Configurating Essence for GDPR

The GDPR gives people specific rights about their personal data. Essence gives you the possibilities to be compliant with these rules and regulations. This post will give you some tips & tricks on what you can do to make your Essence Portal GDPR compliant.

Which rights should you consider?

Some of the rights of the GDPR, like the right to protest, have more to do with how a company's internal processes are in place. Of course, you can configure a BusinessController to support such processes. But that in itself is "just" standard configuration.

For the following rights we will give you some Tips & Tricks on how you can configurate this in your Essence Portal.

  • Right of Access
    The right to access personal data and about how this data is processed
  • Right to Erasure
    The data subject can request erasure of personal data related to them on any number of grounds.
  • Right to Portability
    A person can transfer their personal data from one electronic processing system to another

Right of Access

A person can at any time request which personal data is stored. To comply to this you can do one of the following.

Use a Customer Portal

If a company expects a lot of such requests, a Customer Portal would be a good solution. By giving contact persons access rights to their personal data they can access and check this information at any time desired. Of course, there will be extra license costs. But these license costs might balance out with the costs of people handling all these requests.

Other benefits of using a Customer Portal. You can also give people the options to erasing their data by clearing data (like mobile phone number and email) where possible. And pseudonymise their data (like replacing a full name by initials) for mandatory fields. More on that later on.

Here's how we have implemented this in our Customer Portal. We give out personal user accounts so each person can only change his/her personal data. Except for specific people who can do this on a company level. We implemented this because this way a company can still view and maintain the data of their employers without the need to give every employer access to our Portal.

Use the Silver Print options

If you don't want to give people from outside your company direct access to their data, there's another option. You could also create an HTML template and make it available as a Print option. This also gives you the option to use it as an Email template so you can email the information to the customer. Here's an example of how we implemented this in our own portal.

Use the Export Options

Another option if you don't want to give direct access is to export data from your Essence Portal to Excel. That way you can generate Excel files that you can download and send to the person requesting the data. 

If you choose to use a Customer Portal, this option is also a nice addition because you can limit the results using the information of the logged on user. For example, have them only download personal data from people from their own company. You can read more on how to do that in this blog post: Q&A: Can we use SilverSession in Excel Export Queries?.

Right to Erasure

First of all, this doesn't have to mean deleting all the data. If the records are referenced by other tables, you cannot simply delete the records since this would corrupt your database.

So besides deleting the actual data, you have 2 different options:

  • Anonymization
    Make the record completely untraceable to the original data. For example, you could change the full name of a person to "--".
  • Pseudonymisation
    Remove the personal data but replace it with something that can still be used to understand within the context who the data is about. For example, replace the full name of a person with the initials or the job title.

Use methods to "erase" data

The best way to anonymise or pseudonymise data is to create a specific method for it. These are predefined updates where you can control how the data is modified. You also have the advantage that you can specify if the Method can be executed by using constraints. For example, if a contact person is linked to an active contract or support question, the data has to remain intact until the conditions for that are no longer valid.

Use BaseEntity Relations to clean up invalid references

If it is possible to delete data, you might want to remove references to the deleted record. You can do this using BaseEntity Relations. Using these you can nullify (clear) the data in those records that reference the data to be deleted. In our Online Boarding training, this is explained in the video about BaseEntities.

Right to Portability

To give people a digital copy of their data, you can make use of the Essence Export options as mentioned above.