GDPR stands for General Data Protection Regulation and was designed to give EU citizens more control over their data. The GDPR legislation came into force on 25th May 2018. Its introduction was very difficult to ignore due to the deluge of “Security Policy update” emails that went out. You’ve updated your Security Policy and allocated roles and responsibilities, but now the dust has settled, it’s time to think about how much work it will take to manage your data effectively. This can be time-consuming if you are trying to do this manually. This is where your software systems can help. But does your LIMS or CRM system have the right tools to help you achieve GDPR compliance?
The legislation is new, but the data management requirements aren’t
GDPR is just putting best practice into a formal legislative structure. In addition, for those companies in the UK, the Data Protection Act has been in place for more than two decades to help protect information.
The companies that have earned the most trust from their customers are the ones that were already following these newly mandated practices. They are the ones that manage their customer data best. Poor practice eventually comes to light, and some huge companies have recently learned how difficult it can be to rebuild trust after sloppy data practices are exposed. Poor customer data management brings high monetary and reputational costs – especially now that the new legislation is in effect.
What system features are relevant to GDPR?
Although most companies deal with some common areas of data, each company will have a different way of managing it. Your CRM and LIMS systems need the flexibility to cope with those little differences that make your company and its services unique. You still share common requirements for the underlying features though. These include the following:
- Data structure flexibility – as your data needs change you may need to alter your data structures. You should record identifiable data in as few places as possible, which makes it easier to oversee that data and monitor how it is processed. Achiever provides all the tools you need to add, remove and modify any table, field or relationship in your entire database. If you’ve had the appropriate training, you don’t even need to ask us (your supplier) to make these changes for you. You have control.
- Powerful searching – you need the ability to track down all data relating to an individual, or to any company, product or process, and to derive knowledge from that data. Achiever’s query builder is part of the foundation of the system and supports all of your customised data structures. It allows you to draw data together from different tables, and you can then query, export, update, translate or process that information as you wish, using standard tools built into the system. There’s no need to ask us to do it for you.
- Workflows – that can update (anonymise) or delete data. Any data that can be used to identify an individual is deemed sensitive, so you need tools that control who can see sensitive data and what they can do with it. Achiever users can flag any text field as “Sensitive”; from then on, the data in that field is encrypted before it is saved to the database. Decryption is governed by business rules that you control and is applied record by record in every query, so such data is only ever displayed or made available on a “need to know” basis.
- Auditing – you will need detailed, automated auditing to validate the changes you make and to ensure that your compliance is clearly evidenced. You can enable Achiever’s automatic field-level auditing on any field. This records the before and after values, who made each change and when. It is transparent to users and requires no programming or changes to any screen, query or process. Because it is part of the system, auditing happens automatically as you use and update data, so any required audit trail is there for you to view and analyse.
- Security filters – any customer profiling or automated processing routines you run need to be configured to respect each individual customer’s communication and processing preferences, and to follow certain rules. This is notoriously difficult to manage. Achiever automatically applies security filters to all searches and processing routines, including the ad-hoc query builder, so you don’t have to remember to exclude individuals who have not opted in to communications.
- Tools to evolve the system – changes to legislation, and to your own processes and requirements, are inevitable, so your databases should evolve with you. Achiever’s built-in tools allow you to customise and adapt your systems and the underlying database structure easily, ensuring that you maintain best practice as painlessly as possible.
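To make the mechanisms in the list above concrete, here is an added illustration (not Achiever’s code) of three of them working together on a constructed in-memory contact table: field-level auditing that records who changed what and the before/after values, an opt-in security filter applied inside the single query path so no caller can bypass it, need-to-know masking of fields flagged sensitive, and an anonymisation workflow for an erasure request. The schema, role names and sample contacts are assumptions made for the example.

```python
from datetime import datetime, timezone

SENSITIVE = ("name", "email")        # fields flagged "Sensitive" in the assumed schema
NEED_TO_KNOW = {"dpo", "support"}    # business rule: roles allowed to see sensitive values
ANON = "[anonymised]"

class ContactStore:
    """Constructed in-memory CRM table; an illustration, not a real product's implementation."""
    def __init__(self):
        self.rows = {}     # contact_id -> record dict
        self.audit = []    # one entry per changed field: who, when, before, after

    def save(self, user, cid, **changes):
        rec = self.rows.setdefault(cid, {})
        for field, new in changes.items():
            old = rec.get(field)
            if old == new:
                continue   # audit only real changes, keeping the before/after values
            self.audit.append({"who": user, "when": datetime.now(timezone.utc).isoformat(),
                               "id": cid, "field": field, "before": old, "after": new})
            rec[field] = new

    def query(self, role, purpose="view"):
        """Every read goes through this one filter, so callers cannot forget it."""
        for cid, rec in self.rows.items():
            if purpose == "marketing" and not rec.get("opt_in", False):
                continue   # not opted in: excluded from any communications run
            masked = {f: v if (role in NEED_TO_KNOW or f not in SENSITIVE) else "***"
                      for f, v in rec.items()}
            yield cid, masked

    def anonymise(self, user, cid):
        """Erasure workflow: blank identifiable fields, withdraw consent, keep the audit trail."""
        present = {f: ANON for f in SENSITIVE if f in self.rows.get(cid, {})}
        self.save(user, cid, opt_in=False, **present)
        return [e for e in self.audit if e["id"] == cid]

def demo():
    s = ContactStore()
    s.save("alice", 1, name="Pat Example", email="pat@example.invalid", opt_in=True)
    s.save("alice", 2, name="Sam Example", email="sam@example.invalid", opt_in=False)
    campaign = [cid for cid, _ in s.query("sales", purpose="marketing")]  # only contact 1
    sales_view = dict(s.query("sales"))[1]["name"]   # masked: sales is not need-to-know
    dpo_view = dict(s.query("dpo"))[1]["name"]       # visible to the DPO role
    trail = s.anonymise("dpo", 2)                    # audit entries evidence the erasure
    return campaign, sales_view, dpo_view, trail

if __name__ == "__main__":
    print(demo())
```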
Software that has data protection options and tools at its core
One risk to consider is that your system supplier has added a “bolt-on” module to cope with GDPR. Ideally, you’d prefer these features to be built into the core of the product and, even better, to have been in place and in use for years. These requirements aren’t new, so you shouldn’t have to work with features that have no track record.
We have always put data protection tools at the heart of Achiever’s design. Our customers have been using the tools for more than 15 years, so they have a proven track record.
Many large institutes have relied on Achiever to manage their sensitive data for years including Chris Chambers, at the University of Leeds:
“Leeds Teaching Hospital NHS Trust is happy that its database system, Achiever Medical, has the necessary robust auditing and encryption tools to both protect our donor identifiable data and also to manage it effectively. We have been using Achiever Medical to manage and segregate the data of separate teams for 9 years and this now extends to 31 teams. Achiever Medical has now been extended to managing our internal auditing and will allow us to record consent appropriately and manage/remove data as required, to fully comply with GDPR.”