General Data Protection Regulation 2018 (GDPR)

Lightspeed GDPR approach

Last updated: February 1, 2018

After four years of preparation and debate, the GDPR was finally approved by the EU Parliament on 14 April 2016. The EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC and was designed to harmonise data privacy laws across Europe, to protect and empower all EU citizens' data privacy and to reshape the way organisations across the region approach data privacy. Lightspeed fully supports the strict privacy standards stipulated in the regulation (known in Dutch as the AVG and in English as the GDPR, the General Data Protection Regulation). The GDPR is a new law that will take effect on May 25, 2018. The regulation is intended to tighten and strengthen data protection law for all businesses operating in the European Union.

Lightspeed has set itself the goal of complying fully with the GDPR before the legislation takes effect.

This page will set out:

  1. What is Lightspeed doing about the GDPR?
  2. What does this mean for our customers?
  3. General GDPR information

1. What is Lightspeed doing about the GDPR?

Since 2017, Lightspeed has employed a dedicated team of internal and external advisers to identify improvements and requirements for our products. We started this process early because we have a responsibility to protect the privacy of our customers (and their customers), something which has always been of paramount importance to us. As a company, we want to ensure that at all times we comply with both UK and international laws that protect privacy.

Lightspeed has two roles under the GDPR. Lightspeed acts as a data controller for the personal data of its customers. This personal data mainly concerns the name and contact information of all our customers. Additionally, Lightspeed acts as a processor of the personal data received by Lightspeed customers, as well as third-party data concerning their customers. This means that Lightspeed must support its customers to ensure the processing of personal data remains secure, and our primary responsibility is to ensure that we adequately protect all data of our customers. In addition, we will assist our clients in responding to requests for inspection, removal or alteration of personal data.

To fulfil both roles, Lightspeed has sought ways to continually optimise the processing of personal information and data. Additionally, Lightspeed is preparing to take the necessary technical measures to give effect to the new rights individuals have under the GDPR. We began to take action immediately after the announcement of the date the GDPR will come into effect. Currently, you can find all updates and information on the GDPR on this page, and we will continue to update our customers on the necessary steps we are taking with respect to GDPR compliance.

2. What does this mean for our customers?

Every Lightspeed customer also has the responsibility to ensure that they are acting in accordance with the new GDPR legislation. As data controllers in their own right, Lightspeed customers are responsible for maintaining the lawful processing of the personal data of their customers. To meet these standards, we recommend (at minimum) the following steps:

  1. Make sure your terms of service, privacy and your cookie policy are up to date, and you inform your customers correctly which of their personal data you intend to use and for what purposes.
  2. Ensure that those who provide you with their data are given the opportunity to receive a copy of their personal data or, under certain circumstances, to have you correct or delete their personal information.
  3. You are required to sign a data processing agreement with all parties who process personal data on your behalf, including Lightspeed, specifying the purposes for which these processors may use the personal information. In the coming weeks, we will be contacting our customers to give them the opportunity to sign our standard data processing agreement (DPA).
  4. You must ensure that stored personal information is accurate and protected.
  5. You must not keep personal information for longer than necessary, or longer than the period stipulated in any agreement.
  6. Be prepared to notify the relevant parties (within 72 hours) in the event of any data breach.

Please note that the above is not comprehensive and we recommend you seek legal advice for more information on any implication of the GDPR that may affect your business.

3. General GDPR information (FAQ)

What is GDPR?
The GDPR is a new law aimed at giving EU citizens more control over their data. It will replace the Data Protection Directive of 1995. The GDPR governs the collection, storage, transmission and use of personal data. This means all ‘processing’ of personal data, including processing by tracking devices. Any company or organisation that processes data about its customers or clients therefore falls under this legislation. Personal information means any information that relates to a person (called the data subject). For EU citizens, it means they will have more control over their data. It regulates how businesses must process and store the personal data they collect.

Who does the GDPR affect?
The GDPR not only applies to organisations located within the EU, but it will also apply to organisations located outside of the EU if they offer goods or services to, or monitor the behaviour of, EU data subjects. It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location.

What constitutes personal data?
Any information related to a natural person or ‘Data Subject’, that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.

What is personal data?

