Are your DMS and other systems GDPR-compliant? A guide to assessment.

BACK TO LIST

In our previous posts we explored the need to identify personal data and to understand how to use it without breaking the law or the individuals’ rights. Now we will help you understand how to assess various software you might be using in your dealership to make sure you are compliant with GDPR.

One big reason for introducing GDPR was to reinforce data protection practices in an increasingly digital world. Ideally, all digital data processed by an organization should be stored in a single place and used by means of adequate access levels and policies.

In practice, data, including personal data, is stored in different ways (standard or proprietary files, databases on-premises or in the cloud) and used by software with different levels of specialization e.g. workshop tools, document management systems, word processors, etc. Moreover, this data travels across the local network or via internet to remote places.

It is therefore essential to understand the role of IT, software and technology to make good decisions in regards to GDPR compliance.

GDPR Requirements for Software

Both parties involved in data protection, controller and processor, have the responsibility to comply with GDPR. In order to meet this goal, they need to make several choices to build the IT ecosystem that suits their needs and fulfils the legal requirements.

GDPR requires privacy-by-default and by-design, meaning thinking about privacy regulations from the start whenever these decisions are made.

Software is not inherently GDPR-compliant. Compliance is not guaranteed by having the tool, but rather by how it is used. Depending on its technical features, a software package can hinder or facilitate compliance to GDPR. The next paragraphs list relevant articles:

"...processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’)."

(GDPR Art. 5, f)

"...the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:

(a) the pseudonymisation and encryption of personal data;

(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

(c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;

(d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing."

(GDPR Art. 32)

How to assess the software you use?

Here is a list of technical features to evaluate how strongly a particular software supports GDPR:

  • Encryption – Data travelling across two remote points must be readable to the sender and receiver only. Data storage (including back-ups) cannot be readable to unauthorized parties.
  • High availability and integrity – By means of redundant storage and periodic backups, the software must be available to the users whenever they need it without delay.
  • Authentication methods – It must be possible to identify who changed or accessed personal data. The authentication (i.e. to identify the human being or interface), must not be “weak” (i.e. without password); ideally, advanced methods (e.g. biometric) should be used.
  • Granular user rights – Limit what data can be accessed or changed by an authenticated user (or interface) – different roles and users need to work only on what is needed
  • Logging – It is of particular help to be able to identify who and when accessed or modify data, especially in case identification and breach reporting.
  • Patches – No software is bug-free, but having the right support from the software provider greatly helps to keep systems up-to-date.

Note that this can apply to the whole IT infrastructure and not only to one specific software. It encompasses workstations, servers, networks, devices, operating systems. Networks should provide secure and reliable means of data transfer, workstations need to be checked regularly for malware or viruses that can make their way to sensitive data and put it in the hands of unscrupulous people.

The implementation, maintenance and support of these elements can be an in-house task or outsourced – software as a service is becoming increasingly popular.

POSTED ON
4/16/2018 12:00:00 AM
BACK TO LIST