Here's a rundown of what's changed at Timetastic, driven by GDPR, in the last few months:
Please note this is a live document and is regularly updated as we move towards 25th May 2018.
If you are conducting your own GDPR assessments then please also read this article on GDPR.
Changes to date
We have always stored passwords as hashes, but the introduction of GDPR prompted us to look further, so we introduced full encryption at rest for the databases using Transparent Data Encryption (TDE).
Keep me logged in
We used to store a cookie automatically on users' machines to keep them logged in. We switched that off and instead implemented a 'keep me logged in' option on the login form.
To increase the security of Timetastic we've started using a service called Cloudflare. Cloudflare helps speed up Timetastic and at the same time helps protect against denial-of-service attacks, customer data compromise and abusive bots (https://www.cloudflare.com/security/).
We spotted that our existing employee contracts didn't contain a confidentiality clause covering client data. That's been rectified: all staff have since signed a dedicated Confidentiality Agreement.
Terms and Conditions
We updated these on 20th April 2018 to include the specific requirements laid down in article 28 of the GDPR.
Work in Progress
Audit and Access logs
The very nature of Timetastic means that users can log in and see their own data and activity, and the Excel reports already contain most of the information most users will ever need to satisfy themselves. But to ensure data controllers are able to fully meet their obligations in seeing all the processing activities Timetastic undertakes, we are implementing a full audit log, available in Excel format.
We had no deletion policy for our customer service requests (I suspect this is the case for many organisations). These requests can contain personal information, as well as email addresses and contact details, and people sometimes forward spreadsheets and images.
We are in the process of implementing an automated service to delete all customer service emails 12 months after they were created.
We're defining a scope and schedule for regular vulnerability and/or security scans to be performed internally.