Skip to main content

General Data Protection Regulation (GDPR)

Learn about GDPR and how Epicor helps you comply.

Compliance is a Shared Responsibility

Epicor is committed to data security and privacy—for both itself and its customers and will comply with the General Data Protection Regulation (GDPR) as it comes into effect. While Epicor GDPR compliance will contribute to its customers GDPR compliance status, compliance is a shared responsibility.

Epicor is committed to assisting its customers in complying with the GDPR requirements and continues to work on enhancements to help support its own compliance and that of its customers.

Download GDPR Brief How Epicor Helps

What is GDPR?

Understanding the Basics of GDPR

The General Data Protection Regulation (GDPR) is a new legal framework that replaces the EU Data Protection Directive and is enforceable beginning on 25 May 2018. The purpose of the GDPR is to further protect the privacy rights of EU individuals by governing how organizations manage and protect personal data pertaining to EU persons, regardless of where the personal data is collected, transferred, stored, or processed. 

The GDPR has numerous changes from the existing law that affects how EU personal data should be handled and may impact every department across many businesses worldwide. It is expected to affect any organization that processes EU personal data for itself or on behalf of others, as well as suppliers and other third parties that may process EU personal data for organizations.

What does the GDPR provide?

The GDPR provides individuals with certain rights and controls over their personal data. The GDPR also requires transparency regarding an organization’s use of personal data and establishes security and other controls over how personal data is protected.

Who is impacted by the GDPR?

The requirements set out by the GDPR may apply to any organization processing EU personal data. These requirements may also apply to third parties and other suppliers that an organization may utilize to process personal data.

Will the GDPR impact organizations outside the EU?

The impact of the GDPR extends beyond the EU borders. It will potentially affect any organization—regardless of location if the organization collects, receives, processes or stores EU personal data. This regulation may have implications for any organization located outside the EU that collects or receives EU personal data.

What are the key principles of the GDPR?

The intent of the GDPR is to strengthen existing individual rights, introduce new rights, and give EU persons more control over their personal data. The basic principles of the GDPR are to:

  • Require transparency on the handling and use of personal data
  • Limit personal data processing to specified, legitimate purposes
  • Limit personal data collection and storage to intended purposes
  • Enable individuals to request in certain situations: access, correction, deletion (right to be forgotten), transfer of their personal data to a third party, restriction or objection to the processing of their personal data
  • Ensure personal data is protected using appropriate security measures
  • Limit the storage of personal data for only as long as necessary for its intended purpose

What do the GDPR principles mean to my business?

Individuals in the EU may have the right to know, among other things, if and how their personal data is being processed, used, shared and stored. Individuals also may have various other individual rights, such as being provided access to their personal data. When responding to such requests, the information must be provided to the individual in a way that is clear and understandable.

Individuals may also have the right to have personal data corrected or deleted. If a person no longer wants his or her data processed— and an organization does not have another lawful basis for keeping it—the data must be erased.

The GDPR also provides individuals in the EU with the right to know when personal data has been breached. The GDPR requires organizations to inform individuals of high risk data breaches, in addition to notifying the relevant data protection authorities.

GDPR Definitions

The GDPR uses several terms that may not be familiar or particularly clear. We have tried to simplify them.

Personal Data: Personal Data is at the heart of the GDPR, and the definition of personal data is broad. Examples of personal data include name, email address, phone number, physical address, device identifiers like IP addresses, geolocation information, health information, financial information, age, date of birth, etc. Despite the fact that data—such as an individual’s name or email address—might be available through public searches or other public records, it may be considered personal data that must be protected under the GDPR. Organization that have doubt about whether data associated with a person or a person’s device is or is not personal data commonly assume that it is.

Controller: A controller is an organization that determines how and for what purposes personal data is collected, used, processed, disclosed, and maintained. For example, when a company collects personal data directly from an individual, or receives personal data from a third party that collected it on behalf of the company, the company is commonly the controller.

Processing: Processing is an action performed on personal data—whether or not by automated means. This includes the collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction of personal data. Nearly anything that is done with personal data may be considered processing.

Processor: A processor is an organization which processes (e.g., collects, stores, uses, or discloses) personal data solely on behalf of a controller and in accordance with the instructions of a controller.

What do I need to think about regarding GDPR?

Your systems and software are important considerations when looking to meet the requirements of the GDPR, and should be part of adopting a robust organization-wide approach to GDPR compliance. Much of what is required to meet the requirements of the GDPR is process related, and organizations should consider the following:

  • Identify the personal data you have and where it resides
  • Implement robust governance on how personal data is accessed and used
  • Establish appropriate security controls to prevent, detect, and respond to data breaches and vulnerabilities
  • Respond to requests from individuals asserting their data protection rights (e.g. requests to provide an individual with a copy of their personal data)
  • Maintain documentation of compliance, including records of processing activities and responses to requests from individuals
  • Report any data breaches in a timely fashion, as required by law

What will Epicor provide me to help my organization comply with GDPR requirements?

Epicor is committed to data security and privacy—for both itself and its customers— around the world. Similar to other existing legal and regulatory requirements, Epicor takes its role as a Data Controller and Data Processor seriously.

GDPR compliance is a shared responsibility between Epicor and our customers. Epicor products and services can contribute to your GDPR compliance when they process personal data. For example, our products and services provide functionality to help meet individual rights requests. Products and services, including Epicor’s hosted solutions, have security measures and access controls. Organizations can incorporate the functionality and procedures in Epicor’s products and services to help them meet their GDPR compliance obligations.

Epicor is further committed to assisting our customers in complying with the various requirements applicable to their business— including GDPR. Thus, Epicor continues to monitor changing laws and best practices to help enhance our products, contracts, and documentation to help support our customers’ compliance with legal obligations—including the GDPR.

Connect With Epicor

Tell us about your unique goals and challenges so we can show you why Epicor software is a better fit. Contact us by phone, chat, or email. If you’re an existing customer, please log in to EpicCare