Data protection by design offered by Merlin
This October is Cyber Security Awareness Month and our focus is on an important aspect of cybersecurity – data protection, privacy regulation and compliance. You have probably heard about Europe’s GDPR by now. But what about more recent legislation such as the CCPA (US), LGPD (Brazil) and the POPIA (South Africa)?
While it is each organisation’s responsibility to be compliant, it is important that the software and business tools you use ENABLE and ASSIST your compliance. We asked Merlin’s data controller, and Director of Global Operations, Martine Pnematicatos for her thoughts.
1 Tell us, Martine, what is GDPR compliance?
The General Data Protection Regulation (GDPR) is legislation adopted by the EU in May 2018 covering personal data, security and use.
The regulation was brought into practice to protect individuals’ privacy as well as to unify the way personal data is protected, stored, distributed and used. Personal data is defined in the GDPR as any information that can identify a ‘natural person’, such as their name, email, IP address or physical attributes.
The GDPR applies to any organisation that processes, stores, or transmits personal data relating to EU residents, regardless of that organisation’s location. If an organisation breaches the regulation, it could be fined up to 4 per cent of its annual global turnover or up to €20 million, whichever is the higher value.
2 Is Merlin Software as a business GDPR compliant?
Yes. Although our business is not based in Europe, we have European clients, so we made sure that all our processes are GDPR compliant, such as:
- Only communicating with potential customers if they have requested this;
- Flagging potential customers as Do Not Contact if they request this;
- Being able to produce a Request for Information Document;
- Ensuring all data and client data we work with is password protected;
- Setting up protocols in the business that comply with the many requirements relating to GDPR – including protocols for any data breaches.
3 What about the software – how did you make the software compliant?
Making Merlin Software GDPR compliant was a 12-month challenge. We wanted to make sure that Merlin was able to provide the functionality needed by our clients so they could be GDPR compliant within their businesses.
For example, the GDPR provides rights for individuals. These include the right:
- To be informed;
- Of access;
- To rectification;
- Of erasure;
- To restrict processing;
- To data portability;
- To object; and
- Rights concerning automated decision making and profiling.
We enhanced the software for our clients so that they could provide these rights to their clients and their employees.
There are also strict rules on holding and processing personal data, and eight different lawful bases on which you can do so:
- Consent;
- Contract;
- Legal obligation;
- Vital interests;
- Public task;
- Legitimate interest;
- Special category data; and
- Criminal offence data.
So, we updated Merlin Classic software to enable our clients to indicate why they were holding data, prove where consent was provided, allow people to opt-out of marketing communications, unsubscribe from emails, and highlight on their records why they were being contacted.
For example, our clients can clearly show how, when and where they collected the data. They can show how long data has been stored and on what basis they are being marketed to, such as legitimate interest.
4 GDPR places a great emphasis on accountability and security. How secure is Merlin as a Software as a Service provider in its own right – and how can it provide this level of accountability and security for clients?
Merlin servers are hosted in a tier one data centre operated by Rack Space who adhere to the most stringent security protocols. The servers are protected behind firewalls and the data is backed up regularly. There is device redundancy at the data storage and server level.
5 What about CCPA compliance which came into force this January in the US?
The California Consumer Privacy Act (CCPA) was brought into law in June 2018, driven by the continued rise in consumer data breaches and the growing privacy concerns of individuals.
The CCPA provides the following rights for individuals:
- Transparency;
- Access;
- Object;
- Deletion; and
- Portability.
The legislation focuses on preventing the sale of personal data and discriminatory repercussions for exercising rights.
The CCPA grants the right to request deletion, free of charge. It requires that website operators include a do-not-sell link to their website and that website privacy policies are updated every 12 months. Individuals also have the right to access the information an organisation processes about them in the last 12 months.
It also grants individuals the right to move their data free of charge via an electronic, readily usable format. Merlin can support all of these requirements.
6 Other countries such as South Africa and Brazil have recently announced their data protection policies. Are you planning to incorporate these regulations into Merlin?
Of course, we will. It is our policy to ensure our clients can operate within their country’s legal structures using our software. It’s for this reason we built all the GDPR functionality, and we will do the same for any other country, although we think that many of the GDPR requirements cover a lot of other countries’ requirements as well.
Brazil’s Lei Geral de Proteção de Dados (or LGPD) brings much needed clarification to the Brazilian legal framework. The LGPD attempts to unify the over 40 different statutes that currently govern personal data, both online and offline, by replacing certain regulations and supplementing others.
In South Africa, POPIA aims to promote the protection of personal information processed in South Africa and gives actionable rights to the right to privacy enshrined in the Bill of Rights. It aligns South Africa with global data protection best practice and applies to any organisation processing information in South Africa.
7 You are the Data Protection Officer for Merlin, what does this mean?
Yes, I am. It’s a rather dull responsibility, but it is a crucial aspect of our business. I have to ensure I am up to speed with the latest GDPR, which changes often. I have to ensure that we have all the documentation and protocols in place.
There is much paperwork involved, and I have to ensure we have this completed when need be. I am also responsible for handling any data breaches that could occur.
8 How do you maintain compliance within the Merlin team?
It’s a demanding task as I am continually checking that everyone is following the protocols we have set. We are at the point of data protection by design and by default. This means that we incorporate privacy measures at the design stage of a new project, enhancement or policy, rather than bolting them on afterwards.
We train all new staff members on GDPR and data protection, offer annual revision training for staff and have detailed plans in place if there is a data breach.
9 What do you think are the benefits of a company that focuses on data protection?
The benefits are enormous. Every person should have the right to have their data protected and not processed without their consent. So, I am proud that we support this.
As a business in the SaaS sector, our focus on data protection and cybersecurity gives us greater credibility. We build trust with our customers who know that the security of their data is an essential priority for us.
Potential customers feel more relaxed about moving over to a cloud-based product when they know that security and data protection are part of our corporate responsibility. Why would you choose a software provider that is not compliant or cannot offer this level of protection and security?
We have found that implementing data protection in all our activities, including marketing, has helped us assess the data that we hold. It frees up data storage space, and that can save money. Moreover, when someone requests information or a demo about Merlin, they know they are not going to be marketed to without their consent, that they can unsubscribe at any time and that their data is fully protected.
10 Where do you see data protection legislation going in the future?
I can’t see data protection becoming any stricter, although it might be refined and clarified in some areas. GDPR is already very extensive in its protocols.
What will change is that consumers are becoming more educated. They know that they can ask what data you hold and request it is removed from your database. Businesses must be prepared for this – we are prepared here at Merlin.
I am surprised there is not more news about companies breaching GDPR, and I think this will change over the next few years. Indeed, we might see more prosecutions of smaller to mid-size organisations.
If you would like to see Merlin Software’s GDPR/data protection functionality in action, then you can arrange a demo by contacting our Head of Sales, Mark Thomas, at markt@quickmerlin.com or completing the demo request form.
Important information
If you require further information on:
GDPR: The Information Commissioner’s Office
CCPA: Attorney General