On the 25th May 2018, the new European data protection legislation comes into force.
General Data Protection Regulation, known as GDPR, is the most significant data protection legislation to be introduced in the past 20 years and will replace the 1995 EU Data Protection Directive. The key changes are here.
In summary, GDPR is designed to strengthen the rights of individuals regarding their personal data and is intended to unify data protection laws across Europe. These laws are intended to protect EU citizens and will apply regardless of where a user’s data is processed.
EBI Software is committed to GDPR compliance across all our products and services before the regulation becomes effective. In addition, we will work closely with our clients and partners as they roll-out their GDPR compliance strategy in preparation for the 25th of May 2018.
How will GDPR impact EBI Software clients?
The extent to which GDPR will impact you as a EBI Software client will depend in part on the way in which our supplied software is deployed and used in your organisation and also whether EBI Software are providing you with a business application software support and maintenance service. This is because GDPR makes a distinction between two types of roles:
- Data Controller – The organisation which determines the purposes and means of processing personal data.
- Data Processor – The organisation which processes data on behalf of the data controller.
Firstly we must identify who owns the roles of Data Controller and Data Processor based on how the EBI Software supplied business application software is deployed.
There are a number of ways in which EBI Software supplied software may be deployed and consumed or used in your organisation:
- On Premise – In this scenario EBI Software supplied software is installed and run on servers within your own organisational control. For the purposes of GDPR your organisation will most likely (unless you outsource the administration of the servers or the day to day running of your software) be both the Data Controller and the Data Processor.
- Non EBI supplied Cloud – In this scenario EBI Software supplied software is installed and run on servers hosted in an external data centre. For the purposes of GDPR your organisation may (intentionally or unintentionally) split the duties, roles and responsibilities of Data Controller and Data Processor with the company who manages your hosted environments. A further complication may arise when the company who manages your environment is themselves using the services of 3rd party SAAS and IAAS providers (for example Microsoft, Amazon or Google). EBI Software are neither Data Controller nor Data Processor.
- EBI supplied Cloud – In this scenario EBI Software supplied software is installed and run on servers managed and administrated by EBI in datacentres selected by EBI . For the purposes of GDPR and in context to the business software applications that EBI support for your organisation, the duties and responsibilities of Data Controller and Data Processor are split with EBI. EBI Software will act in some instances only as Data Processor but at all times the customer will act as Data Controller as EBI Software only ever act on behalf of the customer and are supplied and instructed at all times by personal details of customer employees that are then used to set up secure audited access to the business software applications installed for the customer use on the EBI managed servers. The Hosting centre where EBI’s servers are located has their own GDPR and security procedures which control physical access.
Secondly, we must consider who owns the role of Data Controller and Data Processor when EBI Software support consultants engage with the customers employees and log onto the customers business application software during the process of providing either a software support and maintenance update service or consultancy.
Our support service is the core service provided to all EBI Software customers and requires that EBI Software retain contact details of several Customer employees on EBI’s centralised Software Helpdesk system and also on EBI centralised ERP system.
In this respect, EBI Software act as part Data Processor for the customer who at all times acts as Data Controller.
EBI Software only ever holds several key fields of data on each employee that the customer identifies to EBI s being a person we can contact in order to provide the software support and maintenance service. EBI only ever hold valid contact details (name, role, business email address, business telephone contact numbers) of these identified customer employees in a password protected, secure access, fully audited ERP system.
The EBI Software Support team have a documented process for these customer employee details to be added, amended and deleted on written request by the customer who is the Data Controller.
Only selected members of the EBI management team are authorised to produce a report containing lists of these customer employee details on request by the customer identified Data Controller who in turn can also act as the link between any of their employees who may require the details of their personal data held on EBI Software Support applications to be produced, amended or deleted.
Please note that Data Controllers will be responsible for implementing the necessary technical and organisational policies to demonstrate and ensure that any data processing performed is carried out in compliance with the GDPR.
These obligations will relate to general principles such as:
Fulfilling an employee or other data subjects’ rights with respect to their data.
The accuracy of the data
Limitation of purpose
Transparency & fairness
EBI Software supplied software Product Security
EBI Software supplied software products have a number of tools and configuration options which can be utilised to further protect employee and other personal data against unauthorised or unlawful processing. These tools include:
These can be used to restrict the options available to administrators relating to employee and user data.
Single Sign On
Linking EBI Software supplied software login’s to Active Directory and other SSO directories allows for centralised control and policy enforcement.
The supplied software can enforce password expiry, minimum length and format to improve overall system security.
Recommended Next Steps
Know your obligations under GDPR
Review all data related to employees, customers and suppliers held in EBI Software supplied software applications
Assess current controls for access to and access within the software applications (do they need review and tightening?)
o Understand how the supplied software has secure access and data access controls managing access to personal details held within the software
o Document processes to view, add, amend or delete such data within the business application software
Assess current process for providing EBI with employee details necessary for EBI Software support team to provide their business software application support and maintenance service
o Ensure documented internal process to request EBI to view, add, amend or delete employee details from the EBI Software support helpdesk and their ERP system
Contact EBI Software at GDPR@EBI-software.co.uk for further assistance.
It is vital that you seek independent legal advice relating to your obligations and your status under the GDPR as only an accredited legal professional with knowledge of your organisation can provide you with legal advice specifically tailored to your situation. Nothing in this document, or on the EBI Software website is intended to provide you with this legal advice.