GDPR & Data Protection – Checklist & Measures for the ERP System projectfacts

With our checklist for the new General Data Protection Regulation, you can protect contact data in accordance with EU guidelines!

Data Protection Checklist and Measures for the GDPR

From 25 May 2018, the new EU General Data Protection Regulation (EU-GDPR) also applies in Germany. The aim was to harmonize data protection law across Europe.

The new GDPR has implications for relationships with customers and employees, collaboration with service providers, and many internal and external processes that are handled in part through projectfacts.

The following presents resulting new features and changes in general and in relation to projectfacts. All statements here do not constitute legal advice, but are intended to raise awareness of the points we consider most important from our subjective perspective.

What is changing? What is new or needs to be adjusted?

The focus was particularly on stronger user rights, such as the right to information and the right to have one’s data deleted. Specifically, this means everyone has the right to clear and comprehensible information about what data is stored about them and how it is processed.

The right of users to have their data deleted is also strengthened. In principle, data should only be stored for as long as there is a specific use for it.

For most companies, this creates new challenges, particularly in the recruitment process and other HR work. Specifically, this means that, for example, all application documents must be deleted again after a rejection, and that personal master data must be separately protected depending on the protection class.

Also new is the obligation to configure software defaults to be as privacy-friendly as possible (Privacy by default). In addition, an obligation for data protection impact assessments has been introduced, which is intended to assess the data protection risks of special data.

Here is a brief checklist to highlight some individual important topics:

New points to take into account:

• IT security – Privacy by design/default

• Data protection impact assessment when processing high-risk data

• Liability has been significantly increased

• Need-to-know principle (requirement for minimal rights and minimal information)

The following documents or processes should be adapted:

• Data processing agreement

• Technical and organizational measures

• Procedure register (deletion rules, data protection levels)

• Commitment to data confidentiality (sensitization of employees)

• Disclaimer and privacy policy on website

• Reporting of data breaches (shortened deadlines of 72h)

The following data subject rights should be known, understood and observed:

• Right to information (Art. 15 GDPR)

• Right to rectification (Art. 16 GDPR)

• Right to erasure / right to be forgotten (Art. 17 GDPR)

• Right to restriction of processing (Art. 18 GDPR)

• Right to data portability (Art. 20 GDPR)

• Right to object (Art. 21 GDPR)

What does this mean for projectfacts and working with 5 POINT AG as the manufacturer of projectfacts?

5 POINT AG as the manufacturer and operator of projectfacts complies with the new data protection rules described in our new privacy policy on our website.

We will enter into new data processing agreements with all projectfacts customers that take into account the new GDPR requirements.

In the future, our popular Empower Workshops will also cover security aspects and a review of the projectfacts configuration to ensure data protection compliance under the GDPR.

Existing data protection before the GDPR

Even before the introduction of the GDPR, projectfacts already had extensive protective measures that protect not only personal data but all data in general:

• General group-based authorization system

• Detailed authorization system for data elements

• Authorization system based on organizations and associated contacts

• Options to delete contacts and individual data records

• Distribution of operating agreements to employees with storage of acknowledgement, e.g. for regular data protection awareness-raising among your colleagues

• Password rules

• IP protection to allow access only from specific locations

• Encryption of data transmission

• SMS login

• One-time passwords

• Daily backups on our servers

• ISO 27001-certified data center

New data protection features to support the GDPR

The next update of projectfacts will contain some changes that can significantly support you in implementing your own data protection measures:

• Report on stored contact data

• The option for users to publish or deactivate their private address fields and date of birth

• Forgetting, i.e. deleting personal data and optionally anonymizing names

• Deletion classification of contact data according to the procedure register (e.g. applicant, sales contact, business contact)

• Deletion periods according to contact classification per procedure register (e.g. 3 months after last action for applicants)

• Filter and deletion option according to deletion periods

• Files receive a security label so they can no longer be changed manually

• Organizations will have a new file field for the data processing agreement

• Data protection levels and data protection level permissions as an additional overarching authorization system and for use in risk impact assessments

• Future vacations and sick leave can be displayed as absences

• Configurable retention and access to system logs in days

• Default permission (Private) for new files not directly attached to an element with permissions

• New right to access archived data

The next update is planned for 15 May.

Tips for working with projectfacts

• Check permissions and adjust to minimal permission.

• Set up protection levels in the configuration.

• Set sensitive data to the appropriate protection level.

• Classify users with the permissible protection level.

• Set up contact types with deletion rules in the configuration.

• Assign contacts to the appropriate contact types.

• Check password security and set to high if necessary.

• For self-operated servers, regularly test backups and apply patches.

• For publicly accessible servers, disable auto-login.

• Inform employees about device security and the option to disable auto-login cookies on various computers via the projectfacts interface.

• Check employee changes. Who is active and who needs access?

• Create layout for information report.

• Delete old and no longer needed data.

• Check directory permissions in the file archive.

• Check permissions for archived project data.

If in doubt, simply ask and conduct a 1-day workshop including an audit with one of our consultants and security experts.

Appendix

Deletion rules for personal data

It is possible to define so-called contact classifications and thereby classify contacts. Deletion rules can be defined within the classifications. A deletion rule specifies after how many days without action a deletion is scheduled. For example, you could create the classification “Applicant” and enter that after 8 weeks without action (phone call, email or other activity) this data is scheduled for deletion. In the administration area, the data elements scheduled for deletion can be listed. The deletion process must then be carried out manually.

Protection levels and data protection impact assessment (DPIA) – risk matrix

In projectfacts, data can be assigned to so-called protection levels. This facilitates the data protection impact assessment that will be required in the future, as it makes it possible to identify at a basic level which data at which protection level is actually present. If you have no data at the highest protection level, the risk of misuse at that level does not exist.

There are various publicly accessible protection level concepts. Here are three examples:

• Protection level concept LfD Lower Saxony,

• Protection level concept Independent Data Protection Centre Saarland

• Standard Data Protection Model (SDM)

These models have in common that the levels build on one another. In projectfacts it is possible to grant users fundamental protection level permissions. This makes it possible to express that data at protection level 4 can only be seen by persons who themselves have at least protection level 4. A permission up to level X therefore includes all data assigned to a lower level.
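The two appendix mechanisms above, deletion rules per contact classification and hierarchical protection levels, can be illustrated with a small model. The following is an added example written for this page; it is not projectfacts code and does not use its API. The only value taken from the page is the "Applicant" rule of 8 weeks (56 days) without action; the other classifications, the 4-level protection scheme, the contact records and the reference date are constructed assumptions. As on the page, the code only lists records scheduled for deletion and leaves the deletion itself as a manual step.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Deletion rules per contact classification: days without action until
# deletion is scheduled. Only "Applicant" (8 weeks) comes from the page;
# the other two entries are assumed values. None = no automatic rule.
DELETION_RULES = {
    "Applicant": 56,
    "Sales contact": 365,
    "Business contact": None,
}

MAX_PROTECTION_LEVEL = 4   # assumed 4-level scheme, 1 = lowest, 4 = highest


@dataclass
class Contact:
    name: str
    classification: str
    protection_level: int
    last_action: date        # date of the last phone call, e-mail or other activity


def deletion_due_date(contact, rules=DELETION_RULES):
    """Date on which the contact becomes scheduled for deletion, or None."""
    days = rules.get(contact.classification)
    if days is None:
        return None
    return contact.last_action + timedelta(days=days)


def scheduled_for_deletion(contacts, today, rules=DELETION_RULES):
    """Contacts whose deletion date has been reached. Listing only: the
    actual deletion remains a manual, reviewed step as described on the page."""
    due = []
    for c in contacts:
        d = deletion_due_date(c, rules)
        if d is not None and d <= today:
            due.append(c)
    return due


def visible_to(contacts, user_level):
    """Hierarchical protection levels: a user cleared up to level X may see
    every record at level X or below, and nothing above it."""
    return [c for c in contacts if c.protection_level <= user_level]


def level_inventory(contacts, max_level=MAX_PROTECTION_LEVEL):
    """Record count per protection level, as input for a DPIA: an empty
    highest level means there is no misuse risk at that level."""
    inventory = {level: 0 for level in range(1, max_level + 1)}
    for c in contacts:
        inventory[c.protection_level] += 1
    return inventory


# Constructed sample data, not real contacts.
SAMPLE_CONTACTS = [
    Contact("A. Applicant", "Applicant", 3, date(2018, 2, 1)),
    Contact("B. Applicant", "Applicant", 3, date(2018, 4, 20)),
    Contact("C. Sales", "Sales contact", 2, date(2017, 1, 10)),
    Contact("D. Business", "Business contact", 1, date(2015, 1, 1)),
]
REFERENCE_DATE = date(2018, 5, 15)   # constructed "today"


if __name__ == "__main__":
    for c in scheduled_for_deletion(SAMPLE_CONTACTS, REFERENCE_DATE):
        print("scheduled for deletion:", c.name, "due since", deletion_due_date(c))
    print("visible to a level-2 user:", [c.name for c in visible_to(SAMPLE_CONTACTS, 2)])
    print("records per protection level:", level_inventory(SAMPLE_CONTACTS))
```

Running it against the constructed data lists the two contacts whose deadline has passed (the applicant last active in February and the sales contact from 2017), shows that a level-2 user sees only the level-1 and level-2 records, and reports an empty level 4, which is exactly the inventory question a DPIA starts from.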

Darmstadt, 25.04.2018 Thorsten Lenk