As of 25 May 2018 the General Data Protection Regulation (GDPR) comes into force, and companies need to comply with these privacy rules.
Within the GDPR the privacy of the natural person is central. Every company has to treat natural persons, and the security of their personal data, as its first priority. This starts with the obligation to process personal data only when you have a clear purpose for doing so (Privacy by Design) and ends with the deletion of that data once the purpose no longer applies.
Within the framework of the General Data Protection Regulation this is referred to as the first requirement of "Privacy by Design". Have you activated all the functionality the software offers to protect this data? Think of an active policy for authorization, data authorization, logging, action logging and the archiving of master data. Besides privacy-enhancing functionality within the application, Privacy by Design also covers the requirement of data minimization: you are responsible for recording only the personal data that is necessary for the purpose of the processing. Do you know where, and in which processes, you store personal data in Exact Globe or Exact Synergy? Do you have the management of that personal data under control? How long does the recorded personal data serve its purpose, and for how long may it be retained? Do you clean up recorded personal data on a regular basis by deleting or anonymising it?
Data minimization
For accounts, contacts, employees and users the following personal data can be stored: address details, name, e-mail address, credit card information, bank accounts, external references, BSN (Dutch citizen service number), VAT number, business card, etc.
Once it is clear where the personal data is stored, you can decide to delete or anonymise it.
By deleting the information, the records are removed from the database. Master data that is used in transactions cannot be deleted; in that case you can anonymise the data or merge it.
If there is no longer a purpose for keeping the (personal) data and the legal retention period has expired, you can remove the information from your database. Think of a potential customer who showed interest in your products but never became a customer: there is no need to store that personal data, and you are expected to clean up such information on a regular basis.
In most situations an account, contact, employee or user is linked to one or more other entities. An account can be linked to an invoice, a contact to a delivery note, an employee to a payroll slip and a user to various kinds of registrations in the software. Because the legal retention period applies to those linked records, the information often cannot be deleted from the company. For instance, if you want to delete the information of an employee after the retention period has expired, this may still be impossible because the employee is linked to several entities. The solution is then to anonymise the employee. All personal data of the employee (or account, contact or user) is anonymised, and the person can no longer be recognised in the company: gender, date of birth, name, BSN, function title and similar data are no longer available.
By anonymising the data, you remove the personal data from the existing records. The records themselves remain, so the linked transactions stay intact, but every personal field is cleared or replaced by dummy information.
By merging the information, you merge the records that contain personal data into records that contain only dummy information, so the linked transactions point to the dummy record instead of the natural person.
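The delete-or-anonymise decision described above, as an added example that is not part of this page or of Exact Globe / Exact Synergy. It uses a hypothetical two-table schema (persons referenced by payroll slips), a constructed data set and an assumed seven-year retention period; the table names, the retention period and the set of fields that count as personal data are all assumptions, and a real system has more link tables and more fields. The point it shows is the decision rule: a record whose retention has expired is hard-deleted when nothing references it, and anonymised in place when referential integrity refuses the delete, so the transactions keep their totals while the person can no longer be identified.

```python
"""Deletion versus anonymisation of personal data that transactions still reference.
Added example with a hypothetical schema; not Exact Globe / Exact Synergy code."""
import sqlite3
from datetime import date

RETENTION_YEARS = 7  # assumed retention period; the real one depends on data type and jurisdiction
PERSONAL_FIELDS = ("email", "birth_date", "bsn", "job_title")  # assumed set of fields to strip


def build_db() -> sqlite3.Connection:
    """Constructed sample data: a prospect, a former employee with payroll slips, an active employee."""
    con = sqlite3.connect(":memory:")
    con.row_factory = sqlite3.Row
    con.execute("PRAGMA foreign_keys = ON")  # make links between entities enforceable
    con.executescript("""
        CREATE TABLE persons (
            id INTEGER PRIMARY KEY,
            name TEXT, email TEXT, birth_date TEXT, bsn TEXT, job_title TEXT,
            last_activity TEXT NOT NULL,
            anonymised INTEGER NOT NULL DEFAULT 0);
        CREATE TABLE payroll_slips (
            id INTEGER PRIMARY KEY,
            person_id INTEGER NOT NULL REFERENCES persons(id) ON DELETE RESTRICT,
            period TEXT NOT NULL, amount REAL NOT NULL);
        INSERT INTO persons VALUES
            (1, 'Anna Prospect', 'anna@example.com', '1980-02-02', '000000001', NULL, '2015-06-01', 0),
            (2, 'Bert Former', 'bert@example.com', '1975-03-03', '000000002', 'Controller', '2010-12-31', 0),
            (3, 'Carla Active', 'carla@example.com', '1990-04-04', '000000003', 'Developer', '2023-11-15', 0);
        INSERT INTO payroll_slips VALUES
            (1, 2, '2010-11', 3100.0),
            (2, 2, '2010-12', 3100.0),
            (3, 3, '2023-11', 4200.0);
    """)
    return con


def retention_expired(last_activity: str, today: date, years: int = RETENTION_YEARS) -> bool:
    """True when the last activity lies at least `years` before today."""
    last = date.fromisoformat(last_activity)
    try:
        cutoff = today.replace(year=today.year - years)
    except ValueError:  # today is 29 February and the cutoff year has no such day
        cutoff = today.replace(year=today.year - years, day=28)
    return last <= cutoff


def try_delete(con: sqlite3.Connection, person_id: int) -> bool:
    """Hard delete; returns False and leaves the row when transactions still reference it."""
    try:
        with con:  # commits on success, rolls back on error
            con.execute("DELETE FROM persons WHERE id = ?", (person_id,))
        return True
    except sqlite3.IntegrityError:  # FOREIGN KEY constraint failed: master data is in use
        return False


def anonymise(con: sqlite3.Connection, person_id: int) -> None:
    """Keep the row so linked transactions stay consistent, but clear every personal field."""
    cleared = ", ".join(f"{f} = NULL" for f in PERSONAL_FIELDS)
    with con:
        con.execute(
            f"UPDATE persons SET name = 'Anonymised ' || id, {cleared}, anonymised = 1 WHERE id = ?",
            (person_id,),
        )


def cleanup(con: sqlite3.Connection, today: date) -> dict:
    """Decision rule: retain within the retention period, delete if unlinked, otherwise anonymise."""
    result = {"deleted": [], "anonymised": [], "retained": []}
    rows = con.execute("SELECT id, last_activity FROM persons WHERE anonymised = 0 ORDER BY id").fetchall()
    for pid, last in rows:
        if not retention_expired(last, today):
            result["retained"].append(pid)
        elif try_delete(con, pid):
            result["deleted"].append(pid)
        else:  # referential integrity refused the delete: strip the person instead
            anonymise(con, pid)
            result["anonymised"].append(pid)
    return result


def person(con: sqlite3.Connection, person_id: int):
    row = con.execute("SELECT * FROM persons WHERE id = ?", (person_id,)).fetchone()
    return dict(row) if row else None


def payroll_total(con: sqlite3.Connection, person_id: int) -> float:
    """Transactions must survive anonymisation unchanged; this is the check."""
    (total,) = con.execute(
        "SELECT COALESCE(SUM(amount), 0) FROM payroll_slips WHERE person_id = ?", (person_id,)
    ).fetchone()
    return total


if __name__ == "__main__":
    db = build_db()
    print(cleanup(db, date(2024, 1, 1)))  # {'deleted': [1], 'anonymised': [2], 'retained': [3]}
    print(person(db, 2), payroll_total(db, 2))
```

Letting the database's referential integrity decide whether a delete is possible, rather than checking one link table by hand, is deliberate: a new link table added later is caught automatically, whereas a hand-written list of links silently goes stale. In a real administration the retention period differs per data category, so the cutoff would be looked up per record rather than taken from one constant.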
Securing personal data
Via roles and rights you secure the personal data and determine which users are allowed to view it. Grant access to personal data only to the roles that need it for their task, and combine this with the logging and action logging mentioned above so that access to personal data can be traced afterwards.
For more information on the functions available in the software, see General Data Protection Regulation and Exact Globe / Exact Synergy - functionality.