PaySubsOnline GDPR Update

What We're Working On


GDPR comes into effect on the 25th of May – a date that is rapidly approaching.

With this in mind, the team have been working with a certified data practitioner to ensure our system and internal processes support compliance with the new General Data Protection Regulations (GDPR).

Here’s what we’re doing:

  • Developing enhanced functionality to help clients manage deleted contacts
  • Creating new Terms and Conditions that help clients comply with contractual obligations with as their Data Processor
  • Creating a new Privacy Policy to ensure our clients’ members/contacts know what we do with their data and their rights
  • Creating a Privacy Policy template for clients to use with their members/contacts
  • Ensuring our internal processes and agreements with sub-data-processors are compliant

New Functionality

The 5th principal of the GDPR is ‘Storage Limitation’ – shortly defined, this states you can ‘only retain information for a period that is reasonable’.

So, when a person gives notice they are leaving your organisation, you need to decide what information you need to retain and for how long – need being the keyword (this is typically defined in your Privacy Agreement).

Reasons to retain personal information may be for accounting or insurance purposes. It might be the case you need to retain some but not all of the information, so we are developing functionality to help manage this.

What’s New

When deleting a person from the database, there will be the following options:

  • Delete personal data excluding first and last name
  • Delete personal data, excluding first name, last name and email history
  • Delete personal data, excluding first name, last name, email history and log data
  • Delete all information from the system

We’re also giving clients the option to delete email history directly from the contact’s record.

Why It’s Better

Option 1 – By removing all personal data, excluding first and last name, the data subject (i.e. the member or contact on the database) is no longer identifiable when looking at their database record. This allows clients to retain their record for a given purpose, for example, accounting.

Of course, you could go into a person’s record and delete all their field data manually, but we want to save our clients time.

Option 2 – If you send emails containing personal information that, combined with the data subjects first and last name, can identify the individual, we recommend selecting this option.

Option 3 – The system keeps logs of common admin tasks and who carries these out on the system. To help identify contacts in the logs, we use their email address which, combined with the first and last name, creates an identifiable record for a person. Option 3 allows you to delete these logs.

Option 4 – If you are happy to delete all information relating to a contact, including payment information, select this option.

Updates to our Terms and Conditions is the processor of personal data for our clients.

‘Processor’ means a natural or legal person, public authority, agency or another body which processes personal data on behalf of the Controller.

The Controller, in this case, is our client.

Under the GDPR, clients must provide with clear instructions regarding the processing of data. They must also inform members/contacts (the Data Subjects) of who is processing their data, why and how.

Our updated Terms & Conditions will detail these instructions on behalf of our clients’ organisation along with the obligations of as a Data Processor and their role as the Data Controller.

Updates to our Privacy Statement

Our new Privacy Statement encompasses all the different visitors to our website, including all administrators that have access to the system and client’s members/contacts.

Information within the Privacy Statement includes how we use this data and the rights people have.

Helping You Stay Compliant

In addition to our Terms & Conditions and Privacy Statements, we are also creating a Privacy Statement template to use if clients don’t have one in place or simply need to update it.

It’s also important to have the correct consent statements on forms.

These include different consent statements for different types of personal data – for example, General Personal Data vs. Special Personal Data (i.e. medical information).

We will be providing all our clients with statements which can be edited to match their specific requirements.

As May 25th approaches, we’ll be keeping you up-to-date with our progress.

In the meantime, why not download our free PDF detailing ‘GDPR Risks and Mitigation’? To download it for free, click the button below.

Download our free club's guide to GDPR Risks and Mitigation here!

Please note: I reserve the right to delete comments that are offensive or off-topic.

Leave a Reply

Your email address will not be published. Required fields are marked *