The General Data Protection Regulation (“GDPR”) is the new legal framework that comes into effect on the 25th of May 2018. The focus of the GDPR is the protection of personal data, i.e. data about individuals; it sets out the responsibilities of businesses in relation to the processing (collection, storage, transmission and use) of this personal data.
Synergist has been awarded ISO 27001 certification.
ISO 27001 is the international best practice standard for information security, and is a certifiable standard that is broad-based and encompasses the three essential aspects of a comprehensive information security regime: people, processes and technology.
An organisation implementing measures to protect information using this three-pronged approach verifies that it is able to defend itself from not only technology-based risks, but other, more common threats, such as poorly informed staff or ineffective procedures.
ISO 27001 mandates that organisations conduct a thorough risk assessment, identifying the threats and vulnerabilities that can affect an organisation’s information assets, and take steps to assure the confidentiality, integrity and availability (CIA) of that data.
The GDPR specifically requires a risk assessment to ensure an organisation has identified the risks that can impact personal data. This has been completed, with updates made to our policies, procedures and processes where required, including an updated privacy policy.
Ensuring compliance with the GDPR is the responsibility of every organisation and a great opportunity to review and document procedures to ensure personal data is being protected. Whilst the use of Synergist can’t in itself ensure compliance with the GDPR, we’ve introduced numerous features to make it easier for Synergist users to achieve compliance.
These include:
Many of these features were introduced in Synergist v12.2 and are more fully detailed in the release notes.
GDPR applies to any personal data about people based in the EU. This includes any individuals you collect personal data on, such as customers / clients, suppliers and employees.
Personal data includes things like names, contact details, bank account or credit / debit card details and medical information.
For some years, individuals have had the right to ask businesses what information is held on them. This continues under GDPR and is tightened up to the extent that businesses must respond to requests within a month.
You can search for individuals by name from either the client or supplier contact list. Once located, you have the option of exporting the data you hold on that person to a .csv file by using the 'Export' option. The 'Export' facility creates a .csv file of the data stored in Synergist for that contact, showing both the standard fields and any user-specific fields you have created for that contact. Synergist allows you to restrict which of the users of your system have access to the 'Export' facility.
Customers can ask a business to delete all personal data stored about them, unless the information is needed for legal reasons such as under tax regulations.
From the client (including prospects and leads) and supplier contact lists there is a facility to delete one or more selected contacts. If the records can't be deleted because they are linked to other records (e.g. the person involved was the contact on a job), then their personal data can be overwritten with 'XXXXXX'.
Under GDPR you can only collect personal data if your reason is legal, for example to satisfy a contractual obligation. Even then, you must make it clear what the data is for, and you have to restrict your use of it for that purpose.
Although Synergist will not be the primary system in which people give permission for you to process their data (this is likely to be your website content management system or your mailshotting / inbound marketing system), for many of our customers Synergist is their master contact database. For this reason we have added features to enable you to store their opt-in and communication preferences, the date permission was given and the source of the permission, along with an automatic history of any changes made and by whom.
GDPR states that personal data shall be kept for no longer than is necessary for the purposes for which it is being processed. You will therefore need to decide how long you hold personal information for in different scenarios (e.g. an enquiry that does not become an active prospect) and have a mechanism for removing older personal records.
Synergist includes a powerful contact filtering tool to identify such records and a clear-down facility to remove the key data fields likely to hold personal data. This allows these records to be identified en masse and removed as a periodic batch process by a user.
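The erasure behaviour described above (delete a contact outright if nothing references it, otherwise overwrite its personal fields with 'XXXXXX' so linked job records keep a valid reference) and the retention clear-down (find stale contacts and apply the same routine as a batch) follow one pattern. The following is an added illustration of that pattern, not Synergist's own code: the contact fields, the two-year retention period, the job-link table and the sample contacts are all constructed assumptions, and the per-record history mirrors the "who changed what, and when" audit the page mentions.

```python
import csv
import io
from dataclasses import dataclass, field
from datetime import date, timedelta

REDACTED = "XXXXXX"                         # overwrite value named on the page
PERSONAL_FIELDS = ("name", "email", "phone")  # assumed set of personal-data fields


@dataclass
class Contact:
    contact_id: int
    name: str
    email: str
    phone: str
    last_activity: date
    history: list = field(default_factory=list)  # (date, actor, action) audit entries


class ContactStore:
    """Toy contact database with a job table that references contacts by id."""

    def __init__(self, contacts, job_contact_ids):
        self.contacts = {c.contact_id: c for c in contacts}
        self.job_contact_ids = set(job_contact_ids)  # ids still referenced by jobs

    def is_linked(self, contact_id):
        return contact_id in self.job_contact_ids

    def export_row(self, contact_id):
        """Subject-access export: one CSV line of the fields held for a contact."""
        c = self.contacts[contact_id]
        buf = io.StringIO()
        csv.writer(buf).writerow([c.contact_id, c.name, c.email, c.phone, c.last_activity])
        return buf.getvalue().strip()

    def erase(self, contact_id, actor, today):
        """Right-to-erasure handling. Returns the action taken for auditing."""
        contact = self.contacts.get(contact_id)
        if contact is None:
            return "not_found"
        if not self.is_linked(contact_id):
            del self.contacts[contact_id]      # hard delete: nothing else refers to it
            return "deleted"
        # Linked: keep the row (referential integrity) but remove the personal data.
        for name in PERSONAL_FIELDS:
            setattr(contact, name, REDACTED)
        contact.history.append((today, actor, "redacted"))
        return "redacted"

    def clear_down(self, retention, actor, today):
        """Retention batch: erase every contact idle for longer than `retention`."""
        stale = [cid for cid, c in self.contacts.items()
                 if today - c.last_activity > retention]
        return {cid: self.erase(cid, actor, today) for cid in stale}


def build_sample_store():
    # Constructed sample data: contact 1 is the named contact on a job, 2 and 3 are not.
    contacts = [
        Contact(1, "A. Example", "a@example.invalid", "01234 000001", date(2018, 1, 1)),
        Contact(2, "B. Example", "b@example.invalid", "01234 000002", date(2017, 6, 1)),
        Contact(3, "C. Example", "c@example.invalid", "01234 000003", date(2015, 1, 1)),
    ]
    return ContactStore(contacts, job_contact_ids=[1])


if __name__ == "__main__":
    store = build_sample_store()
    today = date(2018, 5, 25)
    print(store.export_row(1))
    print("erase 1:", store.erase(1, "dpo", today), store.contacts[1])
    print("erase 2:", store.erase(2, "dpo", today))
    print("clear-down:", store.clear_down(timedelta(days=730), "dpo", today))
```

The point a reviewer should check in any real implementation is the branch on `is_linked`: a contact that a job still references must not be hard-deleted, but the redaction must cover every field that can hold personal data, not only the name.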
Individuals can ask for a digital copy of their personal data for any reason, even if it is to help them move to a new supplier.
You can search for individuals by name from either the client or supplier contact list. Once located, you have the option of exporting the data you hold on that person to a .csv file by using the 'Export' option. The 'Export' facility creates a .csv file of the data stored in Synergist for that contact, showing both the standard fields and any user-specific fields you have created for that contact. Synergist allows you to restrict which of the users of your system have access to the 'Export' facility.
If certain types of breach do occur, you are obliged to report them to the appropriate supervisory authority.
You need to ensure that personal data is processed in a manner that ensures appropriate technical and organisational security. To achieve this you should keep the data you process secure and ensure you have appropriate information security policies and procedures in place. This applies to electronic and paper records as well as physical security.
For on-premise Synergist customers
You need to ensure that your Synergist server, the computers from which you access it and your network are suitably secure. If necessary, check with your IT support.
For Synergist Cloud customers
The security of your data is of the utmost importance to us, and our reputation as a provider of cloud-based business management systems depends on us maintaining this. Your Synergist Cloud instance is managed by ourselves and hosted in the AWS (Amazon Web Services) cloud. Your data never leaves the AWS environment in our processing of it. AWS was selected as the platform for the Synergist Cloud based on their commitment to Security by Design (SbD); further material on SbD and GDPR in the AWS cloud is available from AWS. For security reasons we do not publish the details of the Synergist Cloud security measures, but we are happy to discuss these with clients who have specific questions or requirements. Although we manage the security of the Synergist Cloud and enforce only encrypted communication with it from users' machines, you still need to ensure that the devices from which you access your Synergist Cloud system, and your user credentials, are kept secure, so if necessary check with your IT support.