Information for existing and prospective customers
The EU General Data Protection Regulation (GDPR) is a significant piece of European legislation that enters the enforcement phase on May 25, 2018. GDPR builds on existing data protection laws to strengthen the rights of EU individuals over the use of their personal data and creates a single data protection approach across Europe.
Vendavo, as the data processor working in conjunction with our customers as data controllers, is committed to the delivery of solutions and services that comply with GDPR.
What are we doing?
Vendavo welcomes GDPR and the strong data protection and security principles it promotes, many of which Vendavo put in place long before GDPR was introduced.
Similar to existing legal requirements, compliance with GDPR requires a partnership between Vendavo and our customers in their use of our solutions and services.
In scenarios where data controllers make use of a third-party, such as Vendavo, to process personal data, fulfilling commitments as a data processor is an obligation of compliance with GDPR. Because of this requirement, Vendavo works extensively to ensure that our Terms and Conditions of use and related agreements, along with relevant policies, contain appropriate provisions for personal data that we process and/or store.
How will Vendavo comply with GDPR?
Our GDPR preparation started in May 2017, and as part of this process we are reviewing, and updating where necessary, all internal processes, procedures, data systems and documentation to ensure that we are ready when GDPR comes into force. While much of our preparation is happening behind the scenes, we are also working on a number of initiatives that will be visible to our customers. Among other activities, this preparation includes:
- Updating our Data Processing Agreement to meet GDPR requirements in order to permit customers to continue to lawfully transfer EU personal data to Vendavo and to permit Vendavo to continue to receive and process that data;
- Updating our third-party vendor contracts to meet the requirements of GDPR in order to permit us to continue to lawfully transfer EU personal data to those third parties and to permit those third parties to continue to receive and process that data;
- Analyzing all of our current features and templates to determine whether any improvements or additions can be made to make them more efficient for customers that are subject to GDPR;
- Evaluating potential new GDPR-friendly features and templates to add to our application.
Does GDPR impact Vendavo customers?
Depending on the customer location, software configuration and the nature of data used, Vendavo software may process personal data, which is subject to data protection laws, including GDPR. Accordingly, the latest version of Vendavo software supports GDPR requirements in a range of ways, including:
- Deletion. Vendavo software supports deletion of data, including personal data and related data, such as transactions and deals. This can be performed using the archiving feature, which allows customers to flag data for archival and deletion.
- Changes to personal data. Vendavo software supports the enablement of logging for fields that may contain personal data.
- Disclosure of personal data. Data privacy regulations may require the release of personal data upon request of the data subject. Vendavo customers may create a report containing this information using Pricemart Extractor, which includes optional encryption.
- Sensitive personal data. Sensitive personal data is a category that requires special handling under GDPR. The definition of what qualifies as sensitive personal data may differ by legal area or industry. For example, sensitive personal data may pertain to information on racial or ethnic origin, political opinions, or bank and credit accounts. Vendavo solutions do not typically collect sensitive personal data, and as a result, have not been designed to store and process such data.
What do you need to do?
As a current or future customer of Vendavo, you are responsible as the data controller for ensuring the use of our solutions and services is compliant with both GDPR and the policies relevant to your organization. Consider the following tips:
- Get to know GDPR. Familiarize yourself with the provisions of the new regulation, particularly how it may differ from your current data protection obligations and consider the relationships you have with both your customers and staff. Also, note the variance of local provisions which may be superseded by the new regulation when it comes into force.
- Audit your data and processes for data capture. Consider creating an updated and precise inventory of personal data that you control. Review your current controls and processes to ensure that they are adequate and build a plan to address any gaps. The following are steps you can take today:
- Review your survey program;
- Review your process documentation;
- Ensure you have a lawful basis for holding and/or processing the data.
- Stay informed. Keep abreast of updated regulatory guidance as it is issued.
Vendavo will monitor the implementation of GDPR legislation by the Information Commissioner’s Office (ICO) and provide pertinent informational updates to our customers throughout the process.
This information is provided for customer guideline purposes only and is not legal advice. It is subject to change or removal without notice. Consult with your own legal counsel as you prepare for GDPR compliance.