GDPR ready

By | May 3, 2018 has been working  close to one year preparing for the GDPR regulations. has been working hard over the last year to prepare for the new European GDPR regulation, and prepare the system so that it helps also the users of the system to become GDPR ready. Here is a list that describes in some details what has been done. Much of the documentation work has been done by our security officer while he has also been keeping a tight grip on development so that our system is compliant to the strict regulations. All system feature and changes are planned for launch latest in the 3rd week of May but some see the light sooner.

  • all processes have been mapped out
  • plans have been made
  • server security has been hardened even further
  • all staff that comes near any personal information needs to show clean criminal records and sign Non disclosure agreements
  • back up procedures have been changed to minimize personal information storage for deleted systems
  • privacy policy has been made in much more details
  • terms & conditions have been changed
  • GDRP processor-controller contract has been prepared
  • all suppliers have been scrutinised and some have been dropped just for security’s sake

There have also been done various system changes to make our user’s more compliant with GDPR regulations. There are both changes that make the security enhanced so that our users are better protected in case someone gets hold of their equipment, and changes so that user’s permission for client’s data and communication is more clear.

  • 4 custom features are now available for free for all
    • Double authentication module, for enhanced login security into systems. It is very important that users embrace this quickly as the most likely cause of data breach is probably that someone gets hold of equipment virtually or in reality that enables them access to the system and the data.
    • Terms&Conditions module, where users can set their own T&C along with Privacy policy where they detail in human readable language (not in some legal blah) how they plan to use the data.
    • Cancellation policy module, where users can detail how their cancellation policy is enforced.
    • Delete history module, that enables users to set how long data is needed to be kept on data subjects that have made bookings within the system. If you do not need to keep the data, then this tool is great to auto delete data after for example 30 days since booking is completed. If users have set up client login, use membership etc, then this module should not be used.
  • No direct access for support team. Upon activation of double authentication, the does not have any access to the user’s system which can be bad if you need quick assistance but also enhances security. Although all of staff that can come in contact with personal information have clean criminal records and have signed an NDA, access now becomes restricted and the only way for them to gain access is if the user gives them temporary code so they can help them out with settings if needed.
  • From admin interface there is now access to 3 groups of personal data
    These groups are Company info (usually available on the internet for all to see), System users info (usually available on the internet for all to see so clients can choose them to book), and most importantly client info (never available on the internet for other than system users to see). Each of these groups has an easy to use interface where every single bit of information stored in the system is printed on the screen, or can be exported into a structured JSON report. Additionally, upon request, all client details can be deleted with the use of a simple button. These records can only be accessed by users after simple authentication procedure by re-entering password. If they have double authentication, they will be asked for verification code to get access. Because client data is often part of statistical information about sales and bookings, the data is not all deleted but made completely unrecognisable but still kept usable for stats. This is very important.
  • One of the most delicate information in the system are patient details, and these are usually stored in a component called SOAP. The SOAP component has now been enhanced to be encoded at rest so that no one can have access to this information, even if they break in to the user’s system, or even into servers UNLESS they have the secret key. This key can be kept on an USB drive, or in a computer’s folder. It is never stored on servers. Just make sure that the computer is well protected, so that if it is stolen, thieves would not have easy access to the hard disk. Same applies to the USB drive, this can also be encrypted with a code that only you remember.
  • Emails have unsubscribe links and this has now also been added to the promotions emails so clients that have unsubscribed to get these messages will not be receiving them. This has though fortunately not been a problem as clients are generally happy to receive promotions from their favorite providers.

For users that want to harden security even more, there is the HIPAA feature that can be enabled for premium subscriptions. This feature allows users to set automatic system log out after predefined time, like 20 minutes after system was being used. It also allows users to get notifications upon each login into the system. Furthermore, this feature disables personal data to be sent over email or SMS, it removes client’s names and information from these notifications, making it harder for snoopers to see personal data.

It is also recommended for users to harden the security on mobile devices using long passwords, and automatic deletion of phone data when there is several wrong passwords entries. This will avoid thiefs getting hold of double authentication access code.

All users should set auto screen lock to decrease the risk of snooping from people that may be browsing the work place. Here is a link that describes how this can be done on Windows based computers:

Here is a link to good article from PayPal about how GDPR affects anyone handling personal data from subjects in EU, and what steps to take.

Remember that your are responsible for the privacy policy towards your own clients and no one can make this for you, as this is something you decide. Make it in a clear concise manner so that your clients understand how you plan to treat their data and explain what measure you take to make their data safe. 

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.