it comes to marketing permissions.  Crossover can reset customer marketing permissions from your XPOS so that you can start collecting customer information in line with the new GDPR regulations. Just contact us on and we’ll do this for you.


Ask for Opt-In Permission at Every Sale

Many retailers collect customer information to help them build an accurate picture of their customer base, which, in turn, enables them to target their marketing better, and helps retailers to make better buying decisions.

It’s good business sense and you can still do this under GDPR. All you have to do is ask.

When you make a sale, ask the customer for his/her name. Make sure you use the Customer Selector button to put the customer name against the sale – whether they’re paying with cash or card.

If you’re collecting any personal information, make sure customers know you’re doing this and what it will be used for. You may already be doing this with your cookies policy on your eCommerce website.


Allow Customers to “Be Forgotten”

One of the core principles of the new GDPR is that individuals have the right to request the removal or deletion of their personal data, where there is no compelling reason for its continued processing. Any consent withdrawal requests by your customers must be processed as soon as possible

Retailers must ensure they have a process in place to review, amend or delete someone’s information and respond quickly if they have a request. Please talk to Crossover if you need help putting processes in place.


Know your Data Journey

It’s important to understand where your customer data goes. Does it stay on your PC, or leave via the Internet?

XPOS data is stored in a SQL database on your PC and then backed up to our secure Azure servers every night. If you use any other services including XCONNECT, XBALL, or DATATRAC, or give your data to Crossover Promotions please get in touch with us and we can provide additional information about your data’s journey.


Tighten-Up for Top Security

Under the new regulations, “personal data must be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage”.

In your XPOS system, we’d recommend you follow our best practice on security settings and do the following:

  1. Setup security within XPOS and ensure that the Customers section is only accessible to certain staff members.
  2. Setup security within XPOS more specifically to:
    • Not allow the export of Customer data and/or email addresses
    • Not allow the emailing of Customers
  3. Ensure your PC has a Windows password to stop unauthorised access
  4. Ensure you are backing up XPOS every day

Don’t Leave Out Staff!

It isn’t just customer data that comes under the new GDPR regulations, information about staff falls under the GDPR umbrella too.

A quick spring-clean would be a great action for starters. Is your staff data up to date? Is it stored securely? Do you really need all the information you hold?

If you’re processing sensitive personal data, (eg. medical advice or conditions, ethnic origin, political opinions, membership of organisations), you will need to be especially careful and we’d suggest you actually take some legal advice for additional guidance.

Personal information should not be available to other staff members. Access of staff details in XPOS can be limited through security settings and we recommend you implement these now. Call our support team to find out how.


Act Quickly in Event of a Data Breach

GDPR guidelines are very specific when it comes to a breach of your data. A security data breach can happen for a number of reasons:

  • Loss or theft of data or equipment on which data is stored
  • Inappropriate access controls allowing unauthorised use
  • Equipment failure
  • Human error
  • Unforeseen circumstances such as fire, or flood
  • Hacking attack

Consider a 4-step management plan in the even to of a breach.

Containment and Recovery

Investigate, ‘contain’ the breach and limit damage where possible. Make sure one person is responsible for investigating.

Establish who needs to know about the breach and keep them informed.

Inform police if necessary, and the people affected if there’s a high risk to individual rights.

Assess The Risks

How serious or substantial might consequences be to individuals? How likely are they to happen?

Notification of Breaches

Notify relevant individuals who might have been affected so that they can take steps to protect themselves if necessary.

Inform the appropriate regulatory body so that it may provide advice and deal with complaints.

The relevant supervisory authority only needs to be informed in the event of a breach

Evaluation and Response

After the first actions, evaluate the effectiveness of your breach management plan and make changes necessary to avoid a repeat data breach for the same reasons (eg. If the breach was caused by relaxed security, ensure changes are made with your systems).

Remember, GDPR isn’t designed to stop you from communicating with your members or visitors. If you carry out the steps we've suggested here, your data should be cleaner and better, and will enable you to target your activity more effectively.What's more, customers will see that you're doing the right thing and it's a great opportunity to build loyalty and trust.

We're here to guide you through this and help you with any questions you might have. Just call our expert support team 01454 418395.