A year has passed since the biggest change to data protection laws in Europe for more than two decades came into law.
On May 25, 2018 the new General Data Protection Regulation (GDPR) came into force. It was a move designed to make companies more accountable for the data they hold. The regulations themselves supersede the Data Protection Act (DPA) of 1998, which was created long before we witnessed the data revolution sparked by the mass use of the internet. The DPA rapidly became outdated, unfit for purpose and unable to cope with technological development. As such, the aim of GDPR is to give individuals more control over their personal information as well as simplifying and modernising the protection of data.
And it’s GDPR that brought data privacy to the public's attention alongside recent data breaches related to large companies like Facebook. But data protection has always been a top priority for any serious business dealing with large amounts of sensitive data. With data becoming an increasingly important commodity, and with the amount of data being processed growing by the day, data protection is receiving more attention.
Staying compliant with GDPR
Many businesses undertook a huge body of work to prepare for GDPR and viewed the date the regulation came into law as being the end of the project. Nothing could be further from the truth. Data protection, and staying compliant with GDPR, requires constant work.
Here are the key things you should consider in order to stay compliant with GDPR:
1. Most importantly, every business controlling and/or processing personal data needs to fully understand and appreciate that they are entrusted with handling highly valuable assets (personal data). It is therefore key to understand basic data subject rights. The personal information that makes up your data belongs to the data subject; treat it with respect.
2. Following this insight, the business can (and should) create and enforce controls to protect these assets throughout the entire business. It is important to understand that data security and access control alone are not enough: everyone in the business needs to know what part they play in protecting data.
3. Test your reporting process in the event of a problem (e.g. internal breach escalation and subject access requests).
4. Have the correct policies and procedures in place and ensure all employees and suppliers have understood them.
5. Train your staff to understand and identify data risks.
What we do at Quinyx
Most workforce management systems on the market are going to store different amounts of personal data about your employees. That’s why it’s imperative you understand how this data is stored and protected. Here’s what we do at Quinyx:
- Access control is a central part of our product and makes sure only authorised users can access personal data.
- We have regular and recurring training in GDPR.
- We utilise the rigorous security mechanisms of AWS (Amazon Web Services).
- Data privacy by design and security by design are implemented throughout the whole Change Release Management process, and data protection and security are part of all impact assessments when adding a feature or making a change to the product.
- We have well documented and tested routines for any type of incident, including data breaches.
In summary (and in order to avoid the hefty fines which can follow if your business isn’t compliant with GDPR), you firstly need to ensure everything you do internally is ‘by the book’ and documented, communicated to your staff, and tested.
Secondly, when working with external suppliers like a workforce management provider, you need to be certain of their own process and the measures they have in place to safely look after your data.