Under the GDPR, personal data is any information relating to an identified or identifiable natural person. This person is referred to as the “data subject”. This includes obvious data such as name, address, email address and phone number, but also an IP address or data specific to the physical, physiological, genetic, economic, cultural or social identity of that natural person.

What is processing of personal data?

Processing means anything you can do with personal data and includes viewing, storing, changing, transferring and even deleting personal data.

What is the difference between a controller and a processor of personal data?

The controller is the person who determines the purpose and means of processing of personal data. The processor is a person who processes personal data on behalf of the controller and in accordance with the instructions and scope that the controller and processor have jointly agreed upon. Under the GDPR, Lightspeed is the controller of the personal data of its employees and of the personal data that directly concerns the contact persons of our merchants. Lightspeed is a processor of the personal data that merchants receive from their customers.

What are Lightspeed’s merchants’ obligations under GDPR?

Under GDPR, the merchants are the controller of the personal data of their customers. This means that as controllers, they are required to process data in accordance with GDPR. Some of the key points are:

  1. Determine what personal data is processed and for what purposes;
  2. Accommodate merchants’ rights in relation to the processed data;
  3. Ensure that the processed personal data is protected adequately;
  4. Establish a clear process to identify and report data breaches within the timeframes set out in GDPR;
  5. Conclude a data processing agreement with all third parties who process personal data on Lightspeed’s behalf;
  6. Inform the merchants, by means of a privacy policy, in a clear and understandable way on how their data is processed and what has been done to be compliant under GDPR.

What does GDPR say about processing personal data?

GDPR prescribes that in processing personal data the following principles should be taken into account:

  1. Personal data must be processed in a manner that is fair and transparent towards the data subject;
  2. Personal data may be collected for purposes that have been communicated to the data subject and for which you have a legitimate purpose;
  3. Personal data must be accurate and kept up to date; inaccurate data must be corrected or erased without delay;
  4. Personal data must be kept no longer than necessary;
  5. Personal data must be handled in a secure way.

What are Lightspeed’s obligations towards its merchants under GDPR?

Merchants have chosen Lightspeed as a processor of the personal data of their customers. This means that Lightspeed will assist them with their obligations as a controller. In addition, Lightspeed is the controller of any personal data that relates to the merchant directly. For more information on how we process the personal data relating to our direct merchants, please refer to the privacy policy located on our website.

What specific rights do individuals have in relation to the personal data that is processed under GDPR?

An individual has the following rights (each of which are explained later in this document):

  • Right of information and access
  • Right to rectification
  • Right of portability
  • Right to object
  • Right to erasure
  • Right to restriction of processing

The controller of the personal data is responsible for addressing these requests, but Lightspeed, as a processor, will assist its merchants in that regard. Any request from a merchant in relation to the above-listed rights should be followed up within one (1) month of the request. For complex or substantial requests, the term may be extended by an additional month.

What does the right to information and access to personal data mean?

Upon request, an individual must be informed about the personal data that is being processed. A copy of the personal data undergoing processing shall be provided, free of charge. In addition, the following information must be provided:

  • the purposes of processing
  • the categories of data processed
  • the recipients or categories of recipients
  • the envisaged retention period, or, if not possible, the criteria used to determine this period
  • the individual’s rights in relation to personal data

What does the right to rectification of personal data mean?

An individual may require incorrect personal data to be rectified.

What does the right of portability of personal data mean?

An individual may require personal data to be provided in a structured, commonly-used and machine-readable form so that it may be transferred to another data controller without undue burden.

What does the right to object to processing of personal data mean?

An individual does not have the right to object to the processing of personal data in general, but may object to the following processing activities:

  • Processing for direct marketing purposes
  • Processing for scientific, historical, research or statistical purposes

What does the right to erasure of personal data mean?

It means that an individual may require a controller to have personal data deleted if the processing fails to satisfy the requirements of GDPR. This may be the case under the following circumstances:

  • When the personal data is no longer necessary for the purpose for which it was collected;
  • Where an individual withdraws prior consent and there is no other justification for the processing;
  • Where an individual objects to the controller’s basis for processing the data;
  • When the data is otherwise unlawfully processed.

What does the right to restriction of processing of personal data mean?

This right gives an individual an alternative to the right to erasure and allows the individual to require data to be restricted from further processing when the processing is challenged. Such a challenge may occur if the individual disputes the accuracy of the data or has objected to the processing. Restriction means that the controller may only store the data and may not further process it unless the individual gives consent, or the processing is necessary for legal claims.

