GDPR and Time Registration
The biggest change in the history of data protection since the internet is due to take place on 25th May, 2018. Indeed, new rules around data protection are forcing countless businesses to undergo massive transformation. All employee information must be protected, certain data may no longer be compiled and protocols must be written for virtually every single data process. As more stringent requirements are being imposed on the protection of HR data and employees are set to enjoy greater rights in terms of data, it’s essential that employers are well informed.
The origins of the GDPR can be found in Directive 95/46/EC, an older directive that the new regulation replaces.
GDPR and Protime
As market leader in the field of time registration, planning, access control and social software, Protime is actively involved in many of the areas that the GDPR regulation will affect.
The GDPR, or General Data Protection Regulation, concerns the protection of data for EU citizens. In brief, this means that those companies which don’t have an office in the EU, yet do provide services to EU citizens, must comply with the regulation. Protime solutions can be deployed worldwide and consistently comply with local regulations.
The new regulation defines it as follows:
The GDPR applies to all organisations – located inside or outside the EU – which control personal data (data controllers, the users of the Protime software) or process data (data processors, Protime itself) of EU citizens.
The GDPR amendments are of a largely technical nature. There will be little or no change to the Protime software in terms of usability. However, the storing of data 'behind' the software will change. Personal data, enriched with IP addresses or mobile IDs, must comply with GDPR regulation and security. This is one of the processes that Protime is currently working hard on. The data will be protected, for example, by scripting, hashing and encryption. A large number of fields are already 'hashed'. Transforming this data in this way turns it into 'pseudonymous data'. How such data is handled must be described.
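The page does not describe how Protime's hashing is implemented, so the following is an added illustration rather than Protime's code: one way to pseudonymise the IP address and mobile ID fields of a clocking record. It uses a keyed hash (HMAC-SHA256) rather than a plain hash, because an unkeyed hash of a low-entropy value such as an IPv4 address can be matched back to the original by hashing every possible address; with a secret key, the tokens stay linkable (the same device always maps to the same token) while the key, kept separately from the data, is the "additional information" that GDPR Article 4(5) requires for pseudonymisation. The key, field names and sample record are assumptions constructed for the example.

```python
import hashlib
import hmac
import ipaddress

# Constructed example key. In practice it comes from a secrets manager and is
# stored separately from the pseudonymised data, never next to it.
PSEUDONYMISATION_KEY = b"example-key-replace-in-production"

# Fields that are treated as enriched personal data (assumed field names).
PSEUDONYMISED_FIELDS = ("ip_address", "mobile_id")

# Constructed sample clocking record; nothing here comes from a real system.
SAMPLE_RECORD = {
    "employee_id": "E1042",
    "clock_in": "2018-05-25T08:01:00",
    "ip_address": "10.0.0.15",
    "mobile_id": "a1b2c3d4-constructed",
}


def pseudonymise_value(value: str, key: bytes, field: str) -> str:
    """Keyed hash of one field value.

    The field name is mixed into the input so that the same string appearing in
    two different fields does not produce the same token (keeps tokens from
    being cross-linked between fields). The digest is truncated to 128 bits,
    which is ample for a lookup token.
    """
    message = f"{field}:{value}".encode("utf-8")
    return hmac.new(key, message, hashlib.sha256).hexdigest()[:32]


def pseudonymise_record(record: dict, key: bytes = PSEUDONYMISATION_KEY) -> dict:
    """Return a copy of the record with the personal-data fields replaced by tokens.

    Non-personal fields are left untouched. An IP address is validated before
    hashing so that malformed input is rejected instead of silently tokenised.
    """
    out = dict(record)
    for field in PSEUDONYMISED_FIELDS:
        if out.get(field) is None:
            continue
        if field == "ip_address":
            ipaddress.ip_address(out[field])  # raises ValueError on bad input
        out[field] = pseudonymise_value(str(out[field]), key, field)
    return out


if __name__ == "__main__":
    print(pseudonymise_record(SAMPLE_RECORD))
```

Rotating the key breaks linkability with tokens produced under the old key, so key rotation has to be planned together with any reporting that joins records across the rotation date.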
Biometric data, fingerprint scanning
The GDPR prescribes specific rules for access control or clocking with biometric data. This is sensitive information that requires improved protection and explicit authorisation. It's highly likely that your employees already need to sign for the fact that biometric data is used to gain entry somewhere. As of GDPR implementation, logging this consent will be mandatory.
What has already been accomplished?
In the past, a 'Policy Framework' was drawn up. This describes exactly what security applies to Protime. This framework will continue to be worked on over the coming months.
Protime wishes to become 100% compliant with GDPR requirements in as short an amount of time as possible. The following steps have already been taken:
- Renewed data centre with private cloud environment
- New secure SFTP servers
- Enhanced testing of vulnerability to intruders
- Security by design: software must be designed to be as secure as possible. This is achieved via specific best practices based on frameworks.
New steps have also been taken internally. Indeed, Protime's internal IT has made numerous modifications to our laptops, the security is state-of-the-art, and there has even been a change to the guest Wi-Fi, which can no longer be accessed so easily.
What still needs to happen?
Whilst security is already of an extremely high standard, there are still a number of changes to be implemented within the GDPR framework. This is likely to have a small effect on the Protime software. Subject to change: for relatively new users, the new password policy is already in effect. This new policy will be rolled out for the remaining users, in consultation with them. The policy for admins (data centre engineers) will also be further tightened. The cloud will undergo additional testing of its vulnerability to intruders and security will be enhanced.
Internally, Protime will also take some extra steps to further ensure the security of data.
What could go wrong?
On a technical level, the Protime software shall fully comply with all of the GDPR requirements. However, it should be noted that this relates to SaaS-users. If you are still using the 'legacy' Protime on your own server, then it would be wise to contact your account manager to discuss an upgrade or conversion to SaaS.
Employees are your greatest risk. If an employee leaves their PC open without locking it, then the data that it contains can be viewed by others, resulting in a so-called 'data breach'. Employees might also be tempted to select an extremely simple password or send their Protime password to a colleague via email. This should not be permitted under any circumstances.
If you have questions about Protime and the GDPR, you can always contact your Protime account manager or send a message via the contact form.