On May 25th, the General Data Protection Regulation (GDPR) comes into effect. The new laws oblige businesses to amend the way they interact with data in a world with an increasingly technological outlook.
As such, we have reviewed, audited, and documented our processes, and have made appropriate changes.
How the GDPR affects S4Labour and its users
Under the GDPR, S4Labour is considered to be a data processor, as we give our clients access to our software, and hold their employees’ data on our servers. Our customers are considered to be data controllers.
What we’re doing…
We have documented all personal data that we hold, its source, and who can access it. We never share any personal data with any third party organisations unless advised to do so by clients.
Access Rights on S4Labour
We have reviewed the different user access levels in S4Labour, and the data users can access, ensuring it is appropriate and relevant to their role. This also applies internally; we have revised what our own staff can access and amend.
We require a secure transfer of data from clients. As data controllers, it is the responsibility of clients to be compliant in this respect.
Logging into S4Labour
We have evaluated our current log-in process and will be making appropriate changes. We will differentiate the password security process based on system access rights, with stronger authentication required for higher-level users.
We are currently reviewing our contracts with customers and amending terminology where required to ensure compliance. We will be contacting clients ahead of May 25th with revised contracts where necessary.
Data Protection & Security Policy
Our policy has been reviewed and updated in line with GDPR.
We are updating the privacy policies on our websites for increased transparency and full compliance.
Communication & Marketing
We are reviewing how we communicate with our customers and will implement a policy of communicating system information to users in a way that is fully compliant with GDPR and maximises visibility of important messages.
And now for the technical part…
Our data is stored on encrypted EC2 General Purpose SSD volumes using the AES-256 algorithm, so all stored data is encrypted at rest. We take a snapshot every day, which is also encrypted and can be used for disaster recovery. In the worst-case scenario, we can lose up to one day’s worth of files. Hourly backups are made to Dropbox and transferred over SSL/TLS using 256-bit AES keys. Dropbox encrypts stored files with 128-bit AES keys. S4Labour itself uses SSL/TLS (SHA-256) to protect data in motion, and is certified with a 2048-bit RSA certificate issued by Go Daddy Secure Certificate Authority.
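The storage controls described above (encrypted volumes, encrypted daily snapshots, at most one day of loss) can be checked mechanically. The following is an added example, not S4Labour's own code: it audits a constructed inventory shaped like boto3 `describe_volumes` / `describe_snapshots` output, flagging any unencrypted volume or snapshot and any volume whose newest snapshot is older than the one-day recovery window. Against a live account the same function would be fed the real `describe_*` results (the boto3 client call is assumed and not shown).

```python
from datetime import datetime, timedelta, timezone

# Constructed sample data shaped like boto3 describe_volumes()/describe_snapshots()
# responses; identifiers and timestamps are illustrative, not a real inventory.
NOW = datetime(2018, 5, 20, 12, 0, tzinfo=timezone.utc)
VOLUMES = [
    {"VolumeId": "vol-0a", "VolumeType": "gp2", "Encrypted": True},
    {"VolumeId": "vol-0b", "VolumeType": "gp2", "Encrypted": False},  # violates at-rest control
]
SNAPSHOTS = [
    {"SnapshotId": "snap-01", "VolumeId": "vol-0a", "Encrypted": True,
     "StartTime": NOW - timedelta(hours=6)},
    {"SnapshotId": "snap-02", "VolumeId": "vol-0b", "Encrypted": False,
     "StartTime": NOW - timedelta(days=3)},  # unencrypted and stale
]


def audit(volumes, snapshots, now, max_age=timedelta(days=1)):
    """Return a list of findings; an empty list means every control holds."""
    findings = []
    latest = {}  # VolumeId -> StartTime of the newest snapshot seen
    for s in snapshots:
        if not s["Encrypted"]:
            findings.append(f"{s['SnapshotId']}: snapshot not encrypted")
        vid = s["VolumeId"]
        if vid not in latest or s["StartTime"] > latest[vid]:
            latest[vid] = s["StartTime"]
    for v in volumes:
        vid = v["VolumeId"]
        if not v["Encrypted"]:
            findings.append(f"{vid}: volume not encrypted at rest")
        last = latest.get(vid)
        if last is None:
            findings.append(f"{vid}: no snapshot found")
        elif now - last > max_age:
            # Recovery point is older than the stated worst case of one day.
            findings.append(f"{vid}: newest snapshot older than {max_age.days} day(s)")
    return findings


if __name__ == "__main__":
    for line in audit(VOLUMES, SNAPSHOTS, NOW):
        print(line)
```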