The GDPR came into force on 25 May 2018, and it was very difficult to ignore thanks to the deluge of “Security Policy update” emails that went out. You have updated your Security Policy and allocated roles and responsibilities, but now that the dust has settled it is time to think about how much work it will actually take to manage your data effectively over time. Does your Laboratory Sample or CRM data management system give you the tools to comply with GDPR and to operate easily in this new environment?
The legislation is new but the data management requirements aren’t!
GDPR largely puts existing best practice into a formal legislative structure. The companies that have earned the most trust from their customers are the ones that already follow these newly mandated practices and manage their customer data well. Poor practice eventually comes to light, and some very large companies have recently learned how difficult it is to rebuild trust once sloppy data handling is exposed. Poor customer data management carries high monetary and reputational costs, all the more so now that the legislation is in force and fines can reach 4% of global annual turnover or €20 million, whichever is higher.
System features relevant to GDPR
Although most companies deal with some common areas of data, each company will have a different way of managing it. Your business systems need the flexibility to cope with those little differences that make your company and its services unique. You still share common requirements for the underlying features though. These include the following:
- Data structure flexibility – as your data needs change you may need to alter your data structures. Identifiable data should be recorded in as few places as possible and easily monitored for oversight and processing. Achiever provides all of the tools needed to add, remove and modify any table, field or relationship in your entire database. If you’ve had the appropriate training, you don’t even need to ask us (your supplier) to manage these changes for you. You have control.
- Powerful searching – you need the ability to track down all data relating to an individual or, indeed, any company, product or process. You need to derive knowledge from your data. Achiever’s query builder is built into the foundation of the system, supports all of your customised data structures and allows data from different tables to be drawn together and queried, exported, updated, translated or processed as you wish. All of this can be carried out using standard tools built into the system. There’s no need to ask us to do it for you.
- Workflows that can update (anonymise) or delete data – any data that can be used to identify an individual is personal data under GDPR, and some of it (health data, for example) falls into the special categories that need extra protection. You should have tools that let you control who can see such data and what can be done with it, including anonymising or erasing it when a data subject asks. Achiever users can flag any text field as “Sensitive”, and from then on the data in that field is encrypted before it is saved to the database. Decryption is governed by business rules that you control and is carried out record by record in any query, so the data is only ever displayed, or made available, on a need-to-know basis.
- Auditing – you need detailed, automated auditing both to validate the changes you make and to evidence your compliance clearly. Achiever’s automatic field-level auditing can be enabled on any field; it records the before and after values, who made each change and when. This is transparent to users and requires no programming or changes to any screen, query or process. Because it is part of the system, auditing happens automatically as data is used and updated, and the audit trail is already there to view and report on whenever it is needed.
- Security filters – any customer profiling or automated processing routine you run needs to respect each individual’s communication and processing preferences, which is notoriously difficult to manage by hand. Achiever’s security filters are applied automatically to all searches and processing routines, including the ad-hoc query builder, so users never need to remember to exclude individuals who have not opted in to communications or to automated processing and decision-making.
- Tools to evolve the system – Legislation changes as well as evolution of your own processes and requirements are inevitable, and so your databases should evolve with you. Achiever’s built-in tools allow you to easily customise and adapt your systems and underlying database structure to ensure that maintaining best practice at all times is as painless as possible.
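To make the encryption, auditing and filtering points above concrete, here is an added illustration in Go of the pattern those three bullets describe: fields flagged sensitive are encrypted (AES-GCM) before they reach the store, decryption is gated by a caller-supplied business rule, every field write is audited with before/after values plus who and when, and a consent filter is built into the search so callers cannot forget it. It is not Achiever’s code and says nothing about how Achiever implements these features; the in-memory store, the field names, the “marketing_opt_in == yes” rule, the clinician-only read rule and the sample donors are all constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"time"
)

var ErrNeedToKnow = errors.New("sensitive field: user has no need to know") // decryption refused by business rule

// AuditEntry is one audit row; Before/After hold the stored bytes, so for a sensitive field they are ciphertext.
type AuditEntry struct {
	RecordID      int
	Field, Who    string
	Before, After []byte
	When          time.Time
}

type Store struct {
	aead      cipher.AEAD                   // AES-GCM; sensitive fields are stored as nonce||ciphertext
	sensitive map[string]bool               // fields flagged "Sensitive"
	canRead   func(user, field string) bool // business rule that gates decryption
	records   map[int]map[string][]byte     // in-memory stand-in for a database table (constructed for this example)
	Audit     []AuditEntry
}

// NewStore needs a 16, 24 or 32-byte key (AES-128/192/256).
func NewStore(key []byte, sensitive map[string]bool, canRead func(user, field string) bool) (*Store, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return &Store{aead: aead, sensitive: sensitive, canRead: canRead, records: map[int]map[string][]byte{}}, nil
}

// Set writes one field, encrypting it first if flagged sensitive, and audits the change.
func (s *Store) Set(user string, id int, field, value string) error {
	if s.records[id] == nil {
		s.records[id] = map[string][]byte{}
	}
	stored := []byte(value)
	if s.sensitive[field] {
		nonce := make([]byte, s.aead.NonceSize()) // fresh random nonce for every write
		if _, err := rand.Read(nonce); err != nil {
			return err
		}
		stored = append(nonce, s.aead.Seal(nil, nonce, stored, nil)...)
	}
	s.Audit = append(s.Audit, AuditEntry{id, field, user, s.records[id][field], stored, time.Now()})
	s.records[id][field] = stored
	return nil
}

// Get decrypts a sensitive field only if canRead allows it for this user; otherwise ErrNeedToKnow.
func (s *Store) Get(user string, id int, field string) (string, error) {
	stored, ok := s.records[id][field]
	if !ok {
		return "", errors.New("no such record or field")
	}
	if !s.sensitive[field] {
		return string(stored), nil
	}
	if !s.canRead(user, field) {
		return "", ErrNeedToKnow
	}
	n := s.aead.NonceSize()
	if len(stored) < n {
		return "", errors.New("stored value too short")
	}
	plain, err := s.aead.Open(nil, stored[:n], stored[n:], nil) // fails on tampering or a wrong key
	return string(plain), err
}

// Contactable is the security filter every contact search goes through, so no caller can forget to exclude records without marketing_opt_in == "yes".
func (s *Store) Contactable() map[int]bool {
	ids := map[int]bool{}
	for id, rec := range s.records {
		if string(rec["marketing_opt_in"]) == "yes" {
			ids[id] = true
		}
	}
	return ids
}

func main() {
	key := []byte("0123456789abcdef0123456789abcdef") // 32-byte demo key; in practice from a key management service
	store, _ := NewStore(key, map[string]bool{"donor_name": true}, func(user, _ string) bool { return user == "clinician" })
	store.Set("admin", 1, "donor_name", "Jane Doe") // constructed sample data
	store.Set("admin", 1, "marketing_opt_in", "yes")
	store.Set("admin", 2, "donor_name", "John Roe")
	store.Set("dpo", 2, "donor_name", "[anonymised]") // erasure request, audited like any other change
	_, denied := store.Get("analyst", 1, "donor_name")
	name, _ := store.Get("clinician", 1, "donor_name")
	fmt.Println(denied, "|", name, "|", store.Contactable(), "|", len(store.Audit))
}
```

Two design points carry over to a real system. The audit trail stores the same bytes the table stores, so an auditor can prove that a sensitive field changed, and who changed it, without the audit log becoming a second copy of the identifiable data. And the consent check lives inside the search function rather than in each caller, which is the only arrangement under which “users never need to remember” is true; a filter that a query author has to add by hand will eventually be left out.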
Maturity of tools
One risk to consider is that your system supplier has added a “bolt on” module to cope with GDPR. Ideally, you’d prefer features that were already built into the core of the product and, even better, have been in place for years. These requirements aren’t new so you shouldn’t have to work with features that have no track record.
Achiever’s tools have always been at the heart of its design and have been used for years so they have a proven track record.
Many large institutions have relied on Achiever Medical to manage their sensitive data for years. Chris Chambers, Support Analyst at the University of Leeds, provided this endorsement:
“Leeds Teaching Hospitals NHS Trust is happy that its database system, Achiever Medical, has the necessary robust auditing and encryption tools to both protect our donor identifiable data and also to manage it effectively. We have been using Achiever Medical to manage and segregate the data of separate teams for 9 years and this now extends to 31 teams. Achiever Medical has now been extended to managing our internal auditing and will allow us to record consent appropriately and manage/remove data as required, to fully comply with GDPR.”