How is Lightspeed helping merchants with the data subject rights of customers?

Lightspeed will assist merchants with appropriate technical and organisational measures with responding to requests. This means that if a request is received from a customer, merchants can easily redirect it to Lightspeed for additional assistance. The exact procedure to file a data subject request with Lightspeed will follow soon.

How is Lightspeed protecting the personal data it processes?

Lightspeed has taken both technical and organisational measures to ensure that all the data that we process is adequately protected.

What is a data breach?

Any incident where there is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to personal data.

What does Lightspeed do in the event it suffers a data breach?

Lightspeed has an internal data breach policy in place which enables it to adequately react in the event of a data breach. Lightspeed’s actions are, briefly, the following:

  1. Identify the source of the data breach;
  2. Contain the breach and take all necessary measures to protect data;
  3. Notify the involved data controller without undue delay after becoming aware of the data breach;
  4. Assess to what extent measures need to be taken to prevent a similar data breach in the future.

It is the controller’s obligation to notify the supervisory authorities without undue delay and, where feasible, within 72 hours after becoming aware of the breach. A notification is not necessary if the breach is unlikely to result in a risk to the rights and freedoms of natural persons.

It is also the controller’s obligation to notify the individuals who are affected by the data breach. The notification is not necessary if the breach is unlikely to result in a high risk to the rights and freedoms of the individuals, or if appropriate technical and organisational protection measures were in place at the time of the incident.

Does Lightspeed use sub-processors?

Lightspeed uses AWS and KPN to store and protect our data. For these services, Lightspeed has entered into agreements with these sub-processors to ensure that they process the personal data with at least the same level of security as Lightspeed does.

Is Lightspeed transferring data outside the European Economic Area?

Lightspeed uses AWS servers in the USA to store data from merchants relating to Lightspeed Retail. The GDPR requires that if data is transferred outside the European Economic Area (EEA), Lightspeed shall ensure that the recipient of the data provides the same level of protection that processors inside the EEA are bound by. The European Commission has recognised certification under the EU-US Privacy Shield Principles as a form of adequate protection. Lightspeed has signed an agreement with AWS confirming that they are certified under and bound by the EU-US Privacy Shield Principles and therefore offer an adequate form of protection for the personal data that they receive from Lightspeed. Lightspeed is currently certified under the Privacy Shield as well.

Is Lightspeed going to offer two-step authentication?

Lightspeed is continuously evaluating and improving its security infrastructure to safeguard against unauthorised or unlawful processing of personal data. At this moment we do not have any concrete plans to implement two-step authentication.

Do Lightspeed’s customers need to sign an additional agreement with Lightspeed before 25 May 2018?

The GDPR requires that a controller enters into a data processing agreement with each processor. Lightspeed will act as a processor for the personal data received from merchants’ customers because it is stored in Lightspeed software products. Lightspeed will offer its merchants the opportunity to sign its standard data processing agreement before 25 May 2018. In this agreement, Lightspeed sets out the purposes for which it may process merchants’ personal data and the measures taken to protect such data.

What is a Data Processing Agreement?

A data processing agreement sets out the relationship between the controller and the processor. It describes what personal data the processor may process on behalf of the controller and for what purposes it shall do so. It also describes the technical and organisational measures that the processor has taken to make sure that its processing activities meet the requirements of the GDPR and that the rights of individuals are adequately protected.

How long can personal data be kept?

The GDPR does not give a specific term for keeping personal data, but indicates that personal data should be retained no longer than necessary in relation to the purpose for which such data is processed. There is also an exception allowing certain personal data to be kept longer where the law requires it.

How many years will Lightspeed retain the personal data it processes?

Lightspeed aims to retain personal data no longer than necessary for the purpose for which such data is received and processed. The length of the period differs per type of personal data. More details on our data retention policy will follow soon.

Is the current cookie bar compliant with GDPR?

The GDPR does not specifically address any requirements for cookie bars. However, under the GDPR merchants need to have a legal ground for the processing of data. If the cookies used involve the processing of personal data of merchants’ customers and/or visitors, you need to ensure that you have a valid ground for doing so. The explicit consent of the merchant’s customer or visitor, which can be obtained by having them actively accept the use of cookies, can be seen as a valid ground.