What is GDPR?

GDPR became enforceable on 25th May 2018, so now is the time to take action!

GDPR (General Data Protection Regulation) is all about protecting personal data and handing control of it back to the subject of the data. Most businesses with customers and staff will need to take a look at their processes as a result of this new regulation.

ExpensePoint has prepared for the new regulation to come into force, and we want to share what we have done by charting our progress

How did ExpensePoint get ready for GDPR?

In preparation for GDPR, ExpensePoint we took a number of broad steps. That included:

  • Updating our privacy policy to ensure that our customers and partners know exactly what we do with their data
  • Minimizing the amount of data that we collect and use
  • Improving the encryption that we use when storing data
  • Reviewing our usage of data to ensure that it’s all legitimate

More specifically, what actions do we need to take to ensure that we are compliant?

We wanted to ensure that we took all necessary actions by 25th May 2018 deadline and – these are listed below, with updates on our progress:

  1. Update our Privacy Policy to reflect the changes in data protection requirements
    – Completed
  2. Ascertain whether we need to appoint a Data Protection Officer (DPO)
    – Done: we have assigned one of our regular Infosec team members the DPO duties.
  3. Find out what personal data we have, where it is and who has access to it
    – Audit undertaken
  4. Consult with an expert on what actions we need to take (if any) to be compliant
    – Completed
  5. Generate a plan of remedial action (including time frames)
    – Completed
  6. Execute this plan
    – Completed
  7. Publish compliance
    – Completed

Processor or Controller?

To make sure that we were ready for GDPR, we were required to look at whether we were a Data Processor or a Data Controller. We concluded (with the help of industry experts) that we are mostly a Data Processor and at a very small level a data Controller.  This means that as a Processor, we process data at the request of the Controller (in this case, the company that is using ExpensePoint that is also managing their user’s data).  We have no interest in the personal data that we have that we are processing.  As a Controller we are managing the data of the individuals who are managing the ExpensePoint system on behalf of their respective companies, for example a billing contact or a system Admin who require contact from us on an ongoing basis.

What data does ExpensePoint have that is covered by the GDPR?

When a user or company signs up to ExpensePoint, they are required to fill out some basic details (such as usernames, email addresses, first names, last names of each user using the system).  Other non-required personal information that is not required by ExpensePoint may also be added to the ExpensePoint system and in such cases are added at the discretion of the system user’s company (the Data Controller).   We do not use any required data for anything other than allowing users to log in to the platform, and to contact them via system notifications as a normal course of business as it relates to the basic use of the ExpensePoint system.

Users will be able to see what required personal data is being held in the system and will be able to contact their system administrator (Data Controller) to request information to be modified or deleted at their request and the system administrator (Data Controller) will have full capability to make such changes.  In some cases Administrators may not be able to delete user information from certain records within the ExpensePoint system due to individual laws of each EU country for the purpose of i.e. tax, and financial reporting requirements.  The Data Controller is responsible to inform its users as to what non-required personal information is contained in the ExpensePoint system as this information is not required by ExpensePoint for the system to be used, however the adding of this information may be required in order for the system to perform additional tasks deployed by the Data Controller.