GDPR

PERSONAL DATA

LET'S TALK ABOUT YOUR OBLIGATIONS AND HOW A SOLUTION FROM ELITE CAN MAKE ALL THE DIFFERENCE.

Fair & transparent
Data must be stored and processed lawfully, fairly, and in a transparent manner.

Our solutions facilitate secure and controlled processing and storage of all business information. With comprehensive audit trails, live reporting on document processes, custom escalation procedures and email notifications, we can deliver full transparency and accountability that is consistent at every stage of your document life-cycles.

Legitimate & explicit/Adequate & limited
Data must be collected for specified, explicit and legitimate purposes & not further processed in a manner that is incompatible with those purposes. Data must also be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.

We can ensure that only pre-ordained paths are followed, with full audit trails, when storing any document type. As an example, when storing a CV, the document would follow a secure, bespoke workflow in order to decide whether the applicant is to be invited for an interview. Once the interview has taken place, dependent on the result, the information could either be placed onto a deletion schedule (adhering to legal retention) or securely stored in a digital filing cabinet. Combining this functionality with the benefits of ‘real time’ reporting and audit trails on the documents, sensitive information can be provided by you to the interested party instantly upon request, making compliance fast and simple.

Accurate & Current
Data must be accurate and, where necessary, kept up to date. Every reasonable step must be taken to ensure that personal data that is inaccurate (having regard to the purposes for which it was processed) is erased or rectified without delay.

So long as the user in question has the requisite access rights, all information stored can be edited or updated as needed. Using version control, we can then ensure that only the up-to-date information is returned when searches are performed.

Time limited
Data must be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed/stored.

Automatic deletion schedules can be implemented within your organisation. This can be by any criteria required. For example, as a rule of thumb, invoices are to be stored securely for a legally required period of 7 years. We can set up automatic monitoring of this particular file type, so that when the expiration date is approaching, an email alert is sent to the required party/parties, informing them that the deadline is approaching and that action/confirmation is required (allow auto deletion, save to disk/hard drive, etc.).

Secure & protected
Data must be stored/processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing, and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

Using our Cloud solutions, all information stored is fully accredited, secure, protected & encrypted, whilst also being backed up across 3 separate locations on the tier 4 Microsoft Azure cloud platform.


INDIVIDUAL RIGHTS

Under GDPR, individuals will benefit from increased rights compared with those offered in the Data Protection Act:

The right to be informed
This encompasses your obligation to provide ‘fair processing information’, typically through a privacy notice. It emphasises the need for transparency over how you use personal data –

The options here are many and varied. The evidence of information being fairly processed will be available with a mouse click at every step of the processing of any information. With regard to how that information reaches the party requesting it, options range from automatic email updates to the owner of the personal information, informing them of the details being stored and for how long, to digital forms being provided to either give or confirm permissions against storage/processing, and everything in between. We can ensure this information exchange is smooth, compliant and painless.

The right of access
Under the GDPR, individuals will have the right to obtain confirmation that their data is being processed, access to their personal data, and other supplementary information –

Along with the benefits noted in The right to be informed, the option to offer a “Guest” login to your software solution, allowing the logger of the query to view ONLY the information relating to them personally would be available. Alternatively, depending on the depth of their enquiry/requirements, reports can be provided allowing clarity on the information stored relating to them at all times.

The right to rectification
Individuals are entitled to have personal data rectified if it is inaccurate or incomplete –

Much like the other points in this section, the struggle lies not in the facilitation of a dialogue with the requester, but in the finding of the information requested in the first place, along with tangible evidence of where this information has been, why it’s been there and whose eyes have been on it. Using our comprehensive search functionality for stored information and the background evidence trail, there is no hiding place for either the information or the parties involved in processing it. Notifying the person in question is the easy part. And with our help, both finding the information and proving good, fair and compliant practice also become pain-free and simple tasks.

The right to erasure
The right to erasure is also known as “the right to be forgotten”. It simply means an individual has the right to request the deletion or removal of personal data where there is no compelling reason for its continued processing –

Once again, having solved the larger issue of locating all relevant information quickly and painlessly in the first instance, as noted in previous points, the removal/deletion of this (subject to legal retention procedures of course) is made simple and fast.

The right to restrict processing
Previously with the DPA (Data Protection Act), individuals had a right to block or suppress processing of personal data. Under the GDPR, this will remain very similar. When processing is restricted, you are permitted to store, but not process the information –

In this event, simple steps can be taken to ensure compliance. For instance, the information in question can be stored in a limited access location and/or locked as a ‘read only’ file, meaning that under no circumstance can it be used for any purpose other than that explicitly intended.

The right of data portability
This allows individuals to obtain and re-use their personal data for their own purposes across different services. It allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability –

As long as the physical sharing of this information is in keeping with your own internal regulations, information can be downloaded/shared/provided in whichever form it is obtained in directly to the intended recipient without stress or delay, as a result of the streamlined search and locate functionality provided, coupled with the ease of mobile or off-site access for permitted parties.

The right to object
Individuals have the right to object to processing based on legitimate interests or the performance of a task in the public interest (including profiling), direct marketing (including profiling) and processing for the purpose of scientific or historical research and statistics –

By the nature of this point, it would require reactive, rather than proactive action. Should a processing objection be made, steps can be put in place at any point of the information’s lifespan within our solutions, introducing conditions/permissions/safeguards to protect not only the interest of the request, but also those of you and your business.

Rights in relation to automatic decision making and profiling
The GDPR provides safeguards for individuals against the risk that a potentially damaging decision is taken without human intervention. These rights work in a similar way to those existent under the DPA –

This is a far broader point than those that precede it. With our solutions in place, any and all conditions can be applied to the storing/processing/handling of information and/or documentation. So whilst this point primarily alludes to the protection of the hypothetical person contacting you and your business, there can be no circumstance in which you would find yourself unprepared in relation to regulation adherence and compliance.