GDPR

WHAT IS GDPR?

The General Data Protection Regulation (GDPR) is a major update to EU privacy law, which aims to protect the personal data of individuals, which is being used by various organisations. It has been around for a while as a Directive but it is now an enforceable Regulation, in effect from 25 May 2018.

GDPR aims to make privacy regulations more unified, accessible and relevant to today’s modern world. It imposes stricter compliance requirements on organisations (Processors and Controllers) that store and use the personal data of data subjects. Personal data is any information related to an individual, which can be used to identify such an individual – the data subject.

The major impact of this new Regulation lies in how companies approach personal data; data subjects have enhanced rights regarding the collection, usage, storage and deletion of their data. Additionally, organisations have greater responsibility to implement and demonstrate compliance as well as “privacy by design”.

SIMPLEPAY AND GDPR: OVERVIEW

In terms of Article 4, SimplePay is a Processor of personal data. As the name suggests, Processors process data on behalf of other organisations (Controllers).  Our clients – that’s you, the employers, accountants and payroll bureaus – fall under the umbrella of Controllers. In exercising our responsibilities as a Processor, we also aim to ensure that you remain compliant with the same ease to which you’ve become accustomed.

That’s why, although we have always taken our privacy obligations seriously, we embarked on a thorough and multi-faceted programme to identify and rectify any shortcomings in our policies and / or processes. Luckily, as privacy and confidentiality are cornerstones of our system and culture, we found we were already largely compliant. Below are some of the projects we’ve undertaken to ensure any compliance gaps were closed:

All client data is stored off site in AWS’s datacenter in Ireland and is backed up regularly. Full details of our privacy and security measures can be found in our Privacy Policy and Security Statement.

EXERCISE OF DATA SUBJECTS’ RIGHTS

Under GDPR, individuals have enhanced rights in respect of the data they share with processors and controllers:

In light of these rights, we have implemented internal policies and workflows to allow us to respond to requests within the required timeframe. The process will be substantially similar for all requests: you, as the customer, will need to contact our support team with the request. The support consultant dealing with the request will then verify the nature of the request (i.e. to which of the above rights it applies) as well as certain security information. Once confirmation is received, the consultant will escalate the matter to our GDPR administrator who will assess and action as appropriate within the required period.

Compliance with most of the above rights was already possible using existing functionality (reports, Self-Service etc) however, we have added some additional functionality to ensure full compliance:

Requests in terms of the above will need to be made by full access users. Any employee queries will be directed to the relevant full access administrator on the account for actioning in their capacity as a Controller. If a situation arises where such a request cannot be complied with by the administrator (Controller), SimplePay will assess and assist to the best of our ability.

EU REPRESENTATIVE

As we are based outside of the EU, Article 27 required that we appoint an EU representative to handle certain data subject requests and queries. In compliance with this, we have appointed DPR Group to act as our representative. Any queries requiring the input of our representative, should please be directed to them as follows:

DPR Group
Phoenix House
Monahan Road
Cork
T12 H1XY
Republic of Ireland

Please note that if you choose to mail your enquiry, it is essential that you mark your letters for “DPR Group” and not “SimplePay”, or your enquiry may not reach them. Please refer clearly to SimplePay in your correspondence.  

We will gladly provide a copy of the written confirmation of appointment if necessary.

THIRD PARTY APPS, SUPPLIERS AND INTEGRATIONS

We have researched and confirmed that all apps and suppliers we use as well as those with which we integrate are either already fully GDPR compliant or in the final stages of achieving compliance in time for May 25th 2018. Below you will find links to the GDPR pages of our partners, integrated apps and internal tools:

SaveSave

SaveSave

SaveSave

SaveSave