Making Staff Squared GDPR Compliant
22nd March 2018
As of 25th May 2018, the law surrounding data protection and processing is changing. The new General Data Protection Regulation (GDPR) is a European regulation which will apply in all EU member states, and will succeed the Data Protection Act 1998 to bring data into line with previously unforeseen ways in which data is now used. GDPR will cover many areas in relation to data protection, and is being implemented to better enable individuals to control their personal data. It also places new obligations on organisations to be more accountable for the data they handle and process.
Many concepts and principles of the Data Protection Act 1998 remain much the same within the new GDPR, which is good news if you are a company fully compliant of the DPA, as this means that you already have a steady foundation to expand from. Although, there are certain additions being introduced with the new law.
Some key changes outlined by GDPR are as follows:
- Territorial scope increase, applicable to all companies that process personal data belonging to people within the European Union, regardless of the company’s location in the world.
- Consent may be revoked by data controllers at any time, and data processors must abide by this without question.
- Data breaches that come to the attention of any person must be reported within the first 72 hours of the issue being recognised.
- Fines of up to €20 million (approximately £18 million), or 4% of a company’s total global annual turnover can be implemented for non-compliance.
To read more changes that will be coming into play as of 25th May, visit the ICO website: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/.
Alternatively, see our ‘GDPR – Getting to Grips with the new Law’ blog post for more information on GDPR.
Currently, Staff Squared stands fully compliant with the laws outlined in the DPA, and we are working tirelessly to build on the policies and procedures already in place to bring us in line with the new GDPR.
We are cracking down on our data retention policies, meaning that any personal data stored by Staff Squared will only be kept while it is needed for us to provide our services.
If at any time a customer chooses to close their account (or a trial account is not upgraded after it expires), we will only keep the information relating to the account for up to ninety days following its closure.
Only once an account has been closed and the ninety-day period has transpired, we may anonymise certain information and retain this for statistical purposes.
As a very integral part of the new GDPR, there is a greatly defined shared responsibility between Data Controllers and Data Processors to ensure data security. Because of this shift in applicability within data protection law, we recognise that the ability to request access to information stored in relation to any one person must be readily available to them.
Moving forward, a new Subject Access Request (SAR) report option will be added to Staff Squared’s existing Reports page, which will allow Admin users to submit a SAR for any number of employees. We will then process these requests and collate all the required information, including personal information entered to a profile, absence records and wall posts.
Once this is complete, the Admin user requesting the SAR report will receive an email and dashboard notification, informing them that the report is ready to download along with a link to access it. This report will expire after a set period of time to ensure maximum security of the enclosed information.
Similar to our pre-existing HR Audit log, we are currently working on a new, separate report option which will detail any and all actions completed by an Admin user while impersonating another user’s account.
To go that extra mile in ensuring that your data is safe and protected, we are encrypting all of the data within the Staff Squared database ‘at rest’, meaning that if (in the extremely unlike event) our database was somehow compromised, the person/s would not be able to read the data in plain text, rendering the data worthless to them.
At present, the only restriction we enforce on users when creating a password is that it must exceed six characters. However, with the network of ways in which we use the internet consistently changing, people are becoming smarter and more skilled in replicating account passwords, creating a very serious data security issue; and for this exact reason, we are going to be introducing complex passwords to Staff Squared.
All existing Staff Squared users will not be affected by this change; however, if at any point they (along with new users) wish to reset their password, they will be required to set one that is consisting of a combination of different characters, and will also experience character restrictions, i.e. the use of simple patterns or number sequences.
With the implementation of complex passwords, we are able to make sure that our customers are kept safe, and their data is secure.
In support of the introduction of complex passwords, we are also working to implement a two-factor authentication feature to our log in process. This will require users to download an authentication app on their phones, which will generate a code to enter upon logging in to their accounts.
If you do not clearly specify terms and conditions, you place your business in a position of uncertainty and misunderstanding – so it is vital that you are positive that your users have fully read and understood the T&Cs of the service you are providing to them. Not only does it protect their rights as a consumer, but it gives you and your company a sense of security.
While Staff Squared clearly details its T&Cs in the sign-up process, there is currently no feature that directs new users to accept these. Moving forward, we will be introducing a tick box feature, requiring all new users to confirm that they have read, understood and agree to our terms and conditions before they are able to continue with their sign-up.
Staff Squared is already Cyber Security Essentials certified; however, we are always striving to be as secure and compliant as possible, and will, therefore, be enhancing this standard to Cyber Security Plus by June 2018. We are also currently pursuing an ISO27001 accreditation, for which we will be externally assessed in 2018.
If you have any questions regarding Staff Squared and our approach to processing data in compliance with the new GDPR laws, please email email@example.com
The term ‘processing’ is very broad and covers an extensive list of operations that could be performed on, to or with information or data. This could include, but is not limited to, the organisation, retrieval and disclosure of the information or data. This clarifies that Data Protection law applies wherever an organisation does anything that involves or effects information or data. ‘Automated processing’ – anything on a computer.
A data controller dictates how and why personal data is processed. They are the decision maker; for instance, a customer or an organisation.
A data processor is the party doing the actual processing of the data; for instance, an IT company or a payroll services provider who are storing and processing the data provided.
The data processor tends to blindly process data in accordance with the data controller’s wishes. For example: Customers of Staff Squared are the data controllers and Staff Squared itself is the data processor.
Consent in terms of data processing, means specific and informed indication of how any data should be used and processed.
A breach of security that leads to accidental, unauthorised or unlawful loss, access, alteration or disclosure of personal data.
The distinction of who, what and where the new GDPR covers.
Subject Access Request
A written request from an individual to see information held on them, which must be responded to by the Data Processor within forty days of receipt.
ICO – Information Commissioner’s Office
A UK based, non-departmental public body which supplies information rights in the interest of the public.