GDPR COMPLIANCE
What is GDPR?
The General Data Protection Regulation (GDPR), which came into effect on 25th May 2018, provides a legal framework for keeping everyone’s personal data safe, by requiring companies to have robust processes in place for handling and storing personal information. It’s also designed to protect us as individuals from being contacted by organizations without our express permission.
The GDPR is bigger than its predecessor, the Data Protection Act 1998 (DPA 1998), and ushered in a wave of new rules which are significantly different in certain areas, such as:
- A wider definition of ‘personal data’ covers more information than ever before.
- Data processors (i.e., firms that process personal data on behalf of another business, such as an outsourced payroll service) will be required to comply with the GDPR, whereas they weren’t required to comply with the DPA 1998.
- Businesses based outside of the EU will have to comply if they offer goods or services into the EU.
- When obtaining ‘consent’ from individuals, it must now be explicit and specific - it’s all about ‘opting in’ (and knowing exactly what we’re signing up for) rather than ‘opting out’. The old rules placed the onus on the individual to ask to be removed from a mailing list. In future, businesses must ask for consent from the very start.
- A duty to report data breaches to the Information Commissioner within very strict timeframes.
- A new ‘right to be forgotten’.
- The statutory need for certain businesses to appoint data protection officers, responsible for overseeing the new requirements for record-keeping and data impact assessments.
- An easier process for individuals to claim compensation from a non-compliant business; and tougher penalties for non-compliance.
4time+ Compliance
4time+ safeguards users’ data and protects their privacy rights. We build our system and processes with data protection by design and by default. Our system provides data encryption, data backup, and security measures to safeguard user data.
Some of the GDPR’s Key Requirements
- Pseudonymization by Default: 4time+ replaces personal identifiers with artificial identifiers. By default we also restrict user access and permissions so that users cannot reach data they are not authorized to view.
- The Right to Be Forgotten: 4time+ provides tools to our users that isolate and delete personal data as needed. We also use tools in our system to isolate and delete company data upon a company’s request to be forgotten.
- The Right to Be Portable: 4time+ is configured to allow users to export their personal data from their account, to provide to another service provider or to use as they wish. We provide CSV, PDF, and print options for data export.
- Mandatory Data Breach Reporting: 4time+ uses Datadog for top-of-the-line cloud security. We are vigilant with always-on security monitoring that detects attacks at any time. Datadog provides continuous scanning to identify misconfigurations, as well as suspicious file and process activity in real time. We detect threats quickly so that we can inform our users of any data breach as soon as it happens.
- Privacy by Design: 4time+ ensures privacy by design and by default by ensuring there are no automatic opt-ins and by minimizing the data needed for its processes. We have taken data protection into consideration throughout data processing.
- Establish a Data Processing Agreement: 4time+ has created a GDPR-aligned Data Processing Agreement.
4time+’s first role is that of a Data Controller. As a company, we require some information from our customers to create their account on 4time+, such as company name, email address, and phone number. Collecting this information makes us the Data Controller.
The second role we serve at 4time+ is that of a Data Processor. When you, our customer, use 4time+ to collect and store your data to process time and attendance transactions, this makes the customer the Data Controller and 4time+ the Data Processor.