The General Data Protection Regulation becomes law across the EU on 25 May this year, and in order to assist our customers to ensure that they are compliant with the regulation we have introduced some system changes to the core Safe4 service. These changes are in fact part of a work-in-progress, since there are still some areas of uncertainty in the way that GDPR is expressed. The system modifications at this stage address the basic requirements of GDPR compliance, and will be built upon as greater clarity emerges.
As the Data Processor under data protection legislation, Safe4 makes use of a number of constructs, described within the system as providers and vaults. The new release, designated as version 5.10, allows these to be completely deleted, with all of their data content being irreversibly removed. The ability to perform such deletions will be granted to customers, the Data Controllers, at system administrator level only, and any actions of this sort will be carried out after several warnings have been given and responded to.
Users can also be deleted by Data Controllers. Safe4 permits users to have access to multiple providers and vaults, and consequently the removal of a user from a particular vault will not affect their access to any others.
However, because Safe4 is a system of record, the audit trails relating to the existence of providers, vaults and users will be retained. For example, the record of a user account’s existence will be retained as a basic “stub”, so that the integrity of audit trails can be maintained. Activity while a user was a member of a Safe4 vault will thus be available for evidential purposes in future, while any personal information that was stored about that person will be deleted.
The full range of reporting options will be developed over time as the specific needs of customers are established, and as aspects of GDPR compliance are clarified both by the Information Commissioner’s Office and by case law.
An additional function, available to the Data Controller immediately, will be the ability to respond to Subject Access Requests. The Safe4 administrator will be able to generate a Subject Access Request report at the touch of a button. This will create a PDF document that can be provided externally if required, or stored as a record within Safe4.
As always, we at Safe4 consider the secure handling of customers’ information to be our highest priority. This approach will continue, and will be extended as necessary through working closely with Data Controllers to ensure that their GDPR compliance obligations are being met.
For more information on how Safe4 can support your GDPR compliance programme, please contact us. We will be very pleased to assist. General information on GDPR can be obtained from the UK Information Commissioner’s Office.