GDPR Compliance

GDPR Compliant Software - LuitBiz

What is the EU General Data Protection Regulation (GDPR)?

The EU GDPR is an evolution of the EU’s existing data rules, the Data Protection Directive (DPD). The GDPR is a uniform law across the EU and beyond, with new requirements for documenting IT procedures, performing risk assessments, rules on breach notifications, and tighter data minimization – establishing a single law to enforce European data protection rules and regulations and the right to personal data protection. One of the biggest differences in the new GDPR compared to the existing Data Protection Act is the increased liability and fines for data breaches. There is likely to be a significant shift in focus towards preventative measures and auditing how and where your data is stored and destroyed.

GDPR legislates common sense data security ideas, especially from the Privacy by Design school of thought: minimise collection of personal data, delete personal data that’s no longer necessary, restrict access, and secure data through its entire lifecycle.

One of the more complex issues with the new GDPR is what’s being called "extraterritoriality". Under Article 3, the GDPR will apply to any personal data transferred outside the EU. So under these new rules, if a US company collects data from EU citizens, it will be under the same legal obligations as though the company had its headquarters in any country of the EU — even though it doesn’t have any servers or offices there! Extraterritoriality is particularly relevant to core web services such as search, social networking, etc., but you can map these to your own processes to figure out who would be affected.

The GDPR has a tiered penalty structure that will take a large bite out of offenders’ funds as the rules apply to both data controllers & processors.


Who does it affect?

The GDPR applies to EU-based companies and to companies that collect data of EU citizens, regardless of their physical presence in the EU.


How does it affect you?

It means there are new regulations and requirements for collecting, recording, and storing personal data and processing activities, new regulations on breach notifications, penalties on violations, and more.

What type of data is protected?

Personal data – or, as it’s called in the US, personally identifiable information (PII). This includes names, addresses, phone numbers, account numbers, personal data documents and, more recently, email and IP addresses. PII is found in the 3 basic pillars of a business entity - its customers (in CRM), its employees (in HRMS) and its documents (in DMS).


What are the fine levels?

Violations of Articles 8, 11, 25 to 39, 42 and 43:
€10m or up to 2% of worldwide annual turnover of the preceding year, whichever is higher

Violations of Articles 5, 6, 7, 9, 12 to 22, 44 to 49, 58, and member state laws adopted under Chapter IX:
€20m or up to 4% of worldwide annual turnover of the preceding year, whichever is higher


How can you protect yourself?

GDPR involves protecting the PII contained in the 3 main pillars of your business - your customer data, your employee data and your documents. You need to secure the PII contained in these 3 entities to ensure GDPR compliance. However, securing PII in these 3 entities separately with different software can quickly become a headache. Moreover, collating data from multiple sources is time-consuming and inefficient. With LuitBiz, you can secure the PII contained in all three basic pillars of your business using just one software product over the cloud. LuitBiz DMS helps you comply with GDPR for your documents, LuitBiz CRM takes care of your customer data compliance in accordance with GDPR, and LuitBiz HRM ensures that your employees' PII is secured according to GDPR rules.

According to GDPR rules, data needs to be controlled, complaints and logs need to be stored, intrusions must be detected and notified, DPIAs need to be made available to employees, and data subjects must have the "right to personal data" and the "right to be forgotten". LuitBiz's easy-to-use interface takes care of all these requirements and gets you started on the path to GDPR compliance within minutes of implementation.


Simplify GDPR compliance monitoring with a complete set of essential tools to manage your customer data, documents and employee data — unified within a single solution "LuitBiz" that's easy to deploy, use and manage.


What is a document management system and how can it help with GDPR compliance?

A document management system stores, retrieves, manages and tracks electronic documents and electronic images of scanned paper-based information, tracks document lifecycle and audit trail, and ensures timely approval of documents via automated document workflows. Document management software ultimately controls and organizes documents throughout an organization.

Let's get you started by asking you the following questions on how you are currently handling your documents:

  1. Can you easily find your documents whenever you require them?
  2. How long does it take for you to find a document and how much does it cost you in terms of time, money and manpower to find it?
  3. Are all your documents in a centralized location for easy retrieval?
  4. Once you track a document, are you sure you've got it all, meaning all the information pertaining to the document?
  5. Do you know how many copies and versions of that document exist in different locations and who has access to them?
  6. Can document access be restricted in your organization to protect PII?
  7. Under your current system, could sensitive documents get into the wrong hands and result in data leakage?
  8. Are you easily at risk of a security breach?

If your answer to questions (1), (3), (4), (5) and (6) is "NO", your answer to questions (7) and (8) is "MAYBE", and you have no idea about your answer to question (2) above, you definitely need a document management system to manage your documents and ensure GDPR compliance. If you do not manage your documents now, you run the risk of paying the huge fines for non-compliance mentioned above.

If your current DMS doesn’t support these GDPR compliant features, now is the time to find a new solution, before it’s too late!

If you haven't tried out LuitBiz DMS yet, sign up for a free 15-day trial. Once you have signed up, our self-service video guides will walk you through LuitBiz and show you how it can support your business in a GDPR world.



GDPR and CRM: How to Manage Customer Data in 2018?

GDPR provides citizens of the EU with greater control over their personal data and assures that their information is being securely protected across Europe, regardless of whether data processing takes place in the EU. Personal data (PII) can be a name, email, address, date of birth, personal interests, unique identifiers, digital footprints, etc. Typically, this is the kind of data you store in your CRM system.

But, GDPR only impacts big companies, right? WRONG!

If you use a database to store prospect or customer information, then you cannot ignore GDPR.

According to a survey from the Global Alliance of Data-Driven Marketing Associations (GDMA) and Winterberry Group, 92% of companies use databases to store information on a customer or a prospect.

Therefore, if you use a CRM solution, then it should support the collection and management of personal data in a secure way. GDPR impacts marketing, sales and customer service departments and all personal data needs to be handled in a more professional manner.

GDPR requires organizations to maintain a plan to detect a data breach (DPIAs), regularly evaluate the effectiveness of security practices (manage complaints and record logs), and document evidence of compliance. Instead of specific technical direction, the regulation puts the onus on organizations to maintain best practices for data security pertaining to their customer data.

GDPR will come into effect from May 25, 2018.

If your current CRM system doesn’t support these GDPR compliant features, now is the time to find a new solution, before it’s too late!

If you haven't tried out LuitBiz CRM yet, sign up for a free 15-day trial. Once you have signed up, our self-service video guides will walk you through LuitBiz and show you how it can support your business in a GDPR world.

The consent management feature of LuitBiz CRM allows businesses to define a purpose for each collection of PII, while the complaints management and logs management features of LuitBiz CRM allow the Admin / DPO to continuously document evidence of compliance and send emails to Supervisory Authorities (SAs) from within the software itself.


How to put your HR on track for GDPR compliance with employee data?

GDPR impacts all aspects of your business including your employees. It is an opportunity to move in the right direction, put data in the spotlight, offer improved data management and insights and the chance to rethink how you acquire, store, and maintain data.

In order to hasten your company’s road to HR compliance for processing employee data, make sure you:

  1. Know what you have: Inventorying the personal data you hold on employees, as it currently sits, is critical to updating your employee data management.
  2. Have one view into data: Corral employee data into one system rather than leaving it scattered across various data storage sources. That will make it easier for you to safely apply and comply with the GDPR regulations.
  3. Determine access: Not everybody should have equal access to employee data. Determine who in your organization needs access to which categories of personal data and put in place controls to manage that access.
  4. Communicate: Communicate the benefits of implementation of GDPR to all company personnel and clarify employees’ roles and responsibilities. This includes addressing their grievances, increasing employee engagement, and encouraging employee involvement in the functioning of the organization.
  5. Train: Train and have a change management plan across all business units. Employees need to know their data responsibilities when moving data around. In addition to pushing back on resistance to change, you will need to create incentives to ensure employee engagement.
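Steps 1 to 3 above are the ones that can be expressed in code, so here is an added example of what they look like in a minimal employee-data store: every personal-data field is inventoried and tagged with a category up front, all records live in one place, and each role is granted only the categories its job needs, with every read attempt logged. This is illustrative code written for this page, not LuitBiz HRM's own implementation; the field names, categories, roles and sample employees are constructed for the example.

```python
# Added example, not LuitBiz code: a toy employee-data store that carries out
# steps 1-3 of the list above (inventory the data, hold it in one place, and
# decide per role who may read which category). Field names, categories,
# roles and sample records are constructed for illustration.
from datetime import datetime, timezone

# Step 1 - "Know what you have": every personal-data field the store may hold
# is inventoried up front and tagged with a data category (constructed values).
FIELD_CATEGORY = {
    "name": "identity",
    "home_address": "contact",
    "bank_account": "financial",
    "health_note": "special",  # health data, treated as a more sensitive category
}

# Step 3 - "Determine access": the categories each role may read. Anything not
# listed is denied, so a role only sees the data its job needs (constructed roles).
ROLE_ACCESS = {
    "payroll": {"identity", "financial"},
    "line_manager": {"identity", "contact"},
    "hr_admin": {"identity", "contact", "financial", "special"},
}


class EmployeeStore:
    """Step 2 - "Have one view into data": one store for all employee records,
    with an access log so every read of personal data is accountable."""

    def __init__(self):
        self.records = {}      # employee_id -> {field_name: value}
        self.access_log = []   # one entry per read attempt, granted or not

    def add(self, employee_id, **fields):
        # Refuse fields that were never inventoried: data you do not know you
        # hold cannot be protected or reported on.
        unknown = set(fields) - set(FIELD_CATEGORY)
        if unknown:
            raise ValueError(f"uninventoried personal-data fields: {sorted(unknown)}")
        self.records[employee_id] = dict(fields)

    def read(self, actor, role, employee_id, wanted):
        """Return (granted, denied): the requested fields the role may see, and
        the names of those it may not see or that are not held. Every attempt
        is logged, whether or not anything was released."""
        allowed = ROLE_ACCESS.get(role, set())   # unknown role -> no access at all
        record = self.records.get(employee_id, {})
        granted, denied = {}, []
        for name in wanted:
            if FIELD_CATEGORY.get(name) in allowed and name in record:
                granted[name] = record[name]
            else:
                denied.append(name)
        self.access_log.append({
            "when": datetime.now(timezone.utc).isoformat(),
            "actor": actor,
            "role": role,
            "employee_id": employee_id,
            "granted": sorted(granted),
            "denied": denied,
        })
        return granted, denied

    def inventory(self):
        """Step 1 report: how many records hold data in each category."""
        counts = {}
        for record in self.records.values():
            for name in record:
                category = FIELD_CATEGORY[name]
                counts[category] = counts.get(category, 0) + 1
        return counts

    @staticmethod
    def roles_for(category):
        """Which roles can currently read a category: the list to review when
        deciding whether each of them really needs it."""
        return sorted(role for role, cats in ROLE_ACCESS.items() if category in cats)


def build_demo_store():
    """Constructed sample data, so the example runs offline."""
    store = EmployeeStore()
    store.add("e-001", name="A. Example", home_address="1 Sample St",
              bank_account="GB00-EXAMPLE", health_note="none recorded")
    store.add("e-002", name="B. Example", home_address="2 Sample St")
    return store


if __name__ == "__main__":
    store = build_demo_store()
    print("inventory:", store.inventory())
    print("who can read 'special':", EmployeeStore.roles_for("special"))
    print("payroll read:", store.read("pat", "payroll", "e-001",
                                      ["name", "bank_account", "health_note"]))
    print("access log entries:", len(store.access_log))
```

The deny-by-default lookup in `read` is the point of step 3: a role that is not in the table, or a category a role was never granted, yields nothing rather than everything, and the log entry is written even for a fully denied request so that access reviews see attempts as well as successes.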

This focus on data will allow HR to become more strategic, providing many more data points around top-of-mind topics such as engagement and diversity. Businesses going through the process of meeting GDPR compliance will not only boost productivity and performance, but also increase trust with employees and customers that comes from being a privacy-centered organization.

Employers will need to very carefully assess their current HR-related processing activities and identify the gaps with the GDPR. On the basis of this gap analysis, they will need to update their existing procedures and implement the required mechanisms to comply with the new obligations. Failure to do so may result in significant fines or other enforcement measures that could materially impede their business. The sheer scale and breadth of the changes will require a significant investment of time and resources to ensure a company's data processing policies and IT landscapes are compliant with the new rules.

However, there is an easier way out! Switch to LuitBiz HRM & ESS - a cloud-based human resource and employee self-service software built from the ground up to ensure GDPR compliance.

If you haven't tried out LuitBiz HRM yet, sign up for a free 15-day trial. Once you have signed up, our self-service video guides will walk you through LuitBiz and show you how it can support your business in a GDPR world.


How does LuitBiz help you become GDPR compliant?

Let’s take a look at some of the key elements of the GDPR and how LuitBiz addresses them:

Each entry below gives the fine tier, the GDPR article, what it means, and how LuitBiz helps.

Article 25 (fine tier: 2%) - Data protection by design and data protection by default
  What it means: Data minimization, user access limits, and limits on the period of storage and accessibility.
  How LuitBiz helps: Identify who has access and who should have access to regulated documents, customer data and employee data; manage permissions; manage risks like group access; user monitoring, customer data transfer, encrypted directories and data, etc.

Article 30 (fine tier: 2%) - Records of processing activities
  What it means: Implement technical and organizational measures to properly process personal data.
  How LuitBiz helps: Identify, discover, and classify sensitive and GDPR-eligible documents via full-text search; classify customer data; monitor, analyze, and report on user activity on documents, customer and employee data; establish and automate document and data retention policies; generate reports based on type of documents and data, access activity, and more.

Article 17 (fine tier: 4%) - Right to erasure ("right to be forgotten")
  What it means: Be able to discover and target specific data and automate its removal.
  How LuitBiz helps: Identify, discover, and classify sensitive and GDPR-eligible documents and data; define and automate document and data retention policies; configure end-to-end document and data deletion rules and easily implement and enforce them for document and customer / employee data retention or deletion.

Article 32 (fine tier: 2%) - Security of processing
  What it means: Ensure least-privilege access; implement accountability via data owners; provide reports showing that policies and processes are in place and effective.
  How LuitBiz helps: Reduce risk and manage access controls: automate and impose document workflows, customer data approval workflows and employee activity workflows, and proactively enforce ethical walls and security policies.

Articles 33 & 34 (fine tier: 2%) - Data breach notification
  What it means: Prevent and alert on data breach activity; have an incident response plan in place.
  How LuitBiz helps: Document and data activity monitoring, complaints management, access monitoring, detection of suspicious logins, and the ability to send breach notifications to the Supervisory Authority (SA).

Article 35 (fine tier: 2%) - Data Protection Impact Assessment
  What it means: Assessment of the purpose, scope and risk associated with processing private data and documents.
  How LuitBiz helps: Ability to hide documents and keep them private, document access discovery and monitoring, customer and employee data protection, and the ability to publish DPIAs for employee reference.

Articles 15 & 16 (fine tier: 4%) - Right to data access and rectification
  What it means: Be able to give data subjects access and rectification rights regarding their data and documents.
  How LuitBiz helps: Ability to retrieve documents and data in seconds and email them to the concerned data subjects for rectification; a historical record of emails sent to data subjects regarding their documents.

Article 44 (fine tier: 4%) - Data transfers to a third country or international organization
  What it means: Permit transfers only to entities in compliance with the regulation.
  How LuitBiz helps: Document and data access policy enforcement via LuitBiz access control.