General Data Protection Regulation (GDPR)

Learn about GDPR and how Epicor helps you comply.

Compliance is a Shared Responsibility

Epicor is committed to data security and privacy—for both itself and its customers—and will comply with the General Data Protection Regulation (GDPR) as it comes into effect. While Epicor's GDPR compliance will contribute to its customers' GDPR compliance status, compliance is a shared responsibility.

Epicor is committed to assisting its customers in complying with the GDPR requirements and continues to work on enhancements to help support its own compliance and that of its customers.

What is GDPR?

Understanding the Basics of GDPR

The General Data Protection Regulation (GDPR) is a new legal framework that replaces the EU Data Protection Directive and is enforceable beginning on 25 May 2018. The purpose of the GDPR is to further protect the privacy rights of EU individuals by governing how organizations manage and protect personal data pertaining to EU persons, regardless of where the personal data is collected, transferred, stored, or processed.

The GDPR introduces numerous changes from the existing law that affect how EU personal data should be handled, and it may impact every department across many businesses worldwide. It is expected to affect any organization that processes EU personal data for itself or on behalf of others, as well as suppliers and other third parties that may process EU personal data for organizations.

What does the GDPR provide?

The GDPR provides individuals with certain rights and controls over their personal data. The GDPR also requires transparency regarding an organization’s use of personal data and establishes security and other controls over how personal data is protected.

Who is impacted by the GDPR?

The requirements set out by the GDPR may apply to any organization processing EU personal data. These requirements may also apply to third parties and other suppliers that an organization may utilize to process personal data.

Will the GDPR impact organizations outside the EU?

The impact of the GDPR extends beyond the EU's borders. It will potentially affect any organization—regardless of location—if the organization collects, receives, processes, or stores EU personal data. This regulation may have implications for any organization located outside the EU that collects or receives EU personal data.

What are the key principles of the GDPR?

The intent of the GDPR is to strengthen existing individual rights, introduce new rights, and give EU persons more control over their personal data. The basic principles of the GDPR are to:

  • Require transparency on the handling and use of personal data
  • Limit personal data processing to specified, legitimate purposes
  • Limit personal data collection and storage to intended purposes
  • Enable individuals to request in certain situations: access, correction, deletion (right to be forgotten), transfer of their personal data to a third party, restriction or objection to the processing of their personal data
  • Ensure personal data is protected using appropriate security measures
  • Limit the storage of personal data for only as long as necessary for its intended purpose

What do the GDPR principles mean to my business?

Individuals in the EU may have the right to know, among other things, if and how their personal data is being processed, used, shared and stored. Individuals also may have various other individual rights, such as being provided access to their personal data. When responding to such requests, the information must be provided to the individual in a way that is clear and understandable.

Individuals may also have the right to have personal data corrected or deleted. If a person no longer wants his or her data processed—and an organization does not have another lawful basis for keeping it—the data must be erased.

The GDPR also provides individuals in the EU with the right to know when their personal data has been breached. The GDPR requires organizations to inform individuals of high-risk data breaches, in addition to notifying the relevant data protection authorities.

GDPR Definitions

The GDPR uses several terms that may not be familiar or particularly clear. We have tried to simplify them.

Personal Data: Personal Data is at the heart of the GDPR, and the definition of personal data is broad. Examples of personal data include name, email address, phone number, physical address, device identifiers like IP addresses, geolocation information, health information, financial information, age, date of birth, etc. Even though data—such as an individual's name or email address—might be available through public searches or other public records, it may still be considered personal data that must be protected under the GDPR. Organizations that have doubts about whether data associated with a person or a person's device is personal data commonly assume that it is.

Controller: A controller is an organization that determines how and for what purposes personal data is collected, used, processed, disclosed, and maintained. For example, when a company collects personal data directly from an individual, or receives personal data from a third party that collected it on behalf of the company, the company is commonly the controller.

Processing: Processing is an action performed on personal data—whether or not by automated means. This includes the collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction of personal data. Nearly anything that is done with personal data may be considered processing.

Processor: A processor is an organization that processes (e.g., collects, stores, uses, or discloses) personal data solely on behalf of a controller and in accordance with the instructions of that controller.

What do I need to think about regarding GDPR?

Your systems and software are important considerations when looking to meet the requirements of the GDPR, and they should be part of a robust, organization-wide approach to GDPR compliance. Much of what is required to meet the requirements of the GDPR is process related, and organizations should consider the following:

  • Identify the personal data you have and where it resides
  • Implement robust governance on how personal data is accessed and used
  • Establish appropriate security controls to prevent, detect, and respond to data breaches and vulnerabilities
  • Respond to requests from individuals asserting their data protection rights (e.g. requests to provide an individual with a copy of their personal data)
  • Maintain documentation of compliance, including records of processing activities and responses to requests from individuals
  • Report any data breaches in a timely fashion, as required by law

What will Epicor provide me to help my organization comply with GDPR requirements?

Epicor is committed to data security and privacy—for both itself and its customers—around the world. As with other existing legal and regulatory requirements, Epicor takes its role as a Data Controller and Data Processor seriously.

GDPR compliance is a shared responsibility between Epicor and our customers. Epicor products and services can contribute to your GDPR compliance when they process personal data. For example, our products and services provide functionality to help meet individual rights requests. Products and services, including Epicor’s hosted solutions, have security measures and access controls. Organizations can incorporate the functionality and procedures in Epicor’s products and services to help them meet their GDPR compliance obligations.

Epicor is further committed to assisting our customers in complying with the various requirements applicable to their business—including the GDPR. Thus, Epicor continues to monitor changing laws and best practices in order to enhance our products, contracts, and documentation and to help support our customers' compliance with their legal obligations, including the GDPR.