article image

GDPR is coming – we’re getting prepared. Are you?

11 April 2018

What is GDPR?

The General Data Protection Regulation (GDPR) is a regulation in EU law on data protection and privacy for all individuals within the European Union. This comes into force in May 2018 and tightens regulations on how businesses and organisations handle private customer data. 

What is a data controller?

The data controller is the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. 

What is a data processor?

The data processor is the natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller. 

A data processor is responsible for processing personal data on behalf of a controller.

MCR Systems processes personal data on behalf of its customers and is therefore considered the data processor for the purposes of GDPR.

MCR is registered as a data processor with the Information Commissioner's Office (ICO), registration number Z3130336 and is next due for renewal on 2nd April 2019.  It is still the client responsibility as the data owner to maintain their own registration with the ICO.

How does GPDR impact data held in Symphony?

The introduction of GDPR has meant that data processors, such as MCR Systems, require a high level of security when storing personal and sensitive data.  It also requires the introduction of new features such as providing information to data subjects on request and the right to be forgotten.  MCR Systems have been working hard to provide a new hosting platform with a high level of security as demonstrated by a recent assessment which shows we are PCI DSS compliant.  In addition, MCR Systems have been developing administration tools to work in Symphony to ensure our customers who use this system are GDPR compliant as well.

What developments are MCR working on to assist with compliance?

Data Subject Requests

Individuals have a right to be informed by an organisation if it is processing personal data that relates to them and, if so, to be told:

  • What personal data it is being processed.
  • The purposes for which the personal data is being processed.
  • Who, if anyone, the personal data is disclosed to.
  • The extent to which it is using the personal data for the purpose of making automated decisions relating to the data subject and, if so, what logic is being used for that purpose.


As part of the next software release the SymPAY administration tool will include a new feature to allow for authorised system administrators to produce a data subject report which will include all information held by a SymPAY account holder including Account record information, All Account Properties and the customers Transaction History.


Data Portability

The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services.

The Data subject report will include the capability to export the subject’s data in a suitable file format which will provide the source for responding to a data portability request.


Data Rectification

GDPR includes a right for individuals to have inaccurate personal data rectified, or completed if it is incomplete.

The Symphony Loyalty solution already allows for individuals to update their own information or for authorised system administrators to correct inaccurate information using the SymPAY administration tools.


Right to be forgotten

GDPR introduces a right for individuals to have personal data erased, or anonymised. Individuals can make a request for erasure verbally or in writing.  The Data controller has one month to respond to a request.

To ensure the integrity of financial information it is acceptable within the scope of GDPR to maintain the transactional information contained within the Symphony & SymPAY solutions.  However, to enable compliance data controllers must be able to erase all information relating to an individual.  As part of the next software release the SymPAY administration tool will include a new feature to allow for authorised system administrators to anonymise selected accounts.

In addition, for organisations using the SymPAY account management API an additional call will be made available to trigger the anonymise account activity.


Right to object

Individuals have the right to object to be included in profiling and digital marketing activities.

The Symphony Loyalty solution already allows for individuals to amend their communication profile and within the user settings function.


Restriction of processing

Individuals have the right to request the restriction or suppression of their personal data.

When processing is restricted, you are permitted to store the personal data, but not use it.

The Symphony Loyalty solution already allows for individuals accounts to be disabled which excludes further processing on the account.



GDPR has provisions on automated individual decision-making and profiling of an individual. The data subject should have the right not to be subject to a decision, which may include a measure, evaluating personal aspects relating to him or her which is based solely on automated processing and which produces legal effects concerning him or her or similarly significantly affects him or her.

Whilst the SymPAY solution does perform many profiling activities on individual’s data and makes automated decisions such as issuing a voucher on someone’s birthday, or providing a discount to members of a VIP customer group the GDPR regulations do allow for profiling activities to be carried out to fulfil the performance of a contract, but the data controller is required to be transparent on the use of the data collected Customers are therefore encouraged to review their SymPAY terms and conditions to ensure any planned profiling activities are covered in the agreement to join the scheme.


Security, Accountability and Record Keeping

Data processors and controllers are expected to put into place comprehensive but proportionate governance measures. these measures should minimise the risk of breaches and uphold the protection of personal data.

The SymPAY solution maintains an audit trail of all activity within the system furthermore MCR are currently in the process of updating its data hosting platform to ensure data security and integrity is to the highest possible standard.

The symphony user administration function already allows for configuration of accessing specific reports and features which allows data controllers to restrict which of their users have access to personal information, as an added enhancement the user configuration will be enhanced to ensure that reports which contain user sensitive information can only be accessed by named users who are specifically approved as privileged to access personal information.



GDPR sets a high standard for consent.  This means offering individuals real choice and control. Genuine consent should put individuals in charge, build customer trust and engagement, and enhance your reputation.

Consent requires a positive opt-in. Pre-ticked boxes or any other method of default consent should not be used. Consent requests should be kept separate from other terms and conditions and be specific such that you separate consent for separate things. Vague or blanket consent is not enough.

The SymPAY account registration process is being amended to allow for explicit opt in for marketing purposes at time of registration. In addition, MCR is adding the capability to trigger the opt in /out functionality from a bespoke URL POST solution enabling a communication mail shot to existing clients to encourage a more GDPR compliant opt in.

Request a Callback

If you would like to enter a message for a team please do so below, before clicking submit.

Thank You

A member of our team will be in touch soon...

Contact Us

Please use the form below to contact us, alternatively you can contact us using 0116 299 7000

Opt in to receive marketing communications: