GDPR in PANTHEON – Post Version 10.100.30
PREFACE
The General Data Protection Regulation (GDPR) of the EU is a welcome step for rights related to personal data protection, because it introduces limits to otherwise reckless collection, processing, and sale of our personal data. GDPR ensures legal protection for EU citizens, but it also raises awareness and the standards relating to personal data protection worldwide.
It's true that it imposes additional obligations on businesses, but with the right tools, compliance is not too difficult to achieve. This is especially true for companies using PANTHEON, because most have fewer than 250 users, which makes the GDPR requirements significantly less strict. Please keep in mind your local laws when reading this manual.

|
Because the Slovenian Personal Data Protection Act (ZVOP-2) was not passed in time, it's unclear how strictly the Slovenian legislature will implement GDPR. Certain interpretations can be stringent and impractical.
Despite a lack of clear regulations, we tried to anticipate solutions in accordance with the original Regulation and its implementation in comparable countries. Because history teaches us that sudden legislative changes are not an unusual occurrence, we kindly ask you to not only read this article, but to also keep track of our Usersite announcements.
|
We try to equip PANTHEON with everything that's necessary to keep track of the most stringent requirements in the retail, medical, service, and financial industries. You can define permissions regarding personal data consultation yourself. The default settings allow all consultations and therefore need to be changed.

|
Starting with version 10.100.130, Datalab has changed its upgrading philosophy.
So far, every time laws changed, we configured the default settings to follow the letter of the law as strictly as possible to ensure that users are compliant. Whenever there was any doubt we would choose the strictest solution, thereby 'locking out' certain functions and making users' lives unnecessarily harder.
We believe that it's time to distance ourselves from this paternalistic approach and turn it on its head. New upgrades will only minimally affect existing settings and functionality. PANTHEON's functionality should be as close as possible to how it was before the upgrade. You can then block access in accordance with your company policy.
|
INTRODUCTION
Do you know what you need to do before you start configuring settings in PANTHEON?
On 25 May 2018 GDPR came into effect. In order to collect and process data, you will need to define the purposes for collecting the data, how you process and store them, to whom you transfer them, and get the consent of every user for individual activities. You will have to clearly and transparently show the conditions and purposes for handling personal data. Additionally, you will have to clearly separate them from existing business terms.
In accordance with GDPR, inactivity does not constitute consent and pre-ticked consent boxes in contact forms are not allowed, requiring you to clearly state the purposes for which you want to use personal data. Users whose personal data you're storing must agree to each individual activity relating to data collection and processing.
The data you collect by consent cannot be used for any purpose other than the one for which they were collected.
The only exception to the consent requirement is when a legal basis exists for collecting certain personal data. For example, you don't require an employee's consent to collect their personal data which is transferred to state authorities (e.g. tax number, address, birth date) or is required to issue invoices. However, you need to know exactly when this applies. You will also have to clearly explain this type of data collection to personal data holders and disclose it upon their request.
In order to protect their privacy and allow access to their data, you have to ensure the 'right to be forgotten' and the 'right to data portability'.
The right to be forgotten allows individuals to request that all data related to them that is stored in your databases be erased. The right to be forgotten does not apply to archived data that has to be consistent with original documentation (in accordance with statutory terms).
The right to data portability is the right of an individual to request all data pertaining to them in a format that can be transferred to another data processor. It is primarily intended for social media and personal service providers (e.g. credit check, financial and medical service providers, fitness software providers, meaning those providers who rely on user data), as it is designed to prevent users from being locked into a particular platform due to the history they've established with a particular service. Commercial, manufacturing and other service-oriented companies have a much easier role in this respect.
Let's look at the differences between the information system, the archiving system, and the CRM system:
| | ERP (PANTHEON) | Archiving system (DMS & WF) | Customer relations (CRM) |
|---|---|---|---|
| Primary Purpose | Recording and analyzing transactions | Creating evidence | Generating sales |
| Users within a company | Most employees | DPO, users with archiving permissions | Sales, Management |
| Storing personal data | Minimal selection | Mostly in compliance with legislation | Maximum selection |
| GDPR Difficulty | Intermediate | Low | High |
Let's take a look at an example of a typical process involving the personal data of a natural person:
A customer signs up for a loyalty membership card and gives their consent for data processing. The data will be recorded in a CRM system and, by extension, in PANTHEON. The customer will conduct several transactions (sales) that will most likely be recorded in both systems, but definitely in PANTHEON, which will be used to issue the invoices. 10 years after the last transaction, or at the customer's request to be forgotten, the customer's PANTHEON invoices will be archived (a DPO will ensure that invoices are kept 10 years after being issued), while the customer themselves will be rendered anonymous in PANTHEON and the CRM. Their invoices will therefore remain unchanged in the archive to be used for analytical purposes, but can no longer be processed. Anonymous customer behavior data are company data/property and have to be archived and protected as such. After the legally mandated deadline, the DPS erases them from the archive, destroying them permanently.
General Advice
The following advice will help you protect the personal data of your users, so that they can't be abused and you're not liable for damages:
- Collect only those data that you absolutely need.
- Ensure that you have explicit consent or a legal basis to collect personal data.
- Ensure the right to be forgotten, the right to data portability, and the right to consult personal data and its uses.
- Appoint a data protection officer.
- To collect personal data of minors younger than 16 years, ensure that you have their parents' consent.
- Educate all your employees about GDPR requirements.
- Stay informed about personal data protection.
- Ensure that your PANTHEON complies with GDPR.
Some steps to take to ensure GDPR compliance:
- Appoint a data protection officer who will be responsible for personal data protection in your company.
- Figure out which personal data your company collects: review all your workstations and other data carriers.
- Delete any databases containing personal data for which you do not have consent.
- Get (renewed) consent for personal data you wish to continue using.
- Be thorough when deciding which personal data will be visible to employees and available for processing.
- Educate all your employees on how to properly collect and process personal data.
- Assign a username and password (at least 8 characters long, consisting of letters, numbers, and at least one special character, such as #, $, %) to each employee using PANTHEON. Set up a system that will require a password change every 3 months.
- Set up the documentation settings so that your archive is created correctly.
- Set up your PANTHEON in a manner that will ensure compliance with GDPR. Use settings that will be discussed in more detail below.
PANTHEON contains the tools that will allow you to operate in compliance with GDPR. The tools for GDPR compliance are located in several places in PANTHEON:
1 ADMINISTRATION PANEL
A new menu with the name GDPR has been added to the Administration Panel. It's a submenu in the Security menu and contains 4 more submenus:

Picture 1: Administration Panel - GDPR
1.1 CONSENT REGISTER
Picture 2: Consent Register
You can adjust the consent register for different levels or modules of the software:
- Subjects (S.)
- Contacts (C.)
- Employees (E.)
The register contains the following data:
| Field | Description |
|---|---|
| Consent type | Enter the name of the type of consent - can be any text. E.g.: E-mail address usage |
| Note | Enter any notes for the consent type - can be any text. |
| S. | Determines whether the consent applies to subjects |
| C. | Determines whether the consent applies to contacts |
| E. | Determines whether the consent applies to employees |
| Period | Enter the default duration of the consent in months |
| Valid from | Enter the date from which the consent applies |
| Valid to | This is an auto-generated field based on the information given in the Valid from field and the Period. You can adjust this field manually. |
| Workflow (WF) - Adding Consent | Select the WF for adding consent. |
| Workflow - Revoke Consent | Select the WF for revoking consent. |
Relevant authorizations are required to manage consent. Consent management is handled by the "Consent Register Management" node in the authorization tree.

Picture 3: Tree structure within Authorizations
1.2 MANAGING GDPR
This is the main form for GDPR in PANTHEON. It contains a list of all individuals contained in PANTHEON databases. This module allows us to manage their consent, print out all documents where they are mentioned, erase them from records, or block erasure in certain cases, such as when they are in a legal dispute that has to be resolved before we're able to erase the personal data.

Picture 4: Managing Consent
Only subjects that are defined as individuals, their contacts, and employees are listed here. Here we can enter consent given by subjects/contacts/employees.
When selecting a subject in the upper half of the form, a list of their given consent is displayed in the bottom half.

|
Here we can block or erase subjects.
|
Blocking a subject:
|
Blocking a subject means disabling erasure, that is, preventing the subject from being made anonymous for GDPR purposes. Please refer to the Blocking chapter for more information.
|
Erase:
|
When a company receives a request for erasure of a subject/contact, users can do that simply by clicking the Erase button. When clicking the button, the program first checks whether documents for that subject exist. If they don't, the subject is erased from the subject register.
|
If reference records for the subject exist, an IRIS message will appear offering several options.
Picture 5: Message box during subject erasure.
Transfer data to DMS
|
Clicking the "Transfer data to DMS" button will render the subject anonymous, meaning that the subject ID is transformed into an ID which is not personally identifying information and all other subject data is erased. The ZIP code and country data are not erased.
|

|
Data transferred to DMS are used for archiving purposes and remain compliant with the original accounting documents or transaction document and are stored in accordance with legal requirements. This can be set up in the Classification Schema.
|
After the subject has been rendered anonymous, the subject's data in the Subject Register are anonymous and its status is set to Inactive.

Picture 6: The Subject Register after the process of rendering the subject anonymous
Issued documents linked with the anonymous subject contain no data referring to the anonymous subject in their headers, while the line items of the document remain unchanged.
Picture 7: Example of an issued document after the subject is rendered anonymous.
Which PANTHEON feature is used to render data anonymous?
To encrypt subject data, we used the "Automatic Subject ID Generation" feature available in the Administration Panel | Settings | Subjects.

Picture 8: Subject ID generator settings.
A GDPR constant field has been added here (for users who already use this type of encryption). Based on this constant, users will know that a subject has been rendered anonymous.
The length of the ID used for this purpose can be defined here. If the ID length is not defined, the program will create a 30-character ID starting with the GDPR constant followed by a 26-character-long numeric code (e.g. GDPR_0000000000000000000000003). If the length of the ID is defined by the user, the resulting ID will reflect that (e.g. GDPR_1).
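The erasure flow described in this section (blocked subjects are refused, subjects without documents are deleted, subjects with documents are rendered anonymous), shown as an added Python example that is not PANTHEON's own code. The `Subject` and `Document` record shapes, all function names, and the choice to zero-pad a counter up to the configured total ID length are assumptions made for illustration.

```python
from dataclasses import dataclass, fields

GDPR_CONSTANT = "GDPR_"   # marker prefix, as in the page's example IDs
DEFAULT_ID_LENGTH = 30    # total length the page gives when none is configured

def make_anonymous_id(counter, id_length=DEFAULT_ID_LENGTH):
    """Constant plus zero-padded counter; nothing is derived from the person."""
    width = id_length - len(GDPR_CONSTANT)
    digits = str(counter)
    if counter < 0 or width < 1 or len(digits) > width:
        raise ValueError("configured ID length cannot hold this counter")
    return GDPR_CONSTANT + digits.zfill(width)

@dataclass
class Subject:            # hypothetical register row
    subject_id: str
    name: str = ""
    email: str = ""
    zip_code: str = ""
    country: str = ""
    active: bool = True
    blocked: bool = False

@dataclass
class Document:           # hypothetical issued document
    subject_id: str
    header: dict          # recipient data shown in the document header
    lines: list           # line items

def erase_subject(subject_id, register, documents, counter, id_length=DEFAULT_ID_LENGTH):
    """Return 'blocked', 'erased' or 'anonymized' for one erasure request."""
    subject = register[subject_id]
    if subject.blocked:                      # blocked subjects are left untouched
        return "blocked"
    linked = [d for d in documents if d.subject_id == subject_id]
    if not linked:                           # no reference records: plain delete
        del register[subject_id]
        return "erased"
    new_id = make_anonymous_id(counter, id_length)
    if new_id in register:
        raise ValueError("anonymous ID already in use")
    for doc in linked:
        doc.subject_id = new_id              # keep the link to the archived record
        doc.header = {}                      # header loses all subject data
    del register[subject_id]
    register[new_id] = Subject(new_id, zip_code=subject.zip_code,
                               country=subject.country, active=False)
    return "anonymized"

def remaining_data(subject):
    """Names of text fields still populated: a leak check to run afterwards."""
    return {f.name for f in fields(subject)
            if isinstance(getattr(subject, f.name), str) and getattr(subject, f.name)}

def demo():
    # Constructed sample records, not taken from any real database.
    register = {
        "ANA01": Subject("ANA01", "Ana Example", "ana@example.com", "1000", "SI"),
        "BOR02": Subject("BOR02", "Bor Example", "bor@example.com", "2000", "SI"),
        "CIL03": Subject("CIL03", "Cilka Example", "cilka@example.com", "3000", "SI", blocked=True),
    }
    documents = [Document("ANA01", {"recipient": "Ana Example"}, [("Widget", 2, 9.5)]),
                 Document("CIL03", {"recipient": "Cilka Example"}, [("Gadget", 1, 4.0)])]
    results = [erase_subject(s, register, documents, n + 1) for n, s in enumerate(list(register))]
    return results, register, documents

if __name__ == "__main__":
    print(demo()[0])
```

`remaining_data` is the check to run after an anonymisation pass: any field name it returns beyond the ID, ZIP code and country is personal data that survived.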
1.3 DOCUMENT PRINTOUT

Picture 9: The "Print Documents" button in the consent management form.
Clicking the "Print Documents" button will open a preview with a list of all documents linked to the selected subject.

Picture 10: Example of a report for an individual/subject for whom we're managing consent.

|
The features described for the Subject Consent form function the same way for the Contact Consent and Employee Consent forms.
|
1.4 BLOCKING
The Blocking tab contains a list of blocked subjects. Subjects are blocked because, for one reason or another, they cannot or may not be rendered anonymous. Once a subject has been blocked, it cannot be used in the program any longer. The subject cannot be selected on documents, but it can still be seen on reports (e.g. Invoices Issued Report). The subject cannot be rendered anonymous. A subject can be rendered anonymous only once it has been unblocked.

Picture 11: Blocked subjects.
The form contains the subject ID as well as when and who blocked it. The note field can be used to enter a description (e.g. the reason for blocking). Additionally, information pertaining to when and who unblocked the subject as well as the reason can be entered.
Subjects can be unblocked using the "Unblock" button.

Picture 12: The "Unblock" button in the blocked subjects form.
1.5 AUTHORIZATIONS
Authorizations for managing subjects can be found in the Authorizations tree structure.

Picture 13: GDPR authorizations tree structure.

|
By default, all user authorizations are open (set to Delete), which means that users' access to data will remain unchanged after upgrading the program. Overview remains the same.
After upgrading to version 1000130, users of PANTHEON are therefore required to set up primary authorizations and only allow full access to data to individuals responsible for GDPR in accordance with their GDPR company policy.
|
1.6 AUTHORIZATION - SHOW PERSONAL DATA (PD)
Users whose authorizations were restricted will see personal data in the Subjects register under individuals as shown below. All personal data except the Subject ID are hidden.
Picture 14: Example from Subjects register as seen by a user with restricted authorizations.
Users with restricted authorizations also won't have access to Recipient/Issuer data on goods documents.

Picture 15: Example from Issued/Receiving document as seen by a user with restricted authorizations.
1.7 SUBJECT REGISTER AUTHORIZATIONS - SHOW EMPLOYEES
A new authorization has been added to the Subjects register authorizations: Show Employees. We can assign authorizations to users to show subjects who are categorized as Employees in the Subjects register.
If a user has the authorization level None, they won't be able to see subjects with Employee Files in the Subjects register.

|
If employees have the authorization level None, they cannot be selected when searching for subjects in PANTHEON.
|
Picture 16: Show Employee authorizations.
1.8 OTHER AUTHORIZATIONS
Other authorizations (e.g. Blocked Subjects Consultation, Consent Register Management, PD Access List Report, and Personal Data Usage Report) apply to menu items in the Administration Panel | GDPR.
2 SUBJECTS REGISTER
The Subjects register contains the 'Natural person' parameter in the section dedicated to general information. This parameter is used to determine whether a subject is (the box is checked) or isn't (the box isn't checked) a natural person.
Picture 17: Subjects register – General

|
When upgrading to version 10.10.30, the parameter will automatically be checked when a subject is defined as:
- An employee or customer designated as an end customer as well as supplier designated as a 3rd party/non-taxable
or
- A customer designated as an end customer with no defined supplier
or
- A supplier designated as a 3rd party/non-taxable with no defined customer
|
The subjects register also contains a window to look up information about consent or blockades recorded in the Administration Panel.
Picture 18: Subjects register, Consent/blockades window
3 EMPLOYEE RECORDS
3.1 SUBJECT REGISTER AUTHORIZATIONS - SHOW EMPLOYEES
A new authorization has been added to the Subjects register authorizations: Show Employees. We can assign authorizations to users to show subjects who are categorized as Employees in the Subjects register.
If a user has the authorization level None, they won't be able to see subjects with Employee Files in the Subjects register.

|
If employees have the authorization level None, they cannot be selected when searching for subjects in PANTHEON.
|
Picture 19: Show Employee authorizations.
3.2 EMPLOYEE CONSENT
Companies only need their employees' explicit consent in cases when they have no legal basis to process their data, such as when they process data about:
- Family members for gift-giving purposes
- Private phone numbers or e-mails of employees
- etc.
It is important to first verify what types of employee personal data are being processed, for what purpose, and on what legal basis.

|
If we ask employees to give their consent for us to process personal data that we are legally required to collect and process, such as their tax number, home address, and others, it would be possible for the employee to revoke their consent, preventing us from processing that data and we would no longer be able to perform our duties as employers. Therefore, we have to consider carefully when we ask for consent.
|
The Administration Panel has consent management options for processing personal data for which we have no legal basis.
Picture 20: Consent options in the menu for employee consent management
Consent for individual employees can be managed in the Employee Consent tab.
Picture 21: Employee consent management form in the Administration Panel.
All consent configurations in the Administration Panel are also transferred to employees' personnel file in the Consent form:
Picture 22: The consent form in the personnel files
3.3 DATA ERASURE
To prevent misunderstandings pertaining to employee data erasure and to prevent the erasure of relevant data, let us reiterate some things.

|
In accordance with local legislation, documents with data about former employees and original certificates are to be stored as documents of lasting value and must be provided by the employer at the request of competent authorities. The same applies for pay slips and related documents. This data may not be erased.
|
3.3.1 APPLICANT DATA ERASURE
Personal data about applications must be erased after the interviewing period (and any appeal process) is concluded. For this purpose we have prepared a special wizard in the Applicant data entry form with which you can erase applicant data.
The wizard allows you to erase all data collected from applicants who applied for a particular job. This includes applicants' CVs and any supplementary documents that we stored on our hard drives and that were accessible in the Documents tab of the Applicant form.

|
Starting with version 10.0.3.00, applicant data and documents no longer have to be erased manually.
|

Picture 23: The applicant data erasure wizard
3.3.2 DOCUMENT ERASURE
When processing personal data pertaining to employees, we have to pay special attention to copying and storing documents, such as personal identification cards, passports, etc.
Before entering the data into PANTHEON, we have to verify which data we need to process for legal purposes and only enter that which is necessary to fulfill our legal obligations.

|
If an employee only provides copies of documents, we need to destroy them as soon as these copies have fulfilled their purpose. We also need to erase all paths to documents containing personal data in PANTHEON as well as the documents themselves insofar as they're stored on a hard drive.
|
A Document erasure wizard is part of the Documents panel:

Picture: The document erasure wizard in the Documents panel of the employee files

|
The document erasure wizard will only appear in the personnel toolbar when the Documents panel is open.
|
3.4 HIDE EMPLOYEE FILES DATA
If we want to hide personal or sensitive data from certain users, we can create a template. The solution is available anywhere in PANTHEON and can be used on any form with individual fields.
Open the Edit Template form to define which fields are visible and which aren't.
Example: We want to prevent certain users from seeing first and last name data by displaying it as a code. To do that, we uncheck the checkboxes for first and last name for those users and use a new template.

Those users will no longer see employees' first and last names, just a code.
