The General Data Protection Regulation (GDPR) is an EU regulation that comes into force on 25th May 2018.
It is a set of laws that build on existing data protection legislation in order to further protect the personal data of individuals in a modern digital age.
The new laws apply to all businesses regardless of size, and will continue to be implemented in British law after the UK has withdrawn from the European Union.
People sometimes talk of software being "GDPR Compliant"; however, GDPR is a very broad regulation that does not concern itself with the specifics of business software, and therefore it is not possible to have a piece of software officially certified as GDPR compliant.
GDPR does, however, require that software includes Privacy by Design, something that Easify has set out to achieve since its inception.
So it is not a question of software being GDPR compliant, but about the software providing support required for a business to fulfil the requirements of GDPR. In other words, your business software will form part of your overall strategy to implement the requirements of GDPR.
One area where GDPR does affect business software systems has to do with the physical location of computer systems involved in processing personal data.
GDPR specifies that any computer systems that are used to process personal data must be located (domiciled) within the EU.
Easify Cloud Servers are all hosted within the North Europe resource group of the Microsoft Azure cloud platform.
We do not transfer any data outside of the EU.
Easify software does not send any personal data back to us either directly or via telemetry.
Administrative access to Easify Cloud Servers is heavily restricted; only a very small number of Easify staff are authorised to administer Easify Cloud Servers.
All communications to and from your Easify Cloud Server are TLS encrypted.
We use a 3rd party provider for postcode lookups if you have them enabled. The postcode lookup provider is located in the UK and has attested that it is GDPR compliant.
If you use integrated card terminals with Easify, no personal information is transmitted from Easify to the card processor during a card transaction.
Easify Ltd operates its business to be GDPR compliant in our role as a controller and processor of personal data.
The following information applies if you do not use an Easify Cloud Server, that is, if you have installed the Easify Server Software in your premises on your own server, PC or laptop.
GDPR specifies that any computer systems that are used to process personal data must be located (domiciled) within the EU, so as long as your Easify Server is located within the EU it will meet that requirement.
All communications to and from your Easify Server, whether over the local network or from a remote Easify Client, are TLS encrypted.
We use a 3rd party provider for postcode lookups if you have them enabled. The postcode lookup provider is located in the UK and has attested that it is GDPR compliant.
Easify software does not send any personal data back to us either directly or via telemetry.
If you use integrated card terminals with Easify, no personal information is transmitted from Easify to the card processor during a card transaction.
In terms of the GDPR requirement that individuals have a right to be forgotten under certain circumstances, Easify is designed to be highly non-restrictive in how you can edit and delete data.
GDPR also requires that individuals opt in before you can store and process their personal data. Easify by design has features that allow you to record opt-in information; for example, for individuals who opt in to receive email newsletters, you can record additional opt-in information using the customer notes section. Note that individuals who are party to a contract (e.g. requesting a quotation or estimate, or placing a sales order) will not require opt-in information to be separately recorded. However, if you are in any doubt, we recommend you seek the advice of a qualified GDPR consultant.
The above information is provided for guidance only, and should not be taken to represent legal advice. We recommend that you seek the advice of a dedicated GDPR practitioner if you have any questions related to how GDPR affects your specific business.