Recently, there has been a lot of talk about GDPR among entrepreneurs who do business in the EU. The regulation has raised many fears and questions because it significantly changes the procedures and restrictions that apply to personal data processing. XTRF can help you address the upcoming changes. With XTRF 8 (available in May), your company's transition to GDPR compliance will be smooth and straightforward.
What is GDPR and why should I care?
GDPR stands for General Data Protection Regulation. It is a regulation of the European Parliament and the Council of the European Union (Regulation (EU) 2016/679) which aims to improve data protection for all individuals within the European Union by defining it clearly and harmonizing it across all EU member states. The goal is to give control of personal data back to the people.
GDPR applies to your business if your company is established in the EU, or if it processes the personal data of people in the EU, for example clients, vendors or employees you cooperate with there.
Is the XTRF system GDPR ready?
XTRF 8 will include functionality built to support GDPR compliance, helping your company meet the new legal requirements. The provisions of the regulation are addressed by the following functionalities:
- Collecting and tracking consent from clients and vendors for processing of their personal data.
- Letting clients and vendors access and correct their personal data via the Client Portal and the Vendor Portal.
- Erasing personal data from the XTRF system upon request by the data owner (client, vendor or employee).
- Exporting personal data to a structured, commonly used and machine-readable format (CSV).
XTRF 8 will be released in May 2018, before GDPR becomes applicable on 25 May 2018.
XTRF Guarantees Privacy by Design
GDPR requires organizations to take a 'data protection by design and by default' approach (Article 25), which means that privacy and data protection must be a key consideration of any project, both in its early stages and throughout its lifecycle. In XTRF, the design process plays a crucial role in system development and in assuring high quality. Providing privacy and data protection to our clients and to their partners has always been a key priority for us. For this reason, we have added a dedicated phase to the design process in which we investigate how a change in system behavior may affect the privacy and security of personal data.
We have also defined three design principles strictly focused on GDPR:
- The XTRF system must make it possible to fulfil GDPR requirements, but must not impose how they are fulfilled.
- The XTRF system may simplify the fulfilment of GDPR requirements by delivering functions that facilitate or automate GDPR-related operations, but such functions should be enabled only when specifically requested by the user.
- The XTRF system may suggest and recommend to the user how to configure the system so that it meets GDPR requirements.
Erasing personal data from the XTRF system upon request by the data owner (client, vendor or employee)
Under GDPR (Article 17, the right to erasure), a person (the data subject, called the data owner in this article) can request that a data controller erase their personal data from its systems. As an XTRF user, you may receive such a request from your client, vendor or employee. XTRF will help you fulfil this obligation by allowing you to erase the personal data of a client (Client Contact Person), vendor (Vendor Contact Person) or employee from the system, including:
- Client, vendor or employee profile
- Client or Vendor Contact Person
- Projects, Quotes, Opportunities
Additionally, it will be possible to archive Projects and Quotes, which moves all associated files (including those containing personal data) to an external location, where they can be safely deleted. Note that archiving alone is not erasure: the files still exist at the external location until you delete them there.
Note: Invoices are a special case, because legal regulations often require them to be retained for a longer period of time. XTRF therefore handles Invoices separately from the rest of a person's data: erasing personal data upon the data owner's request leaves the Invoices in place, and Invoices can be erased in a separate step once your retention obligations permit it.
Collecting and tracking consent from clients and vendors for processing their personal data
Consent is one of the lawful bases GDPR recognizes for processing personal data (others include performance of a contract and compliance with a legal obligation). Where a data controller relies on consent, every consent needs to be:
- An active opt‑in (not a pre‑ticked box or silence)
- As easy to withdraw as it was to give
XTRF will offer a set of features that can help collect and track consent from clients and vendors for the processing of their personal data, while ensuring that GDPR requirements are met:
- Clients and vendors are presented with a list of mandatory and optional conditions of consent when they register to the Client or Vendor Portals or when the terms of any consent are updated and require re‑approval.
- Clients and Vendors can view and edit a list of consent conditions via the Client or Vendor Portals (including withdrawal).
- A Data Administrator (user who has the role of Data Protection Officer) can manage a list of consent types from Clients or Vendors. Some forms of consent can be optional. The list can be updated when necessary.
- A Data Administrator can manage a list of client and vendor consent conditions, and update them on their behalf when necessary.
- Some actions in the XTRF system can be consent‑conditional, i.e. whether they can be executed depends on whether the specific person concerned has given consent to that specific action (including a specific use of their personal data).
Exporting personal data to a structured, commonly used and machine‑readable format (CSV)
GDPR gives data owners a right to data portability (Article 20). This means it must be possible, upon the data owner's request, to export their personal data in a structured, commonly used and machine-readable format.
XTRF Smart Views (which are used, among other things, to display lists of vendors, clients and their Contact Persons) offer an export function that can be used to satisfy this requirement. You can select one or more persons and export their data to the CSV file format. Before exporting in response to a portability request, restrict the selection to the requesting person, so that the file you hand over does not contain other people's data.
Consult your lawyer
The information presented in this article refers to XTRF system functionality and focuses on how it can help fulfil the GDPR requirements. We advise you to consult your lawyer to ensure your company conforms to all GDPR provisions and local regulations.