GDPR Requirements

Where’s the data located?

Relate Software (DRIVE CRM & Practice Management, Accounts Production, Corporation Tax, Personal Tax & Company Secretary) customers’ data is all stored and controlled, by each customer, on databases located at sites determined by each customer. Relate Software does not hold or access any of your customers’ data. You may use third-party hosting providers, and it is essential that you establish that such hosting entities manage their data in a manner that complies with GDPR requirements.

How is it stored?

DRIVE/RAP/CT & PT Data is stored in Microsoft SQL Server Databases. COSEC Data is stored in a Microsoft Jet Database.

Who can access it?

Access to the data you store in order to operate Relate Software’s products is completely controlled by you. Relate Software products support the use of strong access control by you to your customers’ data. You should also ensure that any data stored by third-party hosting providers is only accessible using strong access controls. You are responsible for ensuring that all your customer data is securely stored.

How is it protected?

Access to the Relate Software products and services is easily controlled by you, as the products allow the easy setup of users with strong passwords as well as the restriction of access to sensitive features. External protection of the data, in terms of network security, folder access and SQL Server access, is completely under your control or that of your third-party hosting provider. Relate Software recommends that all its customers establish a clear Information Security Policy in order to reduce or eliminate the potential for breaches of GDPR requirements.

What if there’s a service disruption, a breach, or permanent data loss?

Your Relate Software products are all developed and designed to operate on technical infrastructure that is operated and controlled by you. Accordingly, you should ensure that your Information Security Policy considers how you will respond if one of the events described above occurs: for example, establish a data back-up policy to limit data loss and develop a business continuity plan to respond to service disruption.

Where’s the back-up? Is it within the EU or in an adequate country?

As your data is either stored on your systems or hosted by a third-party provider, you should develop a back-up policy to address this issue. You should also ensure your hosting provider has a similar policy.

What if Relate request my data?

Where possible, Relate Software will attempt to assist you to resolve any software issues by remotely accessing your data through your infrastructure. Access is limited to Authorised Relate Software personnel. In the event that Relate Software requires a copy of your data for troubleshooting purposes, Citrix ShareFile is used to ensure data security. No other mechanism for receiving data is permitted. Any data received using any other means is immediately destroyed. We have configured Citrix ShareFile to only use AWS Servers in the EU to comply with GDPR. Data transferred to us via Citrix ShareFile is encrypted and protected using unique secure links. Access to this data is limited to Authorised Relate Software personnel and all data is destroyed within 48 hours once troubleshooting has been completed.

Data encryption of email attachments

DRIVE E-Mail supports both SSL and TLS E-Mail Encryption.

Archiving of client data beyond usage limits

As DRIVE contains Accounting Critical information, it may be necessary to manually anonymise Client Information; however, a planned GDPR update to DRIVE will facilitate the automated anonymising of Client Information. Currently, scripting is made available to Clients who wish to clear out or archive communications history; again, this will be facilitated within the GDPR Update.

Permission passing for client mailer opt-ins

DRIVE already facilitates the marking of Clients in terms of opting in for e-mail correspondence. This will be further enhanced by the GDPR Update, which will allow for revision dates and a more seamless integration with the Datamining tools.

Easy provision of client data when requested

Using DRIVE’s Datamining facilities and Communications Reporting, a Client Request can be fulfilled, but again this will become more automated in the GDPR Update.