GDPR & Using a Personal Device to Access Conote Pocketbook
In setting up our application, we went to great lengths to ensure that it surpasses current regulations, including in the way it operates. We have invested in significant external support to enable us to achieve this goal. To access the Conote Pocketbook, companies can either provide devices to their team or, alternatively, employees can use their own devices. Both of these options follow GDPR guidelines due to how the Conote Pocketbook has been built.
We have two different parts to our product:
Our web app is accessed (like a website) through our secure and private servers, and no data is stored on the personal device. You can only access the data through the website, which is layered with extensive security measures.
Our app (available to download from the app store) is a data-entry-only app, and as a user you are unable to store personal data from the website through it. Only data created via the app that hasn't been synced to our servers is stored locally. However, users tend to sync their data to the website shortly after they obtain it. This means that the data is only on the device for a minimal time, as it is deleted once synced.
When using your own device, the ICO (Information Commissioner's Office, https://ico.org.uk/) asks for one main principle to be met among the seven other principles:
'Appropriate technical and organisational measures shall be taken against accidental loss or destruction of, or damage to, personal data.' It means you must have appropriate security in place to prevent the personal data you hold from being accidentally or deliberately compromised. This is relevant if personal data is being processed on devices which you may not have direct control over.
To protect personal data, our app has a number of appropriate security practices in place. Below, I have addressed each of the ICO's relevant points:
1. The device owner’s data and the organisation’s data should be separate. Staff should not be able to inadvertently or deliberately move the organisation’s data into their personal storage on the device or onto separate personally owned devices.
Our app is its own entity: all the data is stored locally within the app and can only be accessed within the app via a login page. Once the data is synced with our servers (likely straight away, if the device has signal), the data is deleted from the device. Staff cannot move data out of the app onto personal property.
We also isolate data by user so multiple people, in theory, could share the same device with multiple user logins and only have access to the data they have inputted. Additionally, when the app is deleted, so is all the data.
2. Register devices with a remote locate and wipe facility to maintain confidentiality of the data in the event of a loss or theft.
As the Data Controller, you have control over who sees what data. If you had a Producer lose their device, you would be able to remove access to that data immediately.
As well as this, our app is password protected and, of course, the device should have its own PIN. This means that not only can you wipe the access, you also have two password layers to get through.
3. Limit the choice of devices to those which you have assessed as providing an appropriate level of security for the personal data being processed.
Given that Producers and those on location need to obtain release forms in order to do their job, it would be appropriate for them to access the data. Our app is supported by a wide range of modern smart devices, all of which have the same GDPR and security functionality available to them. The app works on up-to-date iOS/Android systems, and it is always advised that users have a PIN set up on their own device as an additional security measure.
To reiterate, for additional control of personal data, our app restricts each user to only see the data they have already inputted. They wouldn’t be able to see what their colleague has saved on the same device.
We are totally confident that our product is fully GDPR compliant. If you would like to discuss our Security and GDPR measures further, please feel free to get in touch.