The Regulation is applicable to all businesses, irrespective of size and industry, which -in the context of their activities- collect, handle and process, directly or indirectly, personal data of natural persons (or "Data Subjects") within the European Union. GDPR establishes a single legal framework, under which businesses will have to manage this data from now on. The responsibility of the Controller of the data in every business exists both at organizational and technical level.
SoftOne has harmonized its applications with the new security Regulation, by providing a set of mechanisms to help businesses fully meet the requirements of GDPR and safeguard the personal data of natural persons.
Soft1 responds to the regulatory framework as a whole, introducing in the latest 518 version new specifications and security / operation mechanisms implemented or upgraded specifically for GDPR. In particular, by upgrading to the 518 version and in accordance with the Article 25 of the Regulation1, the existing in the database information will be automatically classified into 3 levels (Personal, Sensitive, Non-Classified). The classification will take place particularly in customer, supplier, contact, employee and draft entries fields (tab "Display", "GDPR Type" field property in the Table’s basic data in the Database)
1 It concerns the protection of personal data by design and by default, along with the related obligation to ensure that such data are not accessible to an indeterminate number of individuals.
The extra features outlined:
- Ability to classify extra fields from Soft1 Designer or the design of a List / Browser.
- Classification of fields that are personal or sensitive data and belong to Personal Companies, Natural Persons and Freelancers.
- Ability to restrict access and editing rights for the User and / or the User Group,
- Procedures in regard to the consent of the Data Subject,
- Backup and restore process,
- Ability to restrict access to photos and documents,
- Ability to delete sensitive and personal data from Soft1,
- Ability to track successful logins and logouts to Soft1.
How to classify the extra/ local fields in Soft1
As a Controller, to classify any field in Soft1 as personal or sensitive, select the field from the S1 Designer and declare the nature of the field’s information in the <Display> tab.
The classification of Local Fields, i.e. the ones that you have designed in Soft1 Browsers and/or Reports, is available in the design tool.
How to restrict access based on the Company legal form of the Trading Party.
According to the GDPR, company data are not subject to the Regulation. Exceptions to this rule are Personal Companies and Freelancers who are at the same time natural persons.
In order to restrict access or processing of the fields that consist of personal or sensitive data and belong to the above categories, select one of the following three options in the <Company legal form> (Trading Party tab): Natural person, Personal Company or Freelancer. Soft1 will automatically anonymize the sensitive or personal data fields replacing them with asterisks (******).
How to restrict access to Users or User Groups
In Soft1, fields that have been classified as sensitive or personal data are available for viewing and editing based on the rights given to the User and/or User Group.
In the following example, the user "Barton Kelly" will have restricted access to the sensitive and personal data of the Employees.
Soft1 will automatically ensure anonymity of the relevant information in the screen forms of the individual modules, as well as in the corresponding Browsers and Reports of the application, replacing the sensitive or personal data fields with asterisks (******).
In any case, the restriction that will be declared on the User's tab will prevail. For instance, a User that has restricted access to the employees’ personal data, will not have access to this data, even in the case, he is part of a Group that is not subject to any restrictions.
How to record the Subject's consent and the acceptable ways of communication
According to the Regulation (art. 6 & 7), the Data Subject must have given consent to the retention and processing of his or her personal data. "Consent" is defined in Article 4 of the Regulation.
After contacting the Data Subject and getting his consent, you can record it in the Contact Info tab (or the Identity tab for the Employee). At the same time, fill in the ways of communication (i.e., phone calls, emails, SMS) that the Data Subject does not consent to.
For all the ways of communication that the Data Subject does not consent to, Soft1 will perform checks e.g. example when sending emails or SMS and entering outgoing phone calls.
How to restrict access to photos and documents
Photos and related files can now be classified as personal/sensitive. From the <Attached files / Comments> tab, right-click on the file you want to set access restriction to, select Properties and declare the Classification level in the "GDPR Type" field.
Attention! By selecting <Save in Database>, Soft1 will save the file in the path: Company Processes > Attached files > Documents file. You should, therefore, restrict access to that file for all users who shall not have access to documents/photos that are personal/sensitive data.
How to track field modifications and successful Logins / Logouts to Soft1
Through the Job Tracing procedure, you can track the imports, modifications, and deletions performed by users in fields and objects, as well as record successful logins and logouts to the application.
How to perform Data Anonymization <Right to be forgotten>.
In accordance with the Article 17 of the Regulation, the Data Subject may request the erasure – anonymization of his or her data stored in the database. Right-click on a record of a Browser / List and select <Data Anonymization> to delete the data of any trading party, contact, employee and/or draft entry.
Attention! Executing this job will cause irreversible results.
The job will permanently delete all non-mandatory (sensitive/personal) fields of the entity and replace all the mandatory ones (e.g. Customer Name) with asterisks (anonymization). It will also delete entries from the application log, as well as relevant documents and photos.
The process of Creating and Restoring a backup copy.
Creating and restoring a backup copy in Soft1 has become stricter and is now available only after login and only to the Administrator of the installation. As of now, both processes also require the User’s password.
How to Encrypt Communication between Soft1 and SQL Server
To encrypt communication between Soft1 or Application Server with SQL Server, the following options are provided:
- In the [DBCONNECT] section of the Soft1 connection file (*.xco file) with the database, you may add the following parameters:
- USESSPI=1 to specify that the connection will be through Windows or Active Directory authentication.
- ENCRYPT=1 to specify that the connection will be encrypted and that SSL certificate will be used as security technology.
- TRUSTSERVER=1 to specify that a self-signed SSL certificate will be used by the server. If you do not enable this parameter then the client will not log in due to the rejection of the server's self-signed SSL certificate.
- In case you choose to buy a certificate from a provider (e.g. Comodo, Verisign, etc.), you do not need to add the TRUSTSERVER=1 parameter to the connection file (.xco). However, you should follow the relevant Microsoft instructions regarding the proper installation of the certificate: https://support.microsoft.com/el-gr/help/316898/how-to-enable-ssl-encryption-for-an-instance-of-sql-server-by-using-mii
- Soft1 supports Transparent Data Encryption (TDE), provided exclusively by SQL Server Enterprise Edition.