An Overview of GDPR
The new General Data Protection Regulation (GDPR) came into effect in the UK on 25th May 2018, with the intention of offering increased protection of the rights of the public by better protecting their data as processed by businesses.
GDPR requires businesses to both manage and secure personal data.
How does BigChange Manage Personal Data?
BigChange manages personal data by appointing a Data Protection Officer who reports regularly to the Leadership team on data privacy matters and who has prepared and manages a document set that includes:
- Personal Information Management Systems
- Data Asset Inventory: what data, the purpose of processing, ownership, and retention period.
- Privacy Impact Assessment
- Customer Terms of Trade that are personal data aware
- Purchase of Goods and Services contract that is personal data aware
- Data Subject Request procedure
- Data Privacy Notification procedure
How Does BigChange Secure Personal Data?
BigChange is committed to the security of our customers’ data. Our approach is aligned to ISO 27001, which is an industry benchmark for Information Security, ensuring that stringent Information Security protocols are strictly adhered to.
To access BigChange through the internet, you need to connect using HTTPS (Secure Hypertext Transfer Protocol), which is a method of connecting to a website in conjunction with Secure Sockets Layer (SSL) protocol which offers secure transport. If you forget to enter ‘https’ our system will automatically direct you to this to ensure a secure connection.
When logging into BigChange, you can set up two-step authentication. This works on the principle of the user logging in needing to know something (a password) and have something (a mobile phone) to gain entry into your system. This code refreshes every 30 seconds and is randomly generated so cannot be re-used or copied. There are many applications out there which can easily manage these codes, Google Authenticator is free and available on both iOS ad Android mobile operating systems.
You control access
The Administrators at your site have the ability to restrict the functionality of both individual and groups of users. You can ensure that users can only see data they need to, limiting risk and exposure to Data Security breaches. Administrators also can restrict the IP address that users can log into the system from. This give you the option of only allowing members of staff to login to BigChange from the office or their home, with all other connections being prevented. (This feature is dependent on having a static IP address).
Server and data protection
BigChange utilises Amazon Web Services to host our servers and data, as a result we utilise the best type of protection available (DMZ and EC2 firewalls) to protect the data contained on them by restricting access. Multiple web servers fed by load balancers provide capacity and resilience against any one server failing.
Our customer data is also stored in Amazon AWS Microsoft SQL Server databases, this is encrypted at rest to AES-256, the highest level of encryption currently available.
Each of our customers’ data is logically partitioned, meaning that customers cannot accidentally access other customers’ data.
A comprehensive data backup regime is in place which includes full, incremental and continuous backups stored within the AWS environment, meaning that your data cannot be “lost” in the unlikely event of system failure or natural disaster. Disaster recovery is enabled by copying data and server image backups to a second AWS Data Centre in the UK, this has the equivalent level of security as our primary data centre. Therefore, if one data centre fails, the system can be re-established in another location.
Features We Offer to Help You Remain Compliant
At BigChange we have incorporated several features within our software which may help you remain compliant with GDPR legislation.
GDPR requires that data is processed lawfully and for a specific purpose, often as agreed in a contract or by consent.
Your CRM includes a list of Persons that you can filter on criteria including their Group and consent status. To register/edit a Person’s consent status:
Navigate: CRM → [side menu] Contacts → Persons → Select a Person → Edit → [tab] Consents:
You will see any current consents or click to add a new one:
- Status – Choose from Awaiting consent, Consent refused and Consent given.
- Medium – Choose from Email, Click and Telephone.
- Comment – Add any additional information relating to this Person
- Attachment – Upload any relevant attachments.
- Ok – Click to Save.
The consent information will then be displayed and any changes in consent will be added to build up a history including dates and the Owner ie the person who added the change.
- It is possible to filter the person list by consent status and date (e.g. you could view all persons that refused to give their consent and act accordingly)
- The person list has a button allowing you to batch update the consent of all persons selected (‘Mark all’ → New consent pop-up)
- You can send an email to all selected persons by setting up a template with the keyword “Consent” (that will be replaced by a URL), where the person (email recipient) can choose to opt-in (give their consent). The email sent and the person’s opting-in will be saved in the consent log (i.e. in the person’s pop-up, to allow you to keep track). The template keyword for doing this can be found under the ‘Contacts & Notes’ tab, in the ‘Person’ section: “Consent” when inserting a keyword into a template.
You can manually record opt-in/opt-out requests for each person and include an attachment of this correspondence for your records.
Additionally, you can manage subscription to Marketing emails. When using Send All emailing from the CRM Contact list, if you check the Marketing email box, this will send emails only to people who have not unsubscribed from Marketing emails and offer an option to unsubscribe at the bottom of each marketing email sent.
These features work with back-office user rights. Navigate: My account → Administration → [side menu] Web Users → Roles → [section] Contacts
Data Subject Access Requests
Under the GDPR legislation, as with its predecessor, the Data Protection Act 1998, Data Subjects (any living person who is the subject of data) may request data held about them, and/or may request that their data be corrected, deleted or have processing ceased.
In order to process this request via JobWatch, please follow the simple steps below:
Navigate: My account → Administration → [side menu] Account → Data Subject Access Request.
A form will now have opened which will need to be completed for each request
An example of a completed form might look like this:
Click to send the request. A popup confirmation will now appear:
As described, you will shortly receive an email containing a link to the requested information. An example email is shown below:
Click on the link in the email to download the zip file which will then be visible at the bottom left hand of your screen:
Click on the zip file to open it and you will see files containing all of the data which you currently hold on the requestor:
You can now send the files to customers as requested.
CRM Notes can be used to record and track the receipt and completion of all Data Subject Requests.
Templates can be created to record requests and responses for Data Subject Requests.
What Data You can Request From BigChange
Data Subjects (where BigChange is the Data Controller), and BigChange customer administrators (where BigChange is the Data Processor) may request:
- what is the data processed and why,
- access to the data,
- revised processing, or amendment of a data subject’s data.
Requests where BigChange is the Data Controller
Data Controller requests are from the following data subjects: BigChange applicants/employees/ex-employees, BigChange Prospects, BigChange Supplier Contacts, Ex-Employees, anyone BigChange have tracked and emailed, Customers & Ex Customers. These requests are to follow BigChange’s Data Subject Request Process and are ordinarily free of charge.
BigChange as a Data Processor
Data Processor requests are from the BigChange Customer admin user and relate to the following data subjects: BigChange Customer’s customers, BigChange Customer’s applicants/employees/ex-employees, BigChange Customers prospects and leads, BigChange Customer supplier contacts. These requests are the responsibility of BigChange customer who may use the BigChange system to fulfil the request. BigChange reserve the right to charge a fee to the Customer.
New features and functions to our system are being added constantly, particularly those relating to data security.
As these new features are released, we will update our Help Centre informing you of these and provide useful help articles on how to get the most out of these functions.
You may also be interested in reading our article on Cloud Service Security.