Welcome to the Innoflex Quarterly Newsletter
Since our last newsletter in February we have had a very busy time delivering Project Sydney, hosting our first Customer Training Days, recruiting new clients and preparing the business for the new General Data Protection Regulations (GDPR) that come into force in May 2018.
You can find more detail on this and its impact later in this newsletter.
Project Sydney is our project to move all of our clients to a new improved hosting platform. The benefits of this are numerous and include our ability to scale the operation far more effectively. With new clients coming on board all the time this was an important decision we made to ensure we do not adversely affect the operations of existing clients.
Having completed the work out of hours over two weekends, I’m pleased to say that all of our external clients have now been migrated across to the new platform, with minimal disruption to the service we provide.
The new hosting platform, Microsoft Azure cloud, is also far more secure and gives us much greater resilience.
The other very important outcome of this is that we are now fully compliant, as a Data Processor, with the needs of GDPR.
As promised in the last newsletter this edition provides an overview of the requirements of the new GDPR.
Reflex360 Client Training Days
Our client training days in March went well with great feedback and learning on both sides.
As a result, we now plan to hold these courses on a regular basis.
The next date for your diaries is the 22nd May, when we will be hosting our next training day.
Whilst this day is really aimed at new customers with no experience of Reflex360, we are of course able to accommodate some extra places for existing customers. If anyone who has used the system for a while feels they would benefit from a refresher day, please get in touch with us at the usual contact addresses shown below.
Introduction to GDPR
The new General Data Protection Regulations (GDPR) take effect from the 25th May 2018. Replacing the existing Data Protection Act, they give all consumers new rights to access information held about them, make it mandatory for businesses to manage data securely and carry stiff fines for those who do not fall into line.
Whilst Innoflex does not provide advice on this topic, hopefully you will find the guidance produced here to be a useful introduction to the requirements of the GDPR and help you understand your next steps.
As a provider of a Software as a Service (SaaS) product, Innoflex operates as a data processor. All our customers are therefore data controllers.
If you already have strong data security processes in place, then the GDPR is really just building on these and the effort involved should be about amending existing processes and documentation.
The core principles of the GDPR are that personal data should be used only for the purpose intended, with exceptions only where specific consent has been gained.
So, for example, if you sponsor a local children's football club, you must not use any data you have collected from that as a source of data to market your building services, unless of course individuals have explicitly agreed that their information may be used for marketing purposes as well.
What are the main requirements?
Full details of the regulations can be found here, but at a high level the general guidance for data controllers is as laid out below.
The aim is not to stop you processing data, but to make sure that you only process data you need and are entitled to hold, that you hold it securely and you let your data subjects know what you have and what you do with the data. This list is far from exhaustive and is provided only as a starting point for your own compliance projects.
One thing very clearly stated is that, as a data controller, you must be able to demonstrate compliance with the requirements of GDPR if requested.
What can you use the data for?
You may only use the data collected for a legitimate purpose. In other words, you may not use it for marketing purposes and you may not sell it. You can only use it for the purposes of property repairs, development etc. in line with your legitimate business operations, unless you gain specific consent to use the data for other clearly stated purposes.
What data do you currently hold?
In our industry we hold basic information about customers, such as phone numbers, email addresses, home addresses and communication preferences. We do not tend to hold bank account details, credit scores, proof of right to citizenship etc.
This data can only be held by you if it is required for you to perform a legal duty, such as fulfilment of a contract, unless you gain specific consent for other uses.
How safe is the data?
At Innoflex we have improved our security significantly in the past few weeks by moving all clients to the Azure platform, which will assist you in meeting GDPR requirements through data stored in a secure environment, with secure and regular backups.
However, this does not remove the need for you to ensure that you only allow authorised staff access to Reflex360 and the data stored on it by ensuring secure user logins and passwords.
You also have an obligation to ensure that all of your staff who handle personal data are correctly trained.
You must gain consent
You will notice in your own digital lives that, when giving consent for an organisation to contact you, usually for marketing purposes, the days of unticking a box and ambiguous consent messages have gone. The onus is now on clear opt-in wording, asking very clearly if a data subject consents to you collecting their data.
When it comes to consent, you need to check your contracts, agreements for services etc. As a general rule, in a situation where you are given an instruction via MA Assist, consent has been gained to use the relevant data from the insurers for the purpose specified. Through the Agreement for Services, that consent cascades to you because we have a legitimate reason to hold and use the data. However, for other sources of work, for example housing associations, private works etc., you must ensure you have consent to use the data provided to you.
Data Subject Rights
There are several rights that exist now under the GDPR that did not exist under DPA. Two important ones to remember are the Right to Erasure (or the Right to be Forgotten) and Subject Access Requests.
If you receive a Subject Access Request, you can no longer charge to provide this information, although you may charge a reasonable administration fee, and you must comply within a month of the request.
If a data subject requests that you erase all their data, then again you must comply, subject to confirmation of why they want to be erased and confirmation that they are in fact the data subject. It may be that, in the case of a 12 month guarantee on the work completed on their behalf, erasing them might be detrimental to them. Be sure to establish the reasons why they want the erasure.
If you feel that there has been any breach of your data, then you MUST inform the ICO within 72 hours of discovering the breach.
So what should you do next?
1 – Discover – identify what personal data you hold and where it resides. Remember that it is unlikely that Reflex360 is the only source of data you have.
2 – Manage – Govern internally how personal data is used and accessed.
3 – Protect – Establish security controls, including physical controls, to prevent, detect and react to vulnerabilities and data breaches.
4 – Report – keep required documentation, manage data requests and be able to provide breach notifications.
The guidance provided above does not constitute any form of legal advice. We have spent a lot of time with GDPR and think we have been thoughtful about its intent and meaning. But the application of GDPR is highly fact specific and not all aspects of and interpretations of GDPR are settled. As a result these notes are for guidance only and should not be relied upon as legal advice or to determine how GDPR might apply to your business.
This quarterly top tip is around the creation of a supplier/contractor in the partners tab.
Contract v Supplier
You should use the Contract type when you wish to subcontract work to a 3rd party to carry out works on your behalf.
The Supplier type should be used for companies from which you make material purchases.
On the odd occasion it might be the case that the company is both a sub-contractor to you and a supplier of materials.
If this is the case, instead of creating 2 Contractor/Supplier entries (one for subcontracting, the other for purchases), you can select the company to be both.
Simply hold Ctrl (control) on your keyboard and select both types in the box, and this will then show both as highlighted.
Click on the Save icon at the top of the screen and this will save your changes.
You may find this useful to do if you ever need to do a credit for a subcontractor.
As Reflex360 only allows credits against a Supplier, you can go into your existing subcontractor, add the Supplier option in the type list and then create your credit on your case.
Afterwards you can choose to remove the Supplier option or keep it on there for later use.