GDPR Regulation

Is there expected to be any updates to support the GDPR regulation expected in May? Support in terms of users of Manager, managing PI as a Data Controller.

Thanks, Stuart

I am not aware of anything that is required in Manager regarding GDPR that does not already exist.

Put simply GDPR is about the following:

Privacy of Data - The only real data is the customer contact information - which can be deleted - see Data Deletion Policies. It would not be practical nor necessary to delete any other information as you will always need the sales/purchase invoices etc.

Security of Data - You will have to ask @lubos whether cloud data is encrypted at rest or just during transmission i.e. https as I don’t know. If using Server or Desktop edition you will need to review your computer/server security policies to prevent being hacked. In addition, you need to ensure that you are properly backed up to prevent loss of data through hard drive failure, malware encryption etc.

Data Retention - You need to decide on a data retention policy. This is appropriate for things like emails, old files on computer etc. I don’t believe that it’s workable, desirable or even practical to delete business years older than six years as there will always be cases for looking back for budgeting, income analysis etc. So I don’t think that data retention applies here, especially as the only thing that you potentially need to remove is customer name, address and other contact details. All of which you can do manually as described in Data Deletion Policies.

Data Deletion Policies - At the moment, you can only de-activate Customers (you can’t delete them), but you certainly can delete their contact details and rename the customer. So perhaps your Deletion Policy can be to delete contact details. I would not advise renaming the customer as they might come back with a query about something they bought years ago, and there is reasonable use in that it’s not always possible or legally practical to remove a customer’s name etc. What if you need to contact them re a faulty fridge causing fires warranty? With regards to company users using Manager, while they are working for the company you are ok with their data, and only delete them when they leave the company.

Audit of Data - I believe that the Cloud Version (not sure about Server version) has some kind of auditing functionality and you certainly can restrict access. You also need to have an audit file of exactly what information is being contained by your company and where etc.

Can you advise what you think needs to be changed in Manager re GDPR?

Thank you, very useful. My original question was one of whether it has been reviewed in light of GDPR that the Manager solution could support any policies or assist the user in achieving GDPR.

One aspect of GDPR is to facilitate requests of what information is held about a customer; I believe that has to be facilitated within a month (which is reasonable). I could imagine a report or similar that could be run for the customer to provide a summary of what is held, i.e., contact information, sales orders, sales invoices, etc…?

I’m sure there are others.

Thanks.

Stuart

Yes, this is what I was talking about with regards to auditing. You do an audit and you say you have a person’s email address in your Email System, Manager Accounts and in the big red file marked Correspondence - that’s it. So when someone requests that information be deleted, you can review your Audit Documentation to see what is stored and where it is stored. I would create a Word Document documenting what information is stored and where it is stored, and documenting how you would secure it in the event of fire/theft/malware etc.

As far as your question goes, no, Manager cannot be used to ensure that you are compliant with GDPR. Manager is an accounting program that is universal for every country in the world and the only country specific things would be Tax codes and languages. It would not be cost effective to design any accounting program to assist with Legal Compliance of every country in the world, particularly as the developers would not have the legal expertise for each country, and I don’t believe that GDPR was ever intended to cover information contained within accounting records as all the information would be considered justifiable to keep on the basis of legal grounds and for record keeping.

As far as GDPR and Manager is concerned, the only information that is relevant would be customer contact details, but as highlighted in my faulty fridge fire scenario there is a justifiable reason for keeping the customer contact details. In short, I can’t actually see any GDPR aspect that is relevant to Manager as all the information within Manager has a justifiable reason for being kept on record.

While it’s important to get GDPR right, I would not worry too much about GDPR in terms of trying to delete all information pertaining to a customer. The whole point of GDPR is to force businesses to be more aware of what information is stored and where it is stored, whether it is secure from fire, hacking, malware, theft etc., and how easy it is to remove in the event that a customer requests removal. In the case of Manager, I honestly cannot think of a single thing that a customer would ever request be deleted from Manager other than obfuscating their contact details.

The key factors are documentation, data security and data retention. Hope that helps.