Synergist and GDPR

The General Data Protection Regulation (“GDPR”) is the new legal framework that will come into effect on the 25th of May 2018  The focus of the GDPR is the protection of personal data, i.e. data about individuals, and sets out the responsibilities of businesses in relation to processing (collection, storage, transmission and use) of this personal data.

Steps that Synergist has taken to ensure compliance

ISO 27001 certification

Synergist has been awarded ISO 27001 certification.

ISO 27001 is the international best practice standard for information security, and is a certifiable standard that is broad-based and encompasses the three essential aspects of a comprehensive information security regime: people, processes and technology. 

An organisation implementing measures to protect information using this three-pronged approach verifies that it is able to defend itself from not only technology-based risks, but other, more common threats, such as poorly informed staff or ineffective procedures.

ISO 27001 mandates that organisations conduct a thorough risk assessment by identifying threats and vulnerabilities that can affect an organisation’s information assets, and to take steps to assure the confidentiality, availability and integrity (CIA) of that data.

The GDPR specifically requires a risk assessment to ensure an organisation has identified risks that can impact personal data. This has been completed with updates made to our policies, procedures and processes where required including an updated privacy policy.

How using Synergist helps ensure compliance

Ensuring compliance with the GDPR is the responsibility of every organisation and a great opportunity to review and document procedures to ensure personal data is being protected. Whilst the use of Synergist can’t in itself ensure compliance with the GDPR, we’ve introduced numerous features to make it easier for Synergist users to achieve compliance.

These include:

  • The addition of fields to store details of opt in records for marketing communication preferences on contacts in addition to existing opt out records.
  • Facility to record source of opt in info.
  • Facility to record verification of opt in status with date and user stamp.
  • Automatic logging of changes to opt in info in history field for each contact.
  • Batch selection of contacts either by status or from a list of email addresses.
  • Batch update of contacts with consent changes.
  • Additional data cleardown options for inactive contact data.
  • Contact export facility including all personal data.

Many of these features were introduced in Synergist v12.2 and are more fully detailed in the release notes.

Some key aspects of GDPR

1. EU-based people and their data

GDPR applies to any personal data about people based in the EU. This includes any individuals you collect personal data on, such as customers / clients, suppliers and employees.

Personal data includes things like names, contact details, bank account or credit / debit card details and medical information.

2. The right to know

For some years, individuals have had the right to ask businesses what information is held on them. This continues under GDPR and is tightened up to the extent that businesses must respond to requests within a month.

Supporting Synergist Features

You can search for individuals by name from either the client or supplier contact list. Once located you have the option of exporting the data you hold on that person to a .csv file by using the 'Export option'. Synergist allows you to restrict which of the users of your system has access to the 'export' facility.

3. The right to erase

Customers can ask a business to delete all personal data stored about them, unless the information is needed for legal reasons such as under tax regulations.

Supporting Synergist Features

From the client (including prospects and leads) and supplier contact list there is a facility to delete one or more selected contacts. If the records can't be deleted because they are linked to other records (e.g. the person involved was the contact on a job) then their personal data can be overwritten with 'XXXXXX').

4. Collecting personal data

Under GDPR you can only collect personal data if your reason is legal, for example to satisfy a contractual obligation. Even then, you must make it clear what the data is for, and you have to restrict your use of it for that purpose.

Supporting Synergist Features

Although Synergist will not be the primary system where people are giving permission for you to process their data (this is likely to be your website content management system or mailshotting / inbound marketing system) for many of our customers Synergist is their master contact database. For this reason we have added features to enable you to store their opt in and communication preferences and dates permission was given, the source of the permission, along with an automatic history of any changes made and by whom.

5. Data retention

GDPR states that personal data shall be kept for no longer than is necessary for the purposes for which it is being processed. You will therefore need to decide how long you hold personal information for in different scenarios (e.g. an enquiry that does not become an active prospect) and have a mechanism for removing older personal records.

Supporting Synergist Features

Synergist includes a powerful contact filtering tool to identify such records and a clear down facility to remove the key data fields likely to hold personal data. This allows these records to be identified en-masse and removed as a periodic batch process by a user.

6. Data portability

Individuals can ask for a digital copy of their personal data for any reason, even if it is to help them move to a new supplier.

Supporting Synergist Features

See 'Data Portability' above. The 'Export' facility creates a .csv file of the data stored in Synergist for that contact, showing both the standard fields and any user specific fields you have created for that contact.

7. Data breaches

If certain types of breach do occur, you are obliged to report them to the appropriate supervisory authority.

8. Data protection and data security

You need to ensure that personal data is processed in a manner that ensures appropriate technical and organisational security. To achieve this you should keep the data you process secure and ensure you have appropriate information security policies and procedures in place. This applies to electronic and paper records as well as physical security.

For on-premise Synergist customers

You need to ensure that your Synergist server and the computers from which you access it along with your network are suitably secure. If necessary check with your IT support.

For Synergist Cloud customers

The security of your data is of the upmost importance to us and our reputation as a provider of cloud based business management systems depends on us maintaining this. Your Synergist cloud instance is managed by ourselves and hosted in the AWS (Amazon Web Services) cloud.  Your data never leaves the AWS environment in our processing of it. AWS was selected as the platform for the Synergist Cloud based on their commitment to Security by Design. If you wish to read more about SbD and the AWS cloud / GDPR click here. For security reasons we do not publish the details of the Synergist Cloud security measures, but we are happy to discuss these with clients if you have specific questions or requirements. Although we manage the security to the Synergist Cloud and enforce only encrypted communication with the Synergist Cloud from users machines, you still need to ensure that the devices from which you access your Synergist Cloud system and user credentials are kept secure, so if necessary check with your IT support.

Checklist for businesses

  • Find out which of your services collect personal data.
  • Make sure you can comply with GDPR, including having a legal basis for processing the data.
  • Review your customer / client contracts.
  • Check your notices -- internal and external -- of compliance.
  • Make someone in your team responsible for GDPR compliance and data security.
  • Give training to your team.


The UK Information Commissioner's Office (ICO) – 12 steps to prepare for GDPR.

The Federation of Small Business (FSB) – How to prepare for GDPR.

The Agency Works

Our exclusive UK implementation partner

Providing on-site demonstrations, training, experience and consultation.