Any organisation using the agileBase platform will almost certainly be storing and manipulating data, whether that be as one of the agileChilli standard apps for food manufacturers, or a custom system tailored to your industry and organisation. That data might be sensitive and will in some cases be personal data – data about individual people.
If that’s the case you’ll more than likely know all about the General Data Protection Regulation (GDPR) which comes into force this May. Even if your organisation doesn’t hold any personal data this article may still be of some use. Virtually all organisations have important data they need to secure; it may just be important and sensitive in other ways.
To that end, we’re publishing the outlines of the processes we follow. You may like to adapt some for your own use or just have a read to see if there’s anything you’d like to investigate further.
Secondly, as a supplier of a platform for ‘business agility through technology’, we’re in a rather unique position. Under the GDPR, we will be jointly responsible with our customers for ensuring personal data in the system is protected. To do that we need to know what type of data it is, where it’s stored and what it’s used for. However, because our customers often build and improve systems on agileBase entirely on their own, we don’t always know the answers to those questions. Therefore, we will be contacting some customers with a ‘screening questionnaire’ shortly, to help us ascertain whether further discussions or audits might be appropriate.
We designed the Compliance Cycle model above to help us understand the scope of the new GDPR by offering a high level overview of our approach, based around eight core themes.
Of course, many of the details, practices and technologies will be the same as those we carry out anyway as good practice in protecting customer data generally, which we’ve always taken very seriously. The main difference is that we now have to ensure customers understand both their own obligations and the measures we take, so that they can be confident of their own compliance.
Step 1) Learn and Educate: As a SaaS provider we need to educate both ourselves and our customers about the impact of this regulation on our respective businesses. In particular, we both need to understand what constitutes “personal data” and “sensitive personal data”.
Like many customers, we store staff training records in agileBase, including induction records detailing the steps taken to help staff manage data securely during the course of their work.
Step 2) Identify: Once we understand what data is being collected we need to identify where this is being held. From a software perspective we also need to know where it flows to and from.
Examples might be data flowing into agileBase from e-commerce websites or out to finance packages via the API (a system for connecting software).
Step 3) Minimise: The first step in this process is to consider deleting any old data that is either high risk or low value and no longer of any real use. Secondly, consolidate (move) personal data from difficult-to-monitor tools (e.g. spreadsheets) to systems that lend themselves to central control.
As a SaaS provider we will also need to minimise any risk our clients may expose us to.
Step 4) Assess: We then need to assess the overall level of residual risk by considering both the inherent risk in each type of data held and the specific risk for this type of data in each of the locations in which it is being held.
Once we know our risk exposure we can decide how best to manage that risk.
Step 5) Protect: We then need to work to secure the data we retain, with a particular focus on high risk personal data.
Step 6) Monitor: We need to put in place systems to monitor activity that might require investigation and have in place policies to rapidly address genuine issues, breaches etc.
Having done our best to reduce any ‘business as usual’ risk to a reasonable level we now need to plan for how we will handle any failure.
Step 7) Respond: We need to be ready to respond rapidly both to day-to-day queries about the data we retain from various stakeholders, within the time limits laid down in the regulations, and to any breakdown in our data security measures.
Response templates will be stored in our agileBase document library for centralised and easy access, together with stakeholder contact details.
Step 8) Report: We also need to have procedures in place to report not only breaches and failures but also any unusual activity to the relevant authorities and customers.
Any customers who would like details on the technical and process steps we take to protect data should contact us at firstname.lastname@example.org. If you’d like to hear about setting up document libraries for forms and procedures, training records or asset/systems inventory databases, please do get in touch too.
As always, we look forward to hearing from you.