
General Data Protection Regulation (GDPR) and Exact Globe / Exact Synergy

As of 25-5-2018 the General Data Protection Regulation (GDPR) will come into force and companies need to be compliant with these privacy regulations.

Within the GDPR the privacy of a natural person is central. Every company needs to make natural persons, and the security of their personal data, its number 1 priority. This starts with the obligation to only process personal data when you have a clear purpose for doing so (Privacy by Design) and ends with the deletion of personal data when this purpose no longer applies.

Within the framework of the General Data Protection Regulation, this is referred to as the first requirement of "Privacy by Design". Have you activated all the functionality offered to protect this data? Think of the active policy in the field of authorization, data authorization, logging, action logging and archiving of master data. In addition to privacy-enhancing functionality within the application, Privacy by Design also refers to the requirement of data minimization. Data minimization means that you are responsible for recording only the personal data that is necessary for the purpose of the processing. Do you have insight into where, and for which processes, you store personal data in Exact Globe or Exact Synergy? Do you have the management of personal data under control? How long do the recorded personal data serve their purpose and for how long may they be retained? Do you clean up your recorded personal data on a regular basis by deleting it or by anonymizing it?

Data minimization

  • Master data
    The personal data in the master data is used to create a transaction or to support the process of creating a transaction. You can think of creating entries, generating reminders, payment specifications and invoices based on the stored information. In most cases this will be the address details of the debtor, creditor or person. During the setup you define which information you store in which field. Besides entering the personal data in the logical places, in theory any field in the application can be used to store personal data. It is therefore important that you have strict internal guidelines about storing personal data in the application. We distinguish the following natural persons (entities) in our products:
    • Accounts (debtors, creditors, etc)
    • Contacts
    • Resources (persons, employees, applicants, users)

For these entities the following personal data can be stored: Address details, name, e-mail, credit card information, bank accounts, external references, BSN no., VAT number, business card, etc.

Once it is clear where the personal data is stored you can decide to delete or anonymise the information.

By deleting the information, the records are removed from the database. If the master data is used in transactions it cannot be deleted. In that case, you can anonymise the data, or merge the data.

If there is no purpose for keeping the (personal) data and the legal retention period has expired, you can remove the information from your database. You can think of a potential customer that showed interest in your products but never became a customer. In this case it is not necessary to store the personal data and you are expected to clean up this information on a regular basis.

In most situations the account, contact, employee or user will be linked to one or multiple entities. An account can be linked to an invoice, a contact to a delivery note, an employee to a payroll slip and a user to various kinds of registrations in the software. Because you have to keep the legal retention period in mind, the information often cannot be deleted from the company. For instance, if you want to delete the information of an employee after the retention period, it can still happen that this is not possible because the employee is linked to several entities. A solution can be to anonymise the employee. With this, all personal data of the employee (or account, contact or user) is anonymised and the person can no longer be recognized in the company. All personal data of this employee, such as gender, date of birth, name, BSN number or function title, will no longer be available.

By anonymising the data, you are removing the personal data from the existing records. The records themselves remain, but all personal data is removed or replaced by dummy information.

By merging the information, you merge the records that contain personal data with records that contain dummy information.
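The delete-or-anonymise decision described above, as an added illustration that is not Exact's own code and does not use Exact's tables: a constructed accounts/invoices schema in SQLite where a foreign key blocks deletion of master data that is used in a transaction, so the record is anonymised (personal fields replaced by dummy values) instead, while an unlinked record past the retention period is deleted and a recent one is retained.

```python
import sqlite3
from datetime import date

# Constructed sample schema and data (hypothetical, not Exact's own tables):
# accounts hold personal data, invoices reference accounts. ON DELETE RESTRICT
# models the rule that master data used in transactions cannot be deleted.
SCHEMA = """
CREATE TABLE accounts (id INTEGER PRIMARY KEY, name TEXT, email TEXT,
                       bank_account TEXT, last_activity TEXT);
CREATE TABLE invoices (id INTEGER PRIMARY KEY, amount REAL,
    account_id INTEGER NOT NULL REFERENCES accounts(id) ON DELETE RESTRICT);
"""
RETENTION_DAYS = 7 * 365  # 7-year Dutch fiscal retention period, approximated

def open_db():
    con = sqlite3.connect(":memory:")
    con.execute("PRAGMA foreign_keys = ON")  # SQLite enforces FKs only when on
    con.executescript(SCHEMA)
    con.executemany("INSERT INTO accounts VALUES (?,?,?,?,?)", [
        (1, "J. Jansen", "jansen@example.com", "NL00BANK0123456789", "2012-01-10"),
        (2, "P. Prospect", "prospect@example.com", None, "2012-06-15"),
        (3, "K. Recent", "recent@example.com", None, "2020-11-02"),
    ])
    con.execute("INSERT INTO invoices VALUES (1, 250.0, 1)")  # links account 1
    return con

def try_delete(con, account_id):
    """Plain delete; fails on a referenced account because of the foreign key."""
    try:
        con.execute("DELETE FROM accounts WHERE id=?", (account_id,))
        return True
    except sqlite3.IntegrityError:
        return False

def anonymise(con, account_id):
    """Keep the record (so linked invoices stay valid) but strip the personal data."""
    con.execute("UPDATE accounts SET name=?, email=NULL, bank_account=NULL "
                "WHERE id=?", (f"Anonymised {account_id}", account_id))

def cleanup(con, account_id, today_iso):
    """Retain within the retention period; afterwards delete if unreferenced,
    otherwise anonymise. Returns the action taken."""
    (last,) = con.execute("SELECT last_activity FROM accounts WHERE id=?",
                          (account_id,)).fetchone()
    age = (date.fromisoformat(today_iso) - date.fromisoformat(last)).days
    if age <= RETENTION_DAYS:
        return "retained"
    if try_delete(con, account_id):
        return "deleted"
    anonymise(con, account_id)
    return "anonymised"
```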

  • Transactions
    In order to guarantee accountability to the accountant, processed entries or transactions cannot be changed. In the Netherlands, a 7-year retention obligation applies towards the Fiscal Authorities. If your sales invoice lines, purchase invoice lines or bank entries contain personal data that in your view does not belong there, it is important to pay close attention to your work procedures. Is the personal data necessary for the entry? Can you use invoice specifications instead and delete them separately later?

  • Documents
    You can link natural persons to documents, but once you've anonymised or merged these natural persons, the anonymised or merged entity will be linked to the documents. It is however possible that the content of documents contains personal data. You can think of sales or purchase invoices, but also of diplomas, resumes and/or contracts. Besides this you can also generate and store invoices, reminders, etc. (in PDF format). It is advised to have a good look at your procedures to check whether any of them result in personal data being visible in documents. In addition, incoming and outgoing bank files can be stored as an attachment in the database. For documents that contain personal data, you can either delete the document or anonymise the personal data in the document.
  • Requests
    You can link natural persons to requests, but once you've anonymised or merged these natural persons, the anonymised or merged entity will be linked to the requests. It is however possible that the remarks in requests can contain personal data. In that case you can anonymise or delete the requests.

  • Logbook
    Keep in mind that when you change data (for instance a debtor), the changes made are visible in the logbook. It is important to process the logged information, check it for fraud and then delete it from the logbook.

  • Back-ups
    According to the GDPR, backups must also be anonymised if the personal data is no longer needed. It is important to have a look at your backup management and check whether your backup procedures comply with this. If needed you can restore a backup in a test environment to remove the personal data. A consultant of Exact or your Exact partner can help you with this. Be careful that you do not overwrite your live company when restoring a backup.

Securing personal data

Via roles and rights, you are able to secure the personal data and determine which users are allowed to view this personal data.

For more information on the functions available in the software, see General Data Protection Regulation and Exact Globe / Exact Synergy - functionality.

More information

Document ID: 30.051.859
Date: 01-04-2021
Main category: Support Product Know How
Category: On-line help files
Sub category: Details
Document type: Support - On-line help
Security level: All - 0