On May 25th, 2018 the new General Data Protection Regulation (GDPR) becomes effective. The GDPR is a regulation which affects literally every business who handles personal information regarding one or more citizens of a country in the EU regardless of where the business is located. Failing to comply may result in huge fines which may go up to 20 million euro or 4% of the annual revenue (whichever is bigger). Many businesses haven’t prepared or are still in the preparation for this big change.
But what are the challenges that restaurant and store owners face when they want to comply with GDPR? These are some of the areas that we try to help you with, so the personal information you collect can be stored in a more secure way and can meet the requirements better. Personal information may be private persons’ names, emails, addresses, phone numbers, unique identifiers and also any other information which allows for a person to be uniquely identified.
1. Encryption of sensitive data
IncoCloud will soon include a brand new service called GDPR Compliance which will allow the sensitive information in your IncoPOS database to be encrypted using AES 256 bit encryption. This means that all the sensitive data will be encrypted at rest (stored on your hard drive) which is one of the GDPR requirements. Another requirement is that the sensitive information should be encrypted while in transit. With this method of encryption, the sensitive information will remain encrypted while in transit over the network too. This is important for scenarios in which if you have for example 3 POS terminals connected to a central database in your network. In this case, if you encrypt the hard disk of the computer storing the information all the data will be encrypted while stored, but not while in transit (transferred over the network). This means that it is possible for a malicious person to listen to the traffic in your network and to obtain a copy of the sensitive information while it is being transferred between the workstations.
Another key advantage is that the encryption keys that are used to encrypt and decrypt your information are never stored on your workstations. The GDPR Compliance service stores them and sends them automatically to your workstations when they are started. This means that no human interaction is required to handle the encryption or decryption process. The latest version of IncoPOS for Android also supports encryption and works without any additional setup. IncoCloud by itself is encrypting all sensitive information and is GDPR compliant. This comes with the requirement that your workstations will require internet access at the time they are being started! Also if your database is stolen, you can remove that database from IncoCloud and nobody will be able to access your sensitive data from that database anymore.
2. Restriction of the access to sensitive information
IncoPOS has always had a great level of control over the access to each of its functions. Every user in IncoPOS can be restricted to access exactly the functions that he needs so he can do his work. This can eliminate the exposure of sensitive information to operators which should not have access to it. This measure by itself can greatly reduce the risk of personal data leak. Actions which can be disabled for a user include running reports with sensitive information about partners or users in it, exporting partner or user information and preview or editing of partner and user information.
3. Logging access to sensitive information
In some cases, users must have access to sensitive information. Another feature that the GDPR Compliance service can enable is logging of all access to sensitive information. This means that you can check from IncoPOS in Reports->Administration->Application log… and see when exactly and who accessed sensitive information and how (from a report, export or directly viewing the information in the application).
Another level of protection that the GDPR Compliance service adds is to disallow any changes in the log. This means that even is a user accesses some personal information and tries to delete information from the logs about his access IncoCloud will immediately repair the log back to the original state.
4. The right to be forgotten
According to GDPR every partner or user has the right to be forgotten and unless we have a strong reason not forget him we should do that. The problem is that we should retain information about our operations so our inventory and balances should not change whether we decide to forget a certain partner or user. The GDPR Compliance service allows you to do just that. Once we attempt deletion of a partner, the system will warn us if there are operations made with that partner and offer to move him to the “Deleted” group and hide him from the list. But if we would like to forget all his details we can simply attempt to delete him again from the “Deleted” group and then a new dialog will appear if we would like to forget all the partner information but leave the operations made with this partner. If we confirm then all the details about this partner will be cleared and he will be named something like “Forgotten 1”. For security purposes, this action is only available to users with access level “Owner”. The same actions are available for the users in the system too.
All our systems are built with our clients’ and partners’ best interest in mind. Reaching top level security is always a target almost impossible to reach without sacrificing user experience and ease of use. With these new changes, we let your business reach a very high level of compliance, but it is not everything you need to do. For example, make sure that handling sensitive information outside the software system is compliant with GDPR too. This includes asking for consent when sensitive information is recorded in any way. Also, you have to make sure that sensitive information is handled with adequate security measures when recorded on paper too.
GDPR compliance in IncoCloud
Since most of our clients use IncoCloud to backup and process their sensitive information we also do our best to comply with GDPR before May 25th, 2018. These are some of the measures we take:
- We will make sure that we have received your consent about the emails you can receive. If we don’t have it by 25th of May you will not receive any more emails from us. You can later change that from your IncoCloud profile.
- You can edit all your personal information from your IncoCloud profile. Also, we will include options to delete your profile and export all the information we have about you.
- You can change the consent you give to every service in IncoCloud which accesses your partners’ information from your IncoCloud profile. Or like before you can simply disable a service and it will stop having access to any of your data.
- We added an age check when creating an IncoCloud profile to make sure we comply with GDPR and we only process information for persons which are 16 years or older.
- As always your information is always transferred and stored encrypted and we are dedicated to improving the security for our customers even after May 25th, 2018.