Kelio and the GDPR
Accelerate your GDPR compliance with the help of Kelio software!
The implementation of a workforce management and access control software solution involves the use and processing of personal data. Organisations within the European Union must therefore comply with the requirements of the GDPR – the EU General Data Protection Regulation.
The GDPR regulation for HR and access control software
Any organisation that processes the personal data of its staff within the European Union is subject to the provisions of the GDPR, which requires:
- security of personal data collected
- adherence to legislation relating to personal data
- implementation of a responsible management approach in respect of such data (including an alert procedure in the event of data breach)
- appointment of a contact person – a single point of contact.
Kelio software and compliance with the GDPR
The use of workforce or access control software does not in itself guarantee compliance with the GDPR but does prove a valuable aid to managing personal data correctly. Such software makes it possible to:
- redefine a framework for the processing of personal data
- centralise hosting and better protect such data (secure system, access rights, etc.)
- respond more quickly and more easily to requests to exercise rights.
The Kelio software solutions for Time and Attendance management, HR management and access control have been designed to assist organisations in their compliance with the GDPR, by setting a framework for the processing and protection of employee personal data.
"Privacy by design" in Kelio
Article 25.1: Privacy by Design consists of taking into account rights and obligations concerning personal data from the moment a processing activity is created or modified, and taking proactive measures to prevent any incidents relating to breach of privacy.
Mandatory data input fields are restricted to those essential for the processing of an employee's contract. To comply with the right to consent (opt-in), and to avoid optional data being input without the consent of data subjects, Kelio user profiles can be configured to disallow the input of optional data.
Ultra-precise management of user rights, allowing for the assignment of hyper-customised rights and the communication of relevant data to authorised persons only (assignment of rights by profile, by individual, by reason type, by data field, etc.). By default, the software proposes restricted access rights. Kelio allows you to give individual employees read-only or edit access to their HR file, for example.
"Privacy by default" in Kelio
Article 25.2: All personal data, in whatever format (paper, digital), whether sensitive or not, must be kept secure. An organisation must ensure that access to such data is protected (access control by badge, cabinets locked by key) but also preserve paper records against deterioration (protection from fire, water, etc.).
High data security in Kelio software: whether in licence mode (encryption of data, regular security audits, required authentication, etc.) or in SaaS mode (highly secure hosting with ISAE3402 and ISO27001 certification, highly secure firewalls, backup redundancy, etc.).
Physical security of your buildings with Kelio access control, promoting protection of personal data: lost access badges deactivated, authorised access rights aligned with staff attendance planning, monitoring of access events in the event of an incident, etc.
Exercising of rights relating to personal data
Article 12: Data subjects who have communicated their data (employees, customers) have certain rights in respect of that data. They are able to access, rectify and request erasure of their data, etc. The organisation must ensure that it is able to respect these rights at any time and for all processing activities, and to do so within a maximum period of one month.
Right of access (Article 15) / rectification (Article 16): with Kelio, you can assign rights to employees allowing them to freely access their personal data and/or the right to modify their employee file with complete autonomy.
Right to be forgotten (Article 17): the deletion of data and all technical traces can be performed in Kelio software. This can be carried out by a Kelio administrator, at the request of an individual with proof of identity. In HR, this right is restricted by the statutory obligations regarding retention and deletion of documents. Kelio includes a customisable automatic clearing function, to trigger the deletion of data once the relevant retention period has expired.
Data portability (Article 20): the reporting and export of data in standard formats (PDF, Excel, CSV) is provided in Kelio, allowing the extraction of data by software administrators.
Assistance with producing the minimum documentation requirement
The GDPR introduces the notion of accountability of the organisation. It has a duty to be proactive in terms of data protection and to demonstrate this by means of a requirement for minimum documentation.
Provision of a pre-completed template of the data processing register for Kelio, to help with completing the minimum documentation requirement as specified in the GDPR (Article 30).
Bodet Software's response to the GDPR
Companies and organisations (the "Data Controller") retain full responsibility for the management and protection of personal data, whether the processing activity is performed in-house or subcontracted to a third party.
Bodet Software is a "Data Processor" for its customers within the context of the services it provides in respect of hosting in SaaS mode, software integration and support/maintenance. Beyond the existing security measures already in place (software security, surveillance of premises, backups, regular security audits, etc.), Bodet Software has implemented additional measures with a view to increasing its adherence to the requirements expressed by the GDPR:
- Appointment of a Data Protection Officer (DPO), as per Article 37, and a data protection steering committee. Our DPO is the point of contact specialising in personal data protection. This individual is responsible for ensuring maintenance of privacy and the correct application of the rules laid down by the GDPR. This person establishes and oversees the Management Policy for personal data within the organisation. For all information:
- Building awareness of staff in its design team, its consultants/technicians and support advisors regarding the requirements for confidentiality and management of personal data
- Contractual undertakings in respect of its customers as "Data Controllers", as per Article 28 (commitment to notification of data breaches, etc.).
Specific points of detail for professionals who process the HR data of their personnel
Beyond the management of data in Kelio, other technical and organisational measures must not be overlooked:
- Awareness-building: members of your staff who regularly work with HR or access control software and who process personal data must be made aware of the requirements of the GDPR and be familiar with the mechanisms in place for personal data security. This is especially relevant where certain employee personal data is sensitive, such as data relating to biometric controls (fingerprints), trade union affiliations or medical data (Article 9).
- Lock out: an organisation cannot retain irrelevant or unnecessary data and must therefore revoke the rights of any employee who leaves the organisation, so that their old access rights are no longer retained. The same applies to an employee who changes section or job title: their former rights must be deleted and new rights created as relevant to the new position.
- Automatic clearing: each type of data and document has a retention expiry date. The organisation must ensure that automatic clearing is set up at the expiry of each retention period for different information types. This reduces the risk of any breach.
- The appointment of a DPO: this is recommended in all cases, but is only a mandatory requirement in certain cases as detailed in Article 37, particularly for public authorities or bodies, for organisations that manage sensitive data or for those where the core activity requires regular and systematic monitoring of data subjects on a large scale (e.g. hospitals, etc.).
- Notification of data breaches: in the event of a data breach (data is leaked, altered, unintentionally destroyed or lost), the organisation must assess the significance of this breach and its impact before, where relevant, notifying its supervisory authority.