Changes in MindaClient for GDPR

New GDPR features in MindaClient

GDPR

The General Data Protection Regulation (GDPR) very significantly increases the obligations and responsibilities for organisations and businesses in how they collect, use and protect personal data. At the centre of the new law is the requirement for organisations and businesses to be fully transparent about how they are using and safeguarding personal data, and to be able to demonstrate accountability for their data processing activities.

MindaClient sees the introduction of GDPR as an opportunity to enhance the protection of the personal data it processes and also to give all organisations who use MindaClient the tools to help them comply with the requirements of GDPR.

Caution: MindaClient does not make your company compliant with GDPR. It provides you with the tools to help you become compliant in accordance with your own GDPR policy.

1. Consent Management

GDPR requires businesses to have a purpose for collecting any personal information, and that purpose must rest on a lawful basis under Article 6, such as a contractual obligation, a legitimate interest in storing and using the data, or consent given by the data subject.

  Article 6 sets out the lawful bases for processing
  Article 7 deals with the conditions for consent
  Article 13 sets out the information to be provided where personal data are collected from the data subject

Whenever consent is the legal basis for collecting and storing personal data, Article 7(1) requires that the company be able to demonstrate that the person has given that consent.

Screenshot: MindaClient Client Profile screen

The new GDPR permissions are on the bottom right and there is a date field to record when you last checked the data. This helps you comply with the GDPR requirement to keep the data up to date.

For each person added to MindaClient you can digitally record consent and record the legal basis for storing the data, chosen from a predefined dropdown list. MindaClient also records who updated the information and when it was updated.

Using the new "Date Data Checked" field you can filter and contact your clients and contacts, for example to communicate with all clients whose "Date Data Checked" field has not been updated in the last two years.

2. Ongoing option to opt out

GDPR requires that when a contact has given their consent to receive marketing communications such as email or SMS from your company, they must always have the right to opt out of receiving future marketing communications.

  Article 21 gives the data subject the right to object, at any time, to processing for direct marketing purposes
  Article 18 deals with the restriction of processing

MindaClient now has a simple tickbox that is available for individual and bulk communication to clients. It is built into both the Email communication and the Text communication: tick the "Include Opt Out" tickbox and the recipient is given the option to opt out.

3. Data Retention

GDPR places a responsibility on data controllers to be clear about the length of time for which data will be kept and the reason why the information is being retained. Your company should have a defined policy on retention periods for all items of personal data kept.

  Article 17 deals with the right to erasure (‘right to be forgotten’)

Once you have decided what your policy is you can filter your clients in MindaClient and proceed to delete them based on your own criteria.

Screenshot: Bulk delete, searching for companies in the engineering sector that we haven't spoken to since 01/04/2016

This bulk delete facility is only available at Administration level. There are multiple checks built in to ensure that data is never deleted in error.

A change in MindaClient is that this data is instantly and completely deleted once you have confirmed twice. Previously, deleted data went into the archive section; to comply with GDPR the data is now fully deleted and no archive copy is kept.

To provide transparency, the audit trail records who carried out a bulk deletion, when it was carried out and how many clients were deleted.

Deletion of data is a final step and should be carried out in accordance with your own retention policy under GDPR.

There are other Data Cleansing housekeeping activities that should be carried out to ensure that your data is accurate and up to date as required by GDPR.

4. Data Cleansing

  Article 5 of the GDPR regulations requires that personal data shall be accurate and, where necessary, kept up to date

MindaClient provides facilities to help you keep your data accurate and up to date.

Bulk Updating

In MindaClient you can filter your clients and then carry out bulk updating on sections of your client base. Here are some examples of how this could be relevant to your company under GDPR.

  • For existing clients, you could update your clients and contacts to remove permission to communicate by Text, Email or printed labels.
  • You could filter a section of your clients and archive them at the end of the year.
  • You could assign all clients from one salesperson to another when staff leave.

Deduplicating data

MindaClient warns you if you are adding a client that already exists. However, if you do come across duplicated data you can combine the records using the Merge Client facility.

Deletion of clients

You can delete an individual client or you can delete clients in bulk as outlined above. You will always be prompted to confirm any deletion of data in MindaClient. Deletion of clients should always be in accordance with your GDPR policy.

5. Anonymising your Clients

Article 17 of the GDPR gives a person the right to erasure, also known as "the right to be forgotten". It states that the data subject has the right to obtain from the controller the erasure of personal data concerning him or her without undue delay, and that the controller has the obligation to erase personal data without undue delay.

  Article 16 outlines the right to rectification
  Article 17 outlines the right to erasure (‘right to be forgotten’)
  Article 19 details the notification obligation regarding rectification or erasure of personal data or restriction of processing

MindaClient has built a facility that lets you anonymise the personal information relating to both clients and contacts. You can anonymise an individual contact, or anonymise clients and contacts in bulk.

There are checks and confirmations in place to ensure that data is never anonymised without the user's express confirmation.

Anonymising of data is permanent and cannot be undone.

Anonymising a client or contact removes the following fields from the record. Only these fields are cleared: personal data held elsewhere on the record, for example in free-text notes, is not covered by this list and should be reviewed against your erasure policy, and because the audit trail described in section 9 records the value before each change, confirm how anonymised values are treated there.

  • Firstname
  • Surname
  • Address
  • Phone number
  • Mobile
  • Email Address

Screenshot: Anonymise Contact screen
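The retention sweep of section 3 and the anonymisation of this section share one workflow: filter stale records, apply an irreversible action under administrator control with explicit confirmation, and write an audit entry recording who, when, the criteria and how many. The following is an added example of that workflow, not MindaClient's own code. The data model, the role and confirmation flags, the ISO date strings, the sample clients and the residual-data check over free-text notes are all assumptions made for the illustration.

```python
"""Added example: retention sweep with hard delete or anonymisation, an audit
entry per bulk run, and a check for personal data left in free text.
Illustrative code, not MindaClient's implementation; the data model, role and
confirmation flags, and the residual check are assumptions."""
import re
from dataclasses import dataclass
from datetime import date, datetime
from typing import Dict, List

# The six fields the page says anonymisation clears.
PERSONAL_FIELDS = ("firstname", "surname", "address", "phone", "mobile", "email")

# Crude detector for an email address or a phone-like digit run in free text.
PII_PATTERN = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+|\d[\d\s-]{6,}\d")


@dataclass
class Client:
    client_id: int
    sector: str
    last_contact: date  # date of the last recorded call or meeting
    firstname: str = ""
    surname: str = ""
    address: str = ""
    phone: str = ""
    mobile: str = ""
    email: str = ""
    notes: str = ""  # free text: NOT in the anonymised field list


@dataclass
class AuditEntry:
    user: str
    when: datetime
    action: str  # "bulk_delete" or "bulk_anonymise"
    criteria: str
    affected: int


def select_stale(db: Dict[int, Client], sector: str, cutoff_iso: str) -> List[int]:
    """The page's filter: clients in `sector` not spoken to since the cutoff date."""
    cutoff = date.fromisoformat(cutoff_iso)
    return sorted(cid for cid, c in db.items()
                  if c.sector == sector and c.last_contact < cutoff)


def anonymise_record(c: Client) -> None:
    """Blank the personal fields in place; no key is kept, so this is irreversible."""
    for f in PERSONAL_FIELDS:
        setattr(c, f, "")


def bulk_action(db: Dict[int, Client], ids: List[int], action: str, user: str,
                is_admin: bool, confirmed: bool, criteria: str,
                audit: List[AuditEntry], now_iso: str) -> int:
    """Apply 'delete' (hard delete, no archive copy) or 'anonymise' to `ids`.
    Admin-only, refused without explicit confirmation, one audit entry per run."""
    if not is_admin:
        raise PermissionError("bulk actions are restricted to administrators")
    if not confirmed:
        raise ValueError("bulk action requires explicit confirmation")
    if action not in ("delete", "anonymise"):
        raise ValueError("unknown action: " + action)
    for cid in ids:
        if action == "delete":
            del db[cid]
        else:
            anonymise_record(db[cid])
    audit.append(AuditEntry(user, datetime.fromisoformat(now_iso),
                            "bulk_" + action, criteria, len(ids)))
    return len(ids)


def residual_personal_data(db: Dict[int, Client]) -> List[int]:
    """Anonymised records whose notes still look like they hold an email or phone number."""
    return sorted(cid for cid, c in db.items()
                  if all(getattr(c, f) == "" for f in PERSONAL_FIELDS)
                  and PII_PATTERN.search(c.notes))


def make_sample_db() -> Dict[int, Client]:
    """Constructed sample data for the example."""
    return {
        1: Client(1, "engineering", date(2015, 6, 1), "Ann", "Byrne", "1 Quay St",
                  "01 234 5678", "087 111 2222", "ann@example.com"),
        2: Client(2, "engineering", date(2016, 3, 15), "Jim", "Daly", "5 Mill Rd",
                  "", "086 333 4444", "jim@example.com",
                  notes="Site contact is jane@example.com"),
        3: Client(3, "engineering", date(2017, 1, 10), "Eva", "Kane", "9 Dock Rd",
                  "", "", "eva@example.com"),
        4: Client(4, "retail", date(2014, 1, 1), "Tom", "Ryan", "2 High St",
                  "", "", "tom@example.com"),
    }


if __name__ == "__main__":
    db, audit = make_sample_db(), []
    stale = select_stale(db, "engineering", "2016-04-01")
    bulk_action(db, stale, "anonymise", "admin", True, True,
                "sector=engineering AND last_contact<2016-04-01", audit, "2018-05-25T09:00:00")
    print(audit[-1])
    print("records with personal data left in notes:", residual_personal_data(db))
```

Run as a script, the sweep anonymises clients 1 and 2, leaves client 3 (contacted after the cutoff) and client 4 (different sector) untouched, and the residual check flags client 2 because its free-text notes still contain an email address that the field list never touched.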

6. Internal Restrictions

The processing of client data is given much coverage under GDPR: the permission to process, the purpose of processing, and processing only for a set length of time.

  Article 25 refers to Data protection by design and by default

Internally, within your company it is very important that your users only have access to the data that they need to process. Their access rights may also have to change depending on what part of your business they are working in.

MindaClient provides a comprehensive facility where you can set access rights for users, ranging from full administration rights over all data down to read-only or mobile-only access.

Screenshot: User Access permission screen


7. Protecting your data from staff

  Article 24 states that the controller shall implement appropriate technical and organisational measures to ensure that processing is performed in accordance with this Regulation

Your sales people and users must have access to client information in order to process the data by recording meetings, sales etc.

With the additional requirements of GDPR and the protection of personal information, some companies are becoming more aware of the possibility of employees who are leaving copying client information.

There are three points in MindaClient that address these concerns.

A) There is an audit trail running in MindaClient that tracks changes made by users. It displays the old value, the new value, who made the change and when it was made.
B) In the main Client Reporting screen, if a user downloads any client information the audit trail records who downloaded the data, when it was downloaded and what the criteria for the report were.
C) If a user is leaving your company, tick the box to make them inactive and they will no longer have access to your client data. Do this no later than their last working day, and use the download audit from point B to review what they exported in the period before they left.

8. Processing of Requests

Every data subject has the right to ask how an organisation is using their personal data, where it is used and why. They also have the right to request a digital copy of the data held about them.

GDPR gives the data subject a number of rights, including the right of access, rectification, erasure and restriction of processing.

Record keeping for, and processing of, these requests is one of the controller's responsibilities.

  Article 30 deals with records of processing activities

MindaClient has developed procedures that will allow you to process all requests from Data subjects.

Screenshot: Processing requests in MindaClient

When you receive a request you can record it in MindaClient against the relevant client.

You can record the following:

  • The type of request
  • The person who took the request
  • The person who made the request
  • The date of the request
  • The time of the request
  • How long you spent processing the request
  • Any other comments

You can set reminders and follow-ups to ensure all requests are processed.

You can report on all requests in the reporting section.

If you receive a request for a digital copy of a person's data you can extract it in the Client Reporting screen. If you want to download a copy of all the information you hold about a person, use the new Print Profile download facility.

Screenshot: Download selected client data

9. Audit Trail

Under GDPR you need to be able to answer the following questions

“Who accessed or changed data within our systems?”

“When was the data accessed or when was it changed?”

“When did a specific user last access the system?”

  Chapter IV, Section 2 of the GDPR (Articles 32 to 34) deals with the security of personal data

There is an audit trail running in MindaClient that tracks all changes by users. It records:

  • The person who added the record
  • The value before the change was made
  • The person who made the change
  • The date and time of the change
  • The new value of the data
  • When a user accessed MindaClient
  • Changes to dropdown lists

If you wish to view the full audit trail for a client you can select which area you wish to print the audit for or you can select to print all changes.


10. Security

  Article 32 of the GDPR regulations deals with the Security of processing

Article 32 states that the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.

The following is a summary of the security steps that MindaClient has undertaken.

Encryption

All data transferred to and from our websites is encrypted in transit using HTTPS (TLS). Note that SHA-256 is a hash function, used for certificate signatures and integrity checks, not an encryption algorithm; the confidentiality of a TLS connection comes from the cipher suite the session negotiates. Backups between servers travel over an encrypted SSH connection, as described below.

Constant backup

A full backup of the MindaClient server is made every hour over an SSH-encrypted connection between servers. This is done by an automated, dedicated backup service located within the Republic of Ireland.

Firewall

Our MindaClient server sits behind a hardware firewall at datacentre level, and in addition there is a software firewall on each machine. Access on every port is restricted to what is actually needed, and where access is allowed it is further restricted by source IP address.

Failover

Our MindaClient server is mirrored in real time to a failover server on the AWS cloud (Dublin). In the unlikely event of a disruption to service on our primary server, an IP switching service lets us fail over to the secondary machine. A real-time mirror replicates deletions and corruption as faithfully as good data, so it complements the hourly backups above rather than replacing them.

Hashed passwords

All passwords are hashed rather than stored in a recoverable form, so in the event of a breach none of our users' passwords can be decrypted from the database. A hash cannot be decrypted, but a weak password can still be recovered by guessing against it, which is why the strong password policy below matters.

Strong passwords

We have implemented a 'strong password' policy. When creating a password, users must meet the strong password criteria.

Regular Updating of Passwords

We have an automated facility that allows our clients to turn on the forced updating of their users’ passwords. When a set time period has elapsed, the user will be required to change their password to a new ‘strong’ password.

Password Reset

If a user needs to reset their password, they can make this request on the login page of our website. An email is sent to the registered email account of that user, allowing the user to update their password securely.
