The General Data Protection Regulation (“GDPR”) is the new legal framework that will come into effect on May 25, 2018. The GDPR focuses on protecting personal data, i.e., data about individuals, and sets out the responsibilities of businesses in relation to the processing (collection, storage, transmission, and use) of this personal data.
Synergist has been awarded ISO 27001 certification. ISO 27001 is the international best practice standard for information security. It is a certifiable standard that is broad-based and encompasses the three essential aspects of a comprehensive information security regime: people, processes, and technology.
An organisation that implements measures to protect information using this three-pronged approach demonstrates that it is able to defend itself not only from technology-based risks but also from other, more common threats, such as poorly informed staff or ineffective procedures.
ISO 27001 mandates that organisations conduct a thorough risk assessment, identifying threats and vulnerabilities that can affect their information assets and taking steps to assure the confidentiality, availability, and integrity (CIA) of that data.
The GDPR specifically requires a risk assessment to ensure an organisation has identified risks that can impact personal data. This has been completed, and updates have been made to our policies, procedures, and processes where required, including an updated privacy policy.
How using Synergist helps ensure compliance
Ensuring compliance with the GDPR is the responsibility of every organisation and a great opportunity to review and document procedures to ensure personal data is being protected. Whilst the use of Synergist can’t in itself ensure compliance with the GDPR, we’ve introduced numerous features to make it easier for Synergist users to achieve compliance.
These include:
- The addition of fields to store details of opt-in records for marketing communication preferences on contacts in addition to existing opt-out records
- Facility to record source of opt-in info
- Facility to record verification of opt-in status with date and user stamp
- Automatic logging of changes to opt-in info in the history field for each contact
- Batch selection of contacts either by status or from a list of email addresses
- Batch update of contacts with consent changes
- Additional data cleardown options for inactive contact data
- Contact export facility, including all personal data.
Many of these features were introduced in Synergist v12.2 and are more fully detailed in the release notes.
Some key aspects of GDPR
1. EU-based people and their data
GDPR applies to any personal data about people based in the EU. This includes any individuals you collect personal data on, such as customers/clients, suppliers and employees.
Personal data includes names, contact details, bank account or credit/debit card details, and medical information.
2. The right to know
For some years, individuals have had the right to ask businesses what information is held on them. This continues under GDPR and is tightened up to the extent that businesses must respond to requests within a month.
Supporting Synergist features
You can search for individuals by name from either the client or supplier contact list. Once located, you can export the data you hold on that person to a .csv file using the 'Export' option. The 'Export' facility creates a .csv file of the data stored in Synergist for that contact, showing both the standard fields and any user-specific fields you created for that contact. Synergist allows you to restrict which of the users of your system have access to the 'Export' facility.
3. The right to erase
Customers can ask a business to delete all personal data stored about them unless the information is needed for legal reasons, such as under tax regulations.
Supporting Synergist features
From the client (including prospects and leads) and supplier contact list, there is a facility to delete one or more selected contacts. If the records can't be deleted because they are linked to other records (e.g. the person involved was the contact on a job), then their personal data can instead be overwritten with 'XXXXXX'.
4. Collecting personal data
Under GDPR, you can only collect personal data if your reason is legal, for example, to satisfy a contractual obligation. Even then, you must make it clear what the data is for, and you have to restrict your use of it for that purpose.
Supporting Synergist features
Synergist will usually not be the primary system in which people give permission for you to process their data (that is more likely to be your website content management system or your mailshot / inbound marketing system). For many of our customers, however, Synergist is their master contact database. For this reason, we have added features that let you store each contact's opt-in and communication preferences, the date permission was given and its source, together with an automatic history of any changes made and by whom.
5. Data retention
GDPR states that personal data shall be kept for no longer than is necessary for the purposes for which it is being processed. You will, therefore, need to decide how long you hold personal information for in different scenarios (e.g. an enquiry that does not become an active prospect) and have a mechanism for removing older personal records.
Supporting Synergist features
Synergist includes a powerful contact filtering tool to identify such records and a clear-down facility to remove the key data fields likely to hold personal data. This allows these records to be identified en masse and removed as a periodic batch process by a user.
6. Data portability
Individuals can ask for a digital copy of their personal data for any reason, even if it is to help them move to a new supplier.
Supporting Synergist features
You can search for individuals by name from either the client or supplier contact list. Once located, you can export the data you hold on that person to a .csv file using the 'Export' option. The 'Export' facility creates a .csv file of the data stored in Synergist for that contact, showing both the standard fields and any user-specific fields you created for that contact. Synergist allows you to restrict which of the users of your system have access to the 'Export' facility.
7. Data breaches
If certain types of breaches do occur, you are obliged to report them to the appropriate supervisory authority.
8. Data protection and data security
You need to ensure that personal data is processed in a manner that ensures appropriate technical and organisational security. To achieve this, you should keep the data you process secure and ensure appropriate information security policies and procedures are in place. This applies to electronic and paper records as well as physical security.
For on-premise Synergist customers
You need to ensure that your Synergist server, the computers from which you access it, and your network are suitably secure. If necessary, check with your IT support.
For Synergist Cloud customers
The security of your data is of the utmost importance to us, and our reputation as a provider of cloud-based business management systems depends on us maintaining this. Your Synergist cloud instance is managed by us and hosted in the AWS (Amazon Web Services) cloud. Your data never leaves the AWS environment in our processing of it. AWS was selected as the platform for the Synergist Cloud based on its commitment to Security by Design (SbD); AWS publishes further information on SbD and GDPR in the AWS cloud. For security reasons, we do not publish the details of the Synergist Cloud security measures, but we are happy to discuss these with clients if you have specific questions or requirements.
Although we manage the security of the Synergist Cloud and enforce encrypted communication only between users' machines and the Synergist Cloud, you still need to ensure that the devices from which you access your Synergist Cloud system, and your user credentials, are kept secure. If necessary, check with your IT support.
Checklist for businesses
- Find out which of your services collect personal data.
- Ensure you can comply with GDPR, including having a legal basis for data processing.
- Review your customer/client contracts.
- Check your internal and external compliance notices.
- Make someone in your team responsible for GDPR compliance and data security.
- Give training to your team.