The General Data Protection Regulation (GDPR) is the European replacement for the Data Protection Act. It became law on 25th May 2018. The purpose of the act is to protect sensitive customer data and control the use of said data.
If your organisation holds any personal details of any individual, then it is a requirement that you put in place a project to assess what requirements there are for you to comply with the legislation.
The definition of personal data is very broad and includes any information relating to an identified or identifiable person. A name, email address or phone number counts as personal data and therefore means that you would have to comply with the legislation. Effectively this means that every single company will have to undertake a GDPR project to document what data is held, where it is held and how it is used.
GDPR is not something that you can simply rely on your suppliers to provide compliance for on your behalf; it is your legal responsibility to ensure you are fully compliant. Every company should initiate a GDPR assessment project prior to May 2018.
Booksolve have initiated a GDPR project. This has been split into two sections:
Data Audit: Booksolve will be providing details of all the customer information that is held in our packages. As a company it is essential that you know what personal information may be held in each and every software package you use, have installed or store data from.
Data Security: It is a requirement that the data files of any system are managed securely. This includes the backup (disaster recovery) policy, and it is your obligation to ensure the security of data, including the use of encryption for any data off your premises (‘in transit’).
Drive encryption: We recommend that all servers hosting Booksolve SQL databases use a disk drive encryption program (BitLocker or similar).
SSL/TLS Certificates: All website pages that manage customer data should be secure and use an https:// URL. This means every website must now have a valid certificate.
Right to data access: Individuals have the right to request a copy of any data related to them in a simple electronic format. Booksolve will be adding a simple report that allows this data to be listed for a specified customer in a form that is easy to send out to them.
Right to erasure: Individuals have the right to request the erasure of any data related to them (where that does not contradict the legal requirements to maintain a historical audit). Booksolve will be adding a new function that will allow this to be done by anonymising all personal data for the individual in live data.
Right to rectification: Individuals have the right to the correction of any incorrect data held on them. We expect this to be possible in standard Booksolve screens in the vast majority of cases. If any data is requested to be removed that cannot be managed that way, then the Booksolve helpdesk should be contacted; we have a policy statement to manage that internally.
Consent: It is now the case that explicit consent is required for the use of any personal data. Websites must be designed to ensure that consent is obtained for each and every use of data. No tick boxes can be ticked by default, or consent hidden in a link to terms and conditions.
Export of Data: Where Booksolve exports data to third-party systems that do not support encrypted or secure transmission methods, it is the responsibility of the Booksolve customer to decide if the export is to continue or be disabled. An example is home fulfilment supply by a third party, where the export contains the name and address of customers to send the product out to.
Offsite Backup Service: The Booksolve offsite FTP backup service is being updated so that all data is fully encrypted (AES 256-bit) and only transported over secure FTP.
Data in Transit: Any copies of customer Booksolve databases will be encrypted by Booksolve before being taken off-site. No data will be stored in an unencrypted format on any computers in the Booksolve offices.
Working Copies: In the case of live data being required for testing or analysis in the Booksolve offices, Booksolve will ensure that any restored database will have a procedure run that will anonymise any customer data in the database.
Impact Analysis: Booksolve will be required to carry out a ‘Data Protection Impact Assessment’ when moving or working on customer databases containing live customer data. This will include the creation of test rigs or supply of data to third parties.
If, in the process of your GDPR project, you require additional information from Booksolve then please contact our helpdesk.
An internal company policy is required to cover the discovery of a data breach. A data breach could be a hack into your system, or a leak of data while ‘in transit’. The policy must include reporting the breach to the correct authority within 72 hours of discovery.
Official EU GDPR Document:
http://data.consilium.europa.eu/doc/document/ST-5419-2016-INIT/en/pdf
UK Information Commissioner’s Office page on GDPR, including ‘12 Steps to Take Now’ section:
https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/