General Data Protection Regulations – GDPR
On 25 May 2018, the new EU data protection regulation enters into force. It places new demands on everyone who handles personal data – both in regard to administration and IT systems.
What is personal data?
Personal data is all data that can be tracked to an individual, i.e. names, addresses, employee numbers, email addresses etc.
How should I handle personal data?
In general, you must have a person’s consent to handle their data, you must be able to account for how and why you handle their data, and last but not least, you are obliged to remove the person’s data when you no longer have the right to use it.
Ventu cannot advise specifically on the legal aspects of the GDPR, so for further information we recommend that you seek out help from your legal adviser.
How does Microbizz support me with the GDPR?
In the Q1 2018 version of Microbizz, we have added a long list of features that can help you on a daily basis to work with the GDPR.
We have defined the following modules as potentially containing personal data: Person, CRM and user.
Deletion vs. deactivation of data
Until now, Microbizz has had a principle of data never being completely deleted, but rather deactivated, so that it could be retrieved later if it had been deleted by mistake.
This principle cannot be maintained according to the GDPR, so therefore the term “to delete” will now mean that data is deleted forever and cannot be re-established in any way, while adjusting the term to e.g. “to deactivate” for data that is not to be completely deleted.
As you must be able to account for how long personal data has been stored, you should know that data can live for up to 3 months in Microbizz’ backup systems before being destroyed completely. If for example you have agreed that you must only keep personal data for two years, you must therefore ensure that data is removed from Microbizz after 1 year and 9 months in order to comply with such an agreement.
Definition of personal data
A new point has been added in the settings menu in each module called “personal data”. Under this, you have the opportunity, amongst other things, to define which fields you store personal data in, which is done by highlighting the desired fields in the list. This is used among other things for the anonymization of data (see later).
Expiration of personal data
As it is in breach of the GDPR simply to keep personal data for an unlimited time, we have now introduced a feature that will ensure the automatic expiration of personal data. Basically, we have placed an expiration date on the individual pieces of data, e.g. all people.
If the field is not filled out, this means that the data never expires, otherwise data will expire at the indicated time.
It is possible to configure whether a date should be filled out automatically when you enter new data.
Handling of personal data that has expired
When personal data expires, you can select per module what will happen to it, which also happens under the new GDPR point.
Here, you have three options:
Nothing will happen automatically. You will just be able to see that the date has been exceeded.
Anonymize the data
All fields that are marked as containing personal data, as previously, will be anonymized. So, if for example it read: “John Smith” in the field, then this would be replaced with “Person name 1”, so that the data object itself is retained, but the personal data is destroyed. This can be preferable should you wish to save other data for statistical purposes.
Delete the data
This will delete the data, so that the data will no longer be available. This applies to the entire object and not only the fields marked as containing personal data.
Filtering of expiration dates
The field “expiration date” is a field just like all the others in the object, so for example you can set up a filter on your front page that shows all the objects that are about to expire, and thus can decide whether they should be extended or destroyed completely.
People have a right to ask for access to the data you have stored on them.
For this reason, we have created an “access” menu item for all data objects, which quickly and efficiently lists all the data that is found in Microbizz that relates to the data object.
- This tab shows the logical linking of data, so the function cannot predict for example whether a person is mentioned by name in a note concerning another data object.
- Be aware that the person’s right to access is superficial, understood to mean that even if you have registered that the person takes part in a meeting at a given point in time, for example, then you do not need to provide any further information on the meeting, e.g. agenda, who else took part etc. so the access function in Microbizz has been deliberately made rudimentary.
- You can choose to withhold information if for example it is considered confidential. In general, this function shows all registered data, but this does not necessarily mean that the person has the right to see all the data. Any censoring is handled manually however.
The right to deletion
In certain situations, a person has the right to have their data deleted, which is why we have added a function for deleting data on all data objects. Note again that this means a complete destruction of data and not just a deactivation, so this data cannot be re-established.
Note that under the GDPR it is not permitted to make tests using genuine personal data – unless it is crucial to the test that genuine personal data is presented.
This is relevant to our customers that have a test solution added to an operational solution.
In order to accommodate this, we have produced a function which, globally as part of a complete solution, can anonymize all data marked as personal data, so that you can quickly create a valid test basis.
Support vs. advice
Note that our support staff have been specially instructed not to offer advice on the GDPR, as this is a legal topic. That is to say that our support team can advise you in how to operate the above functions, but they cannot advise you in whether a specific field can be considered as personal data, or how long you may keep a specific piece of data for – in these cases we will refer you to the company’s legal adviser.