CCR2 GDPR




with a data subject – whether already on file or obtained after 25 May 2018. If a business trades within the EU, or offers services to EU residents, it will need to comply with GDPR regulations.


What consent is required? Consent is specific, granular, clear, opted-in, prominent, and documented. Historically, organisations would take an opt-in stance unless the given individuals involved expressly opted out. GDPR is quite the opposite. Prior consent will be required in order to comply with the new rules, and consent can be withdrawn or challenged by the individual at any time.


How long can we retain data? Data should be current and accurate. It should only be kept for as long as is necessary and only for the purpose of its processing (intended purpose), beyond which it should be deleted. Individuals do have the ‘right of erasure’, unless there is an overriding legitimate interest for holding such.

March 2018


Must we protect the data? Precautionary measures must be taken to ensure data is not at risk of being accessed or inappropriately used. Techniques like encryption can help limit the impact of any breach.


What about deleting financial data? Financially-related data can be kept on legitimate grounds, such as HMRC record keeping, or when direct-debit originators need to retain data for indemnity claims. Data-retention policies should also be properly documented.


Whose job is this? Knowledge of data protection is the responsibility of all company departments. Under the GDPR, you will also be able to appoint a data-protection officer (DPO) who will then take on the overall responsibility for the company’s data-protection approach.

www.CCRMagazine.com


What should I do next? Understand what data you have, why, who processes it, where it is stored, whether it is consented, and how long to retain it. Start a GDPR-compliance program, and educate staff on the obligations and risks.


Where can I get more information? We have produced a recorded webinar that looks at our approach to our own products. This may be of help to you in your preparations and it is available at this link: https://go.bottomline.com/GDPRWebinar Resources.html. Alternatively, you may wish to seek some guidance from a GDPR-specialist firm, if you are not certain of how you should progress.

