On 25 May 2018, new European data protection legislation comes into force.
In summary, the GDPR is designed to strengthen the rights of individuals regarding their personal data and is intended to unify data protection laws across Europe. These laws are intended to protect EU citizens and will apply regardless of where a users data is processed.
- Enhanced Privacy Rights
- Increased Organisational Obligations To Protect Data
- Mandatory Breach Reporting
- Increased Penalties For Non Compliance
[email protected] is committed to GDPR compliance across all our products and services. In addition we will work closely with our clients and partners as they rollout their GDPR compliance strategy in preparation for May 2018.
This statement is intended to provide information to our clients using:
- [email protected] On Premise Expense Management Software for SunSystems.
- [email protected] On Premise Expense Management Software for Microsoft Dynamics 365.
- [email protected] On Premise Time Recording and PSA Software for SunSystems.
- [email protected] On Premise Time Recording and PSA Software for Microsoft Dynamics 365.
- [email protected] Cloud Edition Expense Management Software for SunSystems.
- [email protected] Cloud Edition Expense Management Software for Microsoft Dynamics 365.
- [email protected] Cloud Edition Time Recording and PSA Software for SunSystems.
- [email protected] Cloud Edition Time Recording and PSA Software for Microsoft Dynamics 365.
- [email protected], [email protected] and [email protected] On Premise and Cloud Editions for SAP, Coda, and other Financial Software Systems.
How Will GDPR Impact [email protected] Clients?
The extent to which GDPR will impact you as a [email protected] client will depend in part on the way in which our software is deployed and used in your organisation.
This is because GDPR makes a distinction between two types of roles:
- Data Controller - The organisation which determines the purposes and means of processing personal data.
- Data Processor - The organisation which processes data on behalf of the data controller.
There are a number of ways in which [email protected] software may be deployed and used in your organisation:
- On Premise - In this scenario [email protected] software is installed and run on servers within your own organisational control. For the purposes of GDPR your organisation will be both the Data Controller and the Data Processor.
- Cloud - In this scenario [email protected] software is installed and run on servers hosted in an external data centre. For the purposes of GDPR your organisation may (intentionally or unintentionally) split the duties, roles and responsibilities of Data Controller and Data Processor with the company who manages your hosted environments. In some cases this will be [email protected] but in others it may be a 3rd party provider contracted directly with you. A further complication may arise when the company who manages your environment is themselves using the services of 3rd party SAAS and IAAS providers (for example Microsoft, Amazon or Google).
Data controllers will be responsible for implementing the necessary technical and organisational policies to demonstrate and ensure that any data processing performed is carried out in compliance with the GDPR.
These obligations will relate to general principles such as:
- Fulfilling an employee or other data subjects’ rights with respect to their data.
- The accuracy of the data.
- Data minimisation.
- Limitation of purpose.
- Transparency & fairness.
[email protected] Product Security
[email protected] products have a number of tools and configuration options which can be utilised to further protect employee and other personal data against unauthorised or unlawful processing. These tools include:
- These can be used to restrict the options available to administrators relating to employee and user data.
Single Sign On
- Linking [email protected] login’s to Active Directory and other SSO directories allows for centralised control and policy enforcement.
- Our software can enforce password expiry, minimum length and format to improve overall system security.
Preparing For GDPR
- Communication - Ensure that all [email protected] software Administrators in your organisation, are aware of the changes in their obligations and that of your organisation because of GDPR.
- Data Held - You should document all personal data held in [email protected] software. You should also document where it was obtained from and who is permitted access to this data. You should also document procedures detailing how long this information is retained.
- Privacy Notices - You should ensure that all privacy notices relating to information held in [email protected] software are reviewed and updated where necessary.
- End User Rights - Ensure that there are procedures in place which document and explain to individuals their rights relating to data you hold about them in [email protected] software. You should specify the circumstances under which data can be deleted or provided to them and also the format in which that data is provided and the timescales involved.
- End User Consent - You should have a properly documented procedure in place that seeks, records and manages the consent to hold employee (or non employee) data that is held in [email protected] software.
- Data Breaches - Ensure that the right procedures are in place to detect, report and investigate any data breaches. If you are hosting [email protected] software on premise then this will be an internally managed procedure. However if your [email protected] software is hosted by a 3rd party, including [email protected] then its important to ensure your procedures dovetail with your provider.
- Training - Ensure that your [email protected] Administrators are adequately trained in the security features of [email protected] software. Such training should be done in cooperation with your organisations Data Protection Officer to ensure wider compliance.
Recommended Next Steps Summary
- Know Your Obligations Under GDPR
- Review All Data Held In [email protected] Software
- Assess Current Controls
- Take Advice
- Contact Us
It is vital that you seek independent legal advice relating to your obligations and your status under the GDPR as only an accredited legal professional with knowledge of your organisation can provide you with legal advice specifically tailored to your situation. Nothing in this article or on the [email protected] website is intended to provide you with this legal advice.