Sensitive data and personal data

If you store records of people you deal with in your agileBase instance, what is that data used for? Where did it come from? Who can see it? Why is it legitimate for you to process that data – which of the six lawful bases under the GDPR apply? Will the data be accessed outside of the country? How long will it be retained for once it’s no longer in use?

As you are no doubt aware, the General Data Protection Regulation will be applicable as of May 25th. Most companies using agileBase store some personal information so these questions and others are all things that need thought.

A lot of other data may be commercially sensitive rather than personal, and it requires just as much careful thought about data protection.

Data exports

This week’s update is relevant in a couple of ways. Firstly, additional measures are in place to protect against or mitigate the unauthorised mass downloading or exporting of data, working in concert with the existing safeguards. Remember that the export option is only available if

  1. the user is a member of a role which has ‘allow exports’ ticked (off by default)
  2. the view has ‘allow users to export’ ticked (on by default, can be disabled in the view’s manage tab)

Now, even if an export is allowed, an administrator can choose to get notifications whenever an export over a certain size occurs. This option is triggered if the administrator ticks one of two boxes in a table’s ‘manage’ tab:

  • this table contains personal data
  • this table contains commercially sensitive data

(Screenshot: the ‘this table contains personal data’ and ‘this table contains commercially sensitive data’ options)

When either of those is chosen, the admin will be prompted to choose a number (defaulting to 100). Any export containing at least this number of records will trigger an automated email to the admin, which they can use when checking whether the export was for a valid reason.

When managing one of these tables, the administrator is also shown which roles have the ‘allow exports’ option and whether any views are set up to transfer data to third party systems using the API.
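To make the export safeguards above concrete, here is an added example (not agileBase’s own code) that models the two-step export gate, the per-table alert threshold and the admin review summary in Python. The role, view, table and user classes, the `api_transfer` flag on a view and the `admin@example.invalid` address are all constructed assumptions for the illustration; the defaults (‘allow exports’ off, ‘allow users to export’ on, threshold 100) follow the post.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed model of the export controls described in the post.
# Names and structure are assumptions, not agileBase's internal API.


@dataclass(frozen=True)
class Role:
    name: str
    allow_exports: bool = False  # 'allow exports' is off by default


@dataclass(frozen=True)
class View:
    name: str
    table: str
    allow_users_to_export: bool = True  # on by default, can be turned off in the view's manage tab
    api_transfer: bool = False  # hypothetical flag: view feeds a third-party system via the API


@dataclass(frozen=True)
class Table:
    name: str
    contains_personal_data: bool = False
    contains_commercially_sensitive_data: bool = False
    alert_threshold: int = 100  # number the admin is prompted for; defaults to 100


@dataclass(frozen=True)
class User:
    name: str
    roles: Tuple[Role, ...]


def export_allowed(user: User, view: View) -> bool:
    """Export is only available if BOTH conditions hold:
    a role of the user has 'allow exports' ticked AND the view allows user exports."""
    role_ok = any(role.allow_exports for role in user.roles)
    return role_ok and view.allow_users_to_export


def needs_alert(table: Table, record_count: int) -> bool:
    """Alert only for tables flagged personal or commercially sensitive,
    and only when the export reaches the configured threshold."""
    flagged = table.contains_personal_data or table.contains_commercially_sensitive_data
    return flagged and record_count >= table.alert_threshold


def attempt_export(user: User, view: View, table: Table, record_count: int,
                   admin_email: str = "admin@example.invalid") -> Tuple[bool, Optional[dict]]:
    """Returns (exported, alert). A blocked export produces no alert; an allowed
    export over the threshold on a flagged table produces the email payload."""
    if not export_allowed(user, view):
        return False, None
    alert = None
    if needs_alert(table, record_count):
        alert = {
            "to": admin_email,
            "user": user.name,
            "view": view.name,
            "table": table.name,
            "records": record_count,
            "threshold": table.alert_threshold,
        }
    return True, alert


def review_summary(table: Table, roles, views) -> dict:
    """What the manage tab surfaces to the admin for a flagged table:
    which roles can export at all, and which views push data out via the API."""
    return {
        "roles_allowing_exports": sorted(r.name for r in roles if r.allow_exports),
        "api_transfer_views": sorted(v.name for v in views if v.table == table.name and v.api_transfer),
    }


# Constructed sample configuration
ROLE_SALES = Role("sales", allow_exports=True)
ROLE_SUPPORT = Role("support")  # allow exports left at the default (off)
VIEW_CONTACTS = View("contacts_all", table="contacts")
VIEW_CONTACTS_SYNC = View("contacts_crm_sync", table="contacts", api_transfer=True)
VIEW_LOCKED = View("contacts_locked", table="contacts", allow_users_to_export=False)
TABLE_CONTACTS = Table("contacts", contains_personal_data=True)  # threshold 100
TABLE_PRICES = Table("price_lists", contains_commercially_sensitive_data=True, alert_threshold=50)
TABLE_NOTES = Table("meeting_notes")  # not flagged: never alerts
USER_ALICE = User("alice", (ROLE_SALES,))
USER_BOB = User("bob", (ROLE_SUPPORT,))

if __name__ == "__main__":
    print(attempt_export(USER_ALICE, VIEW_CONTACTS, TABLE_CONTACTS, 99))
    print(attempt_export(USER_ALICE, VIEW_CONTACTS, TABLE_CONTACTS, 100))
    print(attempt_export(USER_BOB, VIEW_CONTACTS, TABLE_CONTACTS, 500))
    print(review_summary(TABLE_CONTACTS, [ROLE_SALES, ROLE_SUPPORT],
                         [VIEW_CONTACTS, VIEW_CONTACTS_SYNC, VIEW_LOCKED]))
```

The point the model makes explicit is that the threshold alert is a detective control layered on top of the two preventive ones: a user without an exporting role, or a view with exports disabled, never reaches the threshold check, while an export of 99 records from a flagged table passes silently. An admin reviewing the summary can then see both who could export and where the data already leaves via the API.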

Data protections and the GDPR

If the admin selects ‘this table contains personal data’, then a further section of notes is displayed, prompting consideration of various data protection questions pertinent to the GDPR. There are even some boxes where you can record your thoughts about each issue, current situation, future plans or whatever else is useful to you.

Please bear in mind that this is not a tool to manage your company’s evidencing of compliance with the GDPR. Hopefully though it will be of some practical help, particularly prompting you to think about data privacy and protection from the moment that a table is first created. For a system such as agileBase, where agility is a key feature, allowing systems to be built and evolved rapidly, it’s important not to overlook that!

If you need some help checking preparations for the GDPR, there’s some really good background information on the Information Commissioner’s Office website and there’s a fully indexed, searchable version of the entire regulation at https://gdpr-info.eu.
