systems@work & GDPR Compliance
On 25 May 2018, new European data protection legislation comes into force.
In summary, the GDPR is designed to strengthen the rights of individuals regarding their personal data and is intended to unify data protection laws across Europe. These laws are intended to protect EU citizens and will apply regardless of where a users data is processed.
- Enhanced Privacy Rights
- Increased Organisational Obligations To Protect Data
- Mandatory Breach Reporting
- Increased Penalties For Non Compliance
systems@work is committed to GDPR compliance across all our products and services. In addition we will work closely with our clients and partners as they rollout their GDPR compliance strategy in preparation for May 2018.
This statement is intended to provide information to our clients using:
- expense@work On Premise Expense Management Software for SunSystems.
- expense@work On Premise Expense Management Software for Microsoft Dynamics 365.
- time@work On Premise Time Recording and PSA Software for SunSystems.
- time@work On Premise Time Recording and PSA Software for Microsoft Dynamics 365.
- expense@work Cloud Edition Expense Management Software for SunSystems.
- expense@work Cloud Edition Expense Management Software for Microsoft Dynamics 365.
- time@work Cloud Edition Time Recording and PSA Software for SunSystems.
- time@work Cloud Edition Time Recording and PSA Software for Microsoft Dynamics 365.
- expense@work, forms@work and time@work On Premise and Cloud Editions for SAP, Coda, and other Financial Software Systems.
How Will GDPR Impact systems@work Clients?
The extent to which GDPR will impact you as a systems@work client will depend in part on the way in which our software is deployed and used in your organisation.
This is because GDPR makes a distinction between two types of roles:
- Data Controller - The organisation which determines the purposes and means of processing personal data.
- Data Processor - The organisation which processes data on behalf of the data controller.
There are a number of ways in which systems@work software may be deployed and used in your organisation:
- On Premise - In this scenario systems@work software is installed and run on servers within your own organisational control. For the purposes of GDPR your organisation will be both the Data Controller and the Data Processor.
- Cloud - In this scenario systems@work software is installed and run on servers hosted in an external data centre. For the purposes of GDPR your organisation may (intentionally or unintentionally) split the duties, roles and responsibilities of Data Controller and Data Processor with the company who manages your hosted environments. In some cases this will be systems@work but in others it may be a 3rd party provider contracted directly with you. A further complication may arise when the company who manages your environment is themselves using the services of 3rd party SAAS and IAAS providers (for example Microsoft, Amazon or Google).
Data controllers will be responsible for implementing the necessary technical and organisational policies to demonstrate and ensure that any data processing performed is carried out in compliance with the GDPR.
These obligations will relate to general principles such as:
- Fulfilling an employee or other data subjects’ rights with respect to their data.
- The accuracy of the data.
- Data minimisation.
- Limitation of purpose.
- Transparency & fairness.
systems@work Product Security
systems@work products have a number of tools and configuration options which can be utilised to further protect employee and other personal data against unauthorised or unlawful processing. These tools include:
- These can be used to restrict the options available to administrators relating to employee and user data.
Single Sign On
- Linking systems@work login’s to Active Directory and other SSO directories allows for centralised control and policy enforcement.
- Our software can enforce password expiry, minimum length and format to improve overall system security.
Preparing For GDPR
- Communication - Ensure that all systems@work software Administrators in your organisation, are aware of the changes in their obligations and that of your organisation because of GDPR.
- Data Held - You should document all personal data held in systems@work software. You should also document where it was obtained from and who is permitted access to this data. You should also document procedures detailing how long this information is retained.
- Privacy Notices - You should ensure that all privacy notices relating to information held in systems@work software are reviewed and updated where necessary.
- End User Rights - Ensure that there are procedures in place which document and explain to individuals their rights relating to data you hold about them in systems@work software. You should specify the circumstances under which data can be deleted or provided to them and also the format in which that data is provided and the timescales involved.
- End User Consent - You should have a properly documented procedure in place that seeks, records and manages the consent to hold employee (or non employee) data that is held in systems@work software.
- Data Breaches - Ensure that the right procedures are in place to detect, report and investigate any data breaches. If you are hosting systems@work software on premise then this will be an internally managed procedure. However if your systems@work software is hosted by a 3rd party, including systems@work then its important to ensure your procedures dovetail with your provider.
- Training - Ensure that your systems@work Administrators are adequately trained in the security features of systems@work software. Such training should be done in cooperation with your organisations Data Protection Officer to ensure wider compliance.
Recommended Next Steps Summary
- Know Your Obligations Under GDPR
- Review All Data Held In systems@work Software
- Assess Current Controls
- Take Advice
- Contact Us
It is vital that you seek independent legal advice relating to your obligations and your status under the GDPR as only an accredited legal professional with knowledge of your organisation can provide you with legal advice specifically tailored to your situation. Nothing in this article or on the systems@work website is intended to provide you with this legal advice.