The EU General Data Protection Regulation (GDPR) is designed to harmonize data protection law across the EU, to protect and strengthen the privacy rights of individuals in the EU (not only EU citizens), and to reshape the way organizations across the region approach personal data.
The GDPR applies from May 25, 2018. Below are answers to the essential FAQs:
- What is GDPR?
- Who is affected by GDPR?
- What are Data Processing Agreements (DPAs) and why do I need to sign them?
- As a Lightspeed Retailer, how do I comply with GDPR requests from customers and employees?
- In which scenarios would I need to submit a GDPR request to Lightspeed Support?
- As a Lightspeed Retailer, what do I need to do in the event of a data breach?
- What are some additional resources that can guide me as a GDPR-affected merchant?
What is GDPR?
The GDPR is a new law that aims to give individuals in the EU more control over their data by regulating how businesses process personal data. "Processing" covers anything a business can do with personal data: collecting, viewing, storing, changing, transferring and even deleting it. Under the GDPR, personal data is any information relating to an identified or identifiable natural person (the "data subject"), that is, anything that can be used to identify them directly or indirectly. This includes the obvious fields such as names, addresses, email addresses and phone numbers, but also identification numbers and online identifiers such as IP addresses or customer IDs that can be linked back to a person.
For more information on the GDPR and Lightspeed's efforts to comply with it, please read our helpful links or contact us at firstname.lastname@example.org:
Who is affected by the GDPR?
The GDPR affects Lightspeed Retailers established in the European Union (EU), and Retailers established elsewhere that process personal data of customers located in the EU. For example, you would be affected by the GDPR if either of the following applies to you:
- Your Retail shop is established in the EU.
- Your Retail shop is in the USA and you offer goods or services to customers in the EU, so you hold personal data about people who reside there.
What are Data Processing Agreements (DPAs) and why do I need to sign them?
Because Lightspeed processes personal data on behalf of Retailers (acting as a data processor), the GDPR requires a written contract between us and each GDPR-affected Retailer that sets out how that processing is done: the Data Processing Agreement (DPA). If you're a Retailer established in the European Union, you should have received the DPA by email.
Signing the DPA is to your benefit: it creates specific rights for you in relation to Lightspeed's processing activities and clearly describes all the obligations that Lightspeed has towards you. Once you've signed the DPA, it is effective immediately and legally binding. If you haven't received the DPA from us yet, it's important that you reach out to email@example.com and sign it as soon as possible. Having a DPA in place with every processor you use is one of the GDPR's requirements; operating without one exposes you to fines from the privacy authorities.
It's also important to note that, with your permission, Lightspeed shares the personal data that you control in your Retail account with the partners you've chosen to integrate with. This allows our partners to pull the data they need to build their integrations and lets Lightspeed offer you the best business solution as a Retailer. Because partner integrations involve sharing data, if you're a GDPR-affected Retailer who has integrated your Retail account, you'll also need to enter into a DPA with each of those partners.
To request a DPA and for more information, please contact our integration partners directly.
As a Lightspeed Retailer, how do I comply with GDPR requests from customers and employees?
As a Lightspeed Retailer, the six types of data-subject request you need to be able to fulfil in Retail are the following:
- Exporting customer data
- Exporting employee data
- Deleting customer data
- Deleting employee data
- Modifying customer data
- Modifying employee data
We recommend that Retailers verify the identity of the employee or customer making the request before acting on it; an export or deletion sent to the wrong person is itself a data breach. We also recommend identifying, before you delete anything, any reason you may need to keep some of the personal data the customer or employee is asking you to delete (e.g. for tax, regulatory or payment-processing (chargeback) reasons). Where you do retain data on such grounds, keep only what the retention reason requires and tell the requester what was kept and why.
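As an illustration of the two checks above (verify the requester, then look for retention reasons before deleting), here is an added worked example of a deletion-request handler. It is not Lightspeed's code and does not use Lightspeed's data model; the `Customer` and `Sale` records, the 120-day chargeback window, the 7-year tax retention period and the HMAC key are all assumptions for the demo. Sales that must be kept are re-keyed to a pseudonym so the direct identifiers can be erased while the transaction record survives for as long as the hold lasts.

```python
from dataclasses import dataclass, replace
from datetime import date, timedelta
import hashlib
import hmac

# Assumed, simplified retail schema for the example (not Lightspeed's data model).
@dataclass(frozen=True)
class Customer:
    customer_id: str
    name: str
    email: str
    phone: str

@dataclass(frozen=True)
class Sale:
    sale_id: str
    customer_ref: str   # Customer.customer_id, or a pseudonym after erasure
    total: float
    sold_on: date

# Assumed retention policy; the real periods depend on your jurisdiction and acquirer.
CHARGEBACK_WINDOW_DAYS = 120
TAX_RETENTION_YEARS = 7

def retention_holds(sales, today):
    """List the reasons linked sales cannot be dropped yet (empty list = nothing to keep)."""
    holds = []
    for s in sales:
        age = today - s.sold_on
        if age <= timedelta(days=CHARGEBACK_WINDOW_DAYS):
            holds.append(f"{s.sale_id}: chargeback window open")
        elif age < timedelta(days=365 * TAX_RETENTION_YEARS):
            holds.append(f"{s.sale_id}: tax retention period")
    return holds

def pseudonym(customer_id, key):
    """Keyed hash of the customer ID: the shop can still tie a chargeback to a sale while
    it holds the key, and drops that ability simply by discarding the key later."""
    return hmac.new(key, customer_id.encode(), hashlib.sha256).hexdigest()[:16]

def process_deletion_request(customer, sales, today, identity_verified, key):
    """Erase direct identifiers; keep only the sales a retention hold requires, re-keyed to a pseudonym."""
    if not identity_verified:
        # Never act on an unverified request: deleting or exporting for the wrong person is a breach.
        return {"status": "rejected", "reason": "requester identity not verified"}
    holds = retention_holds(sales, today)
    if not holds:
        # Nothing to retain: hard-delete the customer and every linked sale.
        return {"status": "deleted", "holds": [], "customer": None, "sales": []}
    pid = pseudonym(customer.customer_id, key)
    kept = [replace(s, customer_ref=pid) for s in sales
            if today - s.sold_on < timedelta(days=365 * TAX_RETENTION_YEARS)]
    # The customer record (name, email, phone) is dropped; only re-keyed sales remain.
    return {"status": "pseudonymised", "holds": holds, "customer": None, "sales": kept}

# Constructed sample data for the demo.
TODAY = date(2018, 6, 1)
DEMO_KEY = b"assumed-demo-key-rotate-in-production"
SAMPLE_CUSTOMER = Customer("C100", "Ada Example", "ada@example.org", "+32 2 555 0100")
SAMPLE_SALES = [
    Sale("S1", "C100", 42.0, date(2018, 5, 20)),  # 12 days old: chargeback window still open
    Sale("S2", "C100", 10.0, date(2015, 1, 10)),  # about 3 years old: inside tax retention
    Sale("S3", "C100", 5.0, date(2009, 1, 10)),   # older than 7 years: no reason to keep
]

if __name__ == "__main__":
    print(process_deletion_request(SAMPLE_CUSTOMER, SAMPLE_SALES, TODAY, True, DEMO_KEY))
```

Running the sample keeps S1 (chargeback) and S2 (tax) under a pseudonym, drops S3 and the customer record entirely, and reports both holds so you can tell the requester what was retained and why.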
If you're an Omnichannel merchant, you'll also need to perform the above actions in eCom to complete GDPR requests.
Similarly, Retailers that have integrated their accounts with one of our partners need to contact them directly to learn what personal data they have and how to complete GDPR requests on their end.
NOTE: All of our Lightspeed products support the above GDPR requests. For instructions specific to your Lightspeed product, please see their respective GDPR Help articles:
In which scenarios would I need to submit a GDPR request to Lightspeed Support?
Depending on whether you're a Lightspeed merchant, a merchant's employee or a merchant's customer, you can submit up to five types of GDPR request to our Support team:
- Information and access request
- Data Modification request
- Objection to processing
- Data deletion request
- DPA Request
Understanding the different types of GDPR requests you can submit to our Support team begins with understanding Lightspeed's two roles under the GDPR. A controller decides why and how personal data is processed; a processor processes it only on a controller's instructions:
- Lightspeed as a data controller, for the data it holds about its own merchants and their accounts.
- Lightspeed as a data processor, for the customer and employee data that merchants store in their Lightspeed accounts (where the merchant is the controller).
For more information, please see Submitting a GDPR request to Support.
As a Lightspeed Retailer, what do I need to do in the event of a data breach?
- Notify your supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to the rights and freedoms of the people concerned. If you miss the 72 hours, include the reasons for the delay. Record every breach in an internal log, including those you decide not to report; the authority may ask to see it.
- Notify the affected customers and/or employees ("data subjects") without undue delay when the breach is likely to result in a high risk to their rights and freedoms, and include the following information:
  - a description of the nature of the breach;
  - the name and contact details of your data protection officer or other contact point;
  - a description of the likely consequences of the breach;
  - a description of the measures you have taken or propose to take to address the breach, including, where appropriate, measures to mitigate its possible adverse effects.
If any of the following conditions is met, however, communicating with each individual customer and/or employee isn't required:
- You had implemented appropriate technical and organizational protection measures, and those measures were applied to the personal data affected by the breach, in particular measures that render the data unintelligible to anyone not authorized to access it, such as encryption. (This exemption does not hold if the encryption key was exposed along with the data.)
- You have taken subsequent measures that ensure the high risk to the rights and freedoms of your customers and/or employees is no longer likely to materialize.
- Communicating with each of them individually would involve disproportionate effort. In that case you must instead make a public communication or take a similar measure that informs them in an equally effective manner.
What are some additional resources that can guide me as a GDPR-affected merchant?
Beyond what you must do as a Lightspeed Retailer, it's easy to be overwhelmed by the amount of GDPR information in circulation and by the regulation's requirements. To point you in the right direction and help you get started, below you'll find additional resources aimed at GDPR-affected merchants.
Guide to documenting your processing activities under the GDPR: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/documentation/