Time & Attendance Systems & GDPR Compliance
Bodet will help you with your GDPR responsibilities relating to personal data within a Time & Attendance Solution
The General Data Protection Regulation (GDPR) is now in force and applies to the personal data of individuals in the EU, with significant implications for the way every organisation collects, stores and processes that data. Since Time & Attendance Systems hold data about your employees (and sometimes visitors), you must take these rules into account in the operation and maintenance of such a system, whether you already have one or are considering one.
Within GDPR, there are two clearly defined roles relating to personal data. Firstly, there is the Controller: the party that decides to process personal data and determines the purposes and means of that processing (e.g. the organisation whose HR Director decides to use Bodet’s Time & Attendance System). Secondly, there is the Processor: the entity that processes the data on the Controller’s behalf and under its instructions (e.g. Bodet, when maintaining or hosting its T&A software).
As a Controller, your organisation is accountable for the collection, storage and processing of personal data. This includes the staff and visitor data held in a Time & Attendance System, and Bodet’s solutions are designed to help you meet these responsibilities.
Data security is a central concern, and an intrinsic element of our system. Access rights are configurable and restricted by default, so users see only the data their role requires. Settings such as the length of client sessions and data retention periods can be fully configured. Traceability is maintained through transaction logs, and data in transit is encrypted over HTTPS and VPN.
To support data minimisation, required data fields are kept to a strict minimum, while record templates can be adapted to your needs. This will assist in the preparation of your Data Protection Impact Assessment (DPIA, also known as a Privacy Impact Assessment), which GDPR requires where processing is likely to result in a high risk to individuals. To comply with the right to erasure (the ‘Right To Be Forgotten’), software administrators can delete all or part of the data relating to an individual on request, subject to any statutory retention obligations that apply to attendance records. Data portability is provided through integrated reporting and data exports in standard formats (PDF, XLSX and CSV), of which CSV and XLSX meet the requirement for a structured, machine-readable format.
Should you use a maintained Time & Attendance System, and therefore engage a third party as a Processor, your organisation remains accountable for demonstrating that the data you are responsible for is properly managed and protected. GDPR requires you to use only processors that provide sufficient guarantees and to govern that relationship by a written contract, so you need to ensure that your Time & Attendance supplier is GDPR compliant. As a Bodet customer, you can be assured that we are compliant as a Data Processor, and we provide full transparency on how we have achieved this, to assist with your own responsibilities.
Our first step was to appoint a Data Protection Officer (DPO), to act as a single point of contact for our clients on all GDPR matters and to coordinate our GDPR compliance strategy. Organisations that process personal data must keep up-to-date records of their processing activities, including the processors they use, and our DPO gives you a named contact to record and to approach. Through our DPO, we have implemented a Personal Data Management Policy that treats compliance as an ongoing process rather than a one-off exercise. We have also trained our employees on data protection and security, as part of our obligations under Privacy by Design. Our updated contracts now contain specific clauses on the protection of personal data, to provide further clarity.
For our security responsibilities as a data processor, the measures in place include an Information System security policy, hosting of our cloud solutions in data centres covered by ISAE 3402 assurance reports and ISO/IEC 27001 certification, and regular security audits undertaken by independent security experts. All of our clients’ data remains within the EU at all times, which avoids the additional safeguards that GDPR requires for transfers of personal data outside the EU.
Since GDPR is a complex subject, we have produced a white paper on implementing its requirements in a Time & Attendance System. It can be downloaded for full information on how we assist our customers with their compliance, and on how we fulfil our own responsibilities as a Data Processor.
If you would like a free demonstration to see how our Time & Attendance Systems can help with the specific requirements of your organisation, please contact us and we would be happy to visit you.