The General Data Protection Regulation (GDPR) came into force on the 25th May 2018, replacing the existing data protection framework under the EU Data Protection Directive.
As a regulation, it will not generally require transposition into Irish law (regulations have ‘direct effect’), so organisations involved in data processing of any sort need to be aware the regulation addresses them directly in terms of the obligations it imposes. The GDPR emphasises transparency, security and accountability by data controllers and processors, while at the same time standardising and strengthening the right of European citizens to data privacy.
What bxp software can offer
We have tools which make this issue, put simply, “not an issue” and help your business work better.
We also have a dedicated IT security and data protection officer in Thomas Glennon, who has worked with us for over 9 years.
https://ie.linkedin.com/in/thomas-glennon-5053b291
We have extensive and operational knowledge of the issues and have written over 40,000 words of documentation on security, protection and data management.
Our GDPR transfer guide for new clients means:
- that you have a professional to chat to,
- who is here to help and
- is invested in your challenges,
- working from an auditable checklist honed by guided experience.
GDPR is not just one outbreak or illness (or one set of laws); it concerns the health, growth and well-being of your business. Our case studies, glowing references and the clients who trust us daily prove that bxp is about partnership, not supply and demand. https://www.bxpsoftware.com/blog/
Email us at sales@bxpsoftware.com or phone us on 01 4294000. You’ve already got someone to learn from.
The biggest change in GDPR is that compliance is no longer just your business’s responsibility but also your suppliers’. So stop having suppliers and have an invested partner who wants to cover your business, knows you and wants to work with you.
Your Challenges
As we move into the time of GDPR, businesses are faced with far reaching choices. Gone are the days of the traditional business selling their products and skills. Focusing on just one thing is no longer an option.
Five-year-olds are being brought before the law
- Welcome to 2017: five-year-old fined £150 for lemonade stand
- http://www.bbc.com/news/uk-england-london-40679075
Even blue chip businesses face legal, risk, compliance and security challenges. Recent ransomware attacks have highlighted globally the threat of cybersecurity.
You have systems, processes and a business’s natural resistance to change. IT budgets are overstretched and there aren’t enough hours in the day. A lack of knowledge and awareness makes it a subject that is just one straw too many, especially at a time when so many businesses are fighting just to keep revenue figures up. What can be done?
Some of our clients had black-and-green-screen systems that wouldn’t talk to anything. Some clients are still using Windows 2000 and Windows XP.
How do we help specifically with your GDPR compliance?
http://gdprandyou.ie/organisations/
- Become aware: bxp training programs with monthly updates, everything you need to know done by someone who does it every day
- Becoming accountable: bxp provides instant audit logs and makes working with systems a matter of clicks not nightmares
- Communicating with Staff and Service Users: We’ve got tools for that and can work with your marketing teams to make it a benefit for your customers
- Personal Privacy Rights: Would scheduled automated tools which remove Personally Identifiable Information automatically with emailed reports help? It takes away risk and provides auditability for everyone
- How will Access Requests change: Easily managed with ticketing solutions, website integrations and SMS and email integration solutions, with little to no overhead to your business
- What we mean when we talk about a “Legal Basis”: When businesses see “Legal”, they think “lawyer”. Bxp and the team understand the law and are here to translate for everyone, especially you. Remember, under GDPR your supplier is just as responsible for their solutions.
- Using Customer Consent as grounds to process data: Big data, dark data, why data? Get information, not data. What businesses need is information, not data. Let our dashboards and drill-down reports give you the insight you actually need.
- Processing Children’s data: Whether a child, a patient, a relative of a patient or a customer, knowing what can and can’t be done just needs experience and auditability. Let us help. We’ve done this, and more than once!
- Data Protection Impact Assessments (DPIA) and Data Protection by Design and Default: What bxp was built for. With every aspect of the system built for security, availability and auditability, bxp is an instant tick in the box. Our clients audit us all the time, as we do ourselves… we can make the paperwork simply go away. No one likes audits, but we do!
- Reporting Data Breaches: As a business you’d rather not have to at all. How about a team who can help and know just what to do when you need some help?
- Data Protection Officers: Not police, just knowledgeable. Glad to help. Who’s your fire officer, health and safety officer, social media officer? Let us keep you up to date on what you need to know.
- International Organisations and the GDPR. bxp supplies all across the globe and especially into the UK and Europe. Brexit will add complexity but not impossibility. Make your business run better.
Let us make your business better. Make the informed choice, simpler, quicker and right for you. We look forward to helping you.
Email us at sales@bxpsoftware.com or phone us on 01 4294000. You’ve already got someone to learn from.
Data Retention
All n One will never supply data to anyone who is not their client. System Champions are the primary contacts for security gatekeeping practices as well as organisational clarity and support. If a client needs to retrieve data from the system, it is available through a number of reports, lookup / search facilities and data export tools, all of which have audit histories.
How long you retain data varies greatly with requirement. You will need to establish for your organisation how long you can retain data. It will be important to differentiate between active customers, former customers and prospect customers. Active, former and prospect can also be applied to any synonym for a person: member, staff, patient, student.
The easiest way to find out what your obligations are is to get in touch with your local data protection commissioner, who can advise you. Alternatively, you could consult data protection lawyers or specialist data protection consultants, though they will probably charge for their services.
As a result of those conversations you will need to develop a “data protection policy” for your organisation. This will spell out your data retention requirements.
As a best practice, it should:
- Identify all sources of personal data and be updated regularly (circa monthly)
- State the physical location of the data
- State the primary function of the data, the reasons for retaining it and the duration of retention
- State how access control to that data is maintained
- State how security is managed on that data
- Appoint a person internal to the organisation to be responsible for data protection matters (DPO: Data Protection Officer)
- Ensure the DPO is trained formally according to jurisdictional laws and on an ongoing basis
- Provide a clear mechanism for raising internal and external queries with the DPO, with a Service Level Agreement on responding to queries
- Have an organisation statement on data retention and management, which is recognised by all staff and suppliers interacting with the data
- Have operational policies and procedures on how the data is managed
- Have quality control checks to ensure policies are being followed
The use of data and Marketing Permissions
Storing data requires management of the data. The simple question always boils down to “what do you want to do with the data”.
Customer data of active customers is perfectly legitimate to retain. Just focus on what constitutes “active”.
Data of former customers will have a retention period applied. Local law will dictate what is required and where.
Potential customers may ask for their data to be removed but there is no pressure on the organisation to remove data.
The primary use of retained data only becomes an issue when marketing or communications are to be performed operationally, e.g. we want to do a mail shot or bulk text message. When this need arises, a special record of “Marketing Permissions” must be kept with the data. The person must explicitly grant permission (“I agree to be communicated with”) and that permission must be recorded. Marketing permissions are a separate area of law from data protection law.
http://en.wikipedia.org/wiki/Permission_marketing
In Ireland, direct marketing also falls to the Data Protection Commissioner. http://www.dataprotection.ie/docs/DIRECT-MARKETING-A-GENERAL-GUIDE-FOR-DATA-CONTROLLERS/905.htm
The basic rule that applies to direct marketing is that you need the consent of the individual to use their personal data for direct marketing purposes. As a minimum, an individual must be given a right to refuse such use of their personal data both at the time the data is collected (an “opt-out”) and, in the case of direct marketing by electronic means, on every subsequent marketing message. The “opt-out” right must be free of charge. You must also make clear who you are and where you obtained the individual’s personal data (where this is not obvious).
- Active person – may be communicated freely with, if in relation to provision of the product or service.
- Former person – may be communicated with, providing clear option of “opt-out”
- Potential person – must be told up front about communication, with an explicit “opt-in” option. The default position must be considered to be “opting out”.
If you have existing data that was captured when marketing permissions weren’t required, e.g. in Ireland before 1990, explicit marketing permission will need to be sought.
For former and potential persons, separate permissions must be sought for:
- By Post
- By Phone
- By Email
- By SMS
It is considered courteous to give current persons the option of choosing how they would like to be communicated with at the start of the relationship, with the option to change it during the relationship.
Currently social media allows for the person to block the organisation, so explicit social media permissions are not currently sought (as of July 2014).
For example: I have a bunch of mobile numbers and I’d like to text them all. You must first categorise them, ensure you have permission and then carefully word the message to allow opt-out. Failure to do so can result in €3,000 per contact, up to a maximum fine of €100,000.
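The bulk-text example above, worked through as code. This is an added illustration, not a bxp tool or anything from the original page: it models the three categories (active, former, potential), the per-channel permissions (post, phone, email, SMS), the default opt-out position and the requirement that each outgoing message identify the sender and offer an opt-out. The contacts, the sender name “ExampleCo” and the opt-out wording are constructed for the example.

```python
"""Consent gate for a bulk message, modelled on the rules described on the page.

Added example (not bxp code). Sample contacts, the sender name and the
opt-out wording are constructed for illustration.
"""
from dataclasses import dataclass, field
from enum import Enum


class Status(Enum):
    ACTIVE = "active"        # current customer / member / patient / student
    FORMER = "former"        # relationship has ended
    POTENTIAL = "potential"  # prospect, no relationship yet


# Separate permission must be recorded for each channel.
CHANNELS = ("post", "phone", "email", "sms")

SENDER_NAME = "ExampleCo"  # constructed placeholder: the message must say who you are
OPT_OUT_TEXT = {
    "sms": "Reply STOP to opt out.",
    "email": "Click the unsubscribe link to opt out.",
    "phone": "You may ask not to be called again.",
    "post": "Write to us to opt out.",
}


@dataclass
class Contact:
    contact_id: str
    status: Status
    # Channels the person explicitly agreed to ("I agree to be communicated with").
    # Anything not recorded here is treated as the default position: opted out.
    permissions: dict = field(default_factory=dict)
    # A recorded refusal of marketing on any channel.
    opted_out: bool = False


def may_contact(contact, channel, service_message=False):
    """Decide whether one contact may be messaged on one channel.

    Returns (allowed, reason). service_message=True means the message is about
    providing the product or service, not marketing.
    """
    if channel not in CHANNELS:
        raise ValueError(f"unknown channel: {channel}")
    # Active persons may be communicated with freely about the service itself.
    if contact.status is Status.ACTIVE and service_message:
        return True, "active person, service communication"
    # Everything else is direct marketing: an opt-out must be honoured ...
    if contact.opted_out:
        return False, "opted out"
    # ... and only a recorded, channel-specific permission allows the send.
    if contact.permissions.get(channel):
        return True, f"explicit {channel} permission recorded"
    return False, f"no recorded {channel} permission (default is opt-out)"


def plan_campaign(contacts, channel, service_message=False):
    """Split a contact list into (send, skip) lists of (contact_id, reason)."""
    send, skip = [], []
    for c in contacts:
        allowed, reason = may_contact(c, channel, service_message)
        (send if allowed else skip).append((c.contact_id, reason))
    return send, skip


def compose_message(body, channel):
    """Word the message so the sender is clear and opt-out is offered every time."""
    return f"{SENDER_NAME}: {body} {OPT_OUT_TEXT[channel]}"


# Constructed sample data.
SAMPLE_CONTACTS = [
    Contact("c1", Status.ACTIVE),                                   # no marketing permission
    Contact("c2", Status.FORMER, permissions={"sms": True}),        # agreed to SMS
    Contact("c3", Status.POTENTIAL),                                # never asked: opted out
    Contact("c4", Status.FORMER, permissions={"sms": True}, opted_out=True),
    Contact("c5", Status.POTENTIAL, permissions={"email": True}),   # email only, not SMS
]

if __name__ == "__main__":
    send, skip = plan_campaign(SAMPLE_CONTACTS, "sms")
    print("send:", send)
    print("skip:", skip)
    print(compose_message("Our spring offers are now available.", "sms"))
```

Run as-is, only c2 is eligible for a marketing text; c1 (active, but no marketing permission), c3 (never asked), c4 (opted out) and c5 (permission for a different channel) are all skipped with a reason that can be logged for auditability. With `service_message=True`, c1 also qualifies, matching the page's rule that active persons may be contacted freely about the service itself.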
Summary proceedings for an offence under the Data Protection Act may be brought and prosecuted by the Data Protection Commissioner. Under section 31 of the Acts, the maximum fine on summary conviction of such an offence is set at €3,000. On convictions on indictment, the maximum penalty is a fine of €100,000. http://www.dataprotection.ie/docs/Offences_and_Penalties_under_the_Data_Protection_Act/97.htm
This law is actively upheld. http://www.irishexaminer.com/ireland/phone-companies-fined-for-unsolicited-calls-and-texts-251440.html
Check out how bxp tools assist with data protection
https://www.bxpsoftware.com/wixi/index.php/Data_Protection_and_Data_Retention