GDPR Compliance

The 5-step method for GDPR Compliance and FAQs

5-step method for GDPR Compliance

1. Know what you hold

30: Records of processing
5: Principles
6: Lawfulness
7/8: Consent
9/10: Special categories

2. Understand relative risk

24: Controller responsibility
11/25/35/36: By design and default
26: Joint controller
27: Representative
28: Processor
29: Authorisation
31: Cooperate
32: Security

3. Allow subjects to exercise rights

12: Transparency
13: Privacy notice
14: Not originator
15: Right of access
16: Right to rectify
17: Right to forget
18: Right to forget
19: Flow changes
20: Portability
21: Right to object
22: Automated decisions

4. Create change

  • Create a fluid state
  • Reinforce expected behaviours
  • Communicate expected behaviours

5. Embed change

33/34: Breach reporting
35: DPIA
36: Consultation

Frequently Asked Questions

What is the GDPR and why was it drafted?

The EU’s General Data Protection Regulation (GDPR) is an attempt to bring data protection legislation into line with new, previously unforeseen ways that data is now used.
Currently, the UK relies on the Data Protection Act 1998, but this will be superseded by the new legislation. It introduces tougher fines for non-compliance and breaches, and gives people more say over what companies can do with their data. It also makes data protection rules more or less identical throughout the EU.
The drivers behind the GDPR are twofold. Firstly, the EU wants to give people more control over how their personal data is used. The current legislation was enacted before the internet and cloud technology created new ways of exploiting data, and the GDPR seeks to address that. By strengthening data protection legislation and introducing tougher enforcement measures, the EU hopes to improve trust in the emerging digital economy.
Secondly, the EU wants to give businesses a simpler, clearer legal environment in which to operate, making data protection law identical throughout the single market (the EU estimates this will save businesses a collective €2.3 billion a year).

What is Flowz developed in?

Flowz is a web application built on a service-oriented architecture (SOA), hosted in Internet Information Services (IIS) and backed by SQL Server database services. It has been developed using ASP.NET MVC, a Microsoft web application framework that implements the model–view–controller (MVC) design pattern. The MVC pattern divides a web application into three logic layers:

  • Model (business layer)
  • View (display layer)
  • Controller (input control)

The Model layer is implemented as a set of Windows Communication Foundation (WCF) services, which specify the communication protocols (for example SOAP over HTTP) and the security mechanisms used. Deploying the individual services across multiple virtual machines provides resilience, scalability and availability for the Flowz SOA solution.

Supported web browsers include Internet Explorer 11+, Edge, Firefox, and Chrome with more to follow.

Flowz offers full support for HTML5 and has been redesigned with improved usability, accessibility and responsiveness.

No plug-ins or Java components are required.

When will the GDPR apply?

The GDPR will apply in all EU member states from 25 May 2018. Because the GDPR is a regulation, not a directive, the UK does not need to draw up new legislation; instead, it will apply automatically. Although it came into force on 24 May 2016, after all parts of the EU agreed to the final text, businesses and organisations have until 25 May 2018 before the law actually applies to them.

Who does the GDPR apply to?

‘Controllers’ and ‘processors’ of data need to abide by the GDPR. A data controller states how and why personal data is processed, while a processor is the party doing the actual processing of the data. So the controller could be any organisation, from a profit-seeking company to a charity or government. A processor could be an IT firm doing the actual data processing.
Even if controllers and processors are based outside the EU, the GDPR will still apply to them so long as they’re dealing with data belonging to EU citizens.
It’s the controller’s responsibility to ensure their processor abides by data protection law and processors must themselves abide by rules to maintain records of their processing activities. If processors are involved in a data breach, they are far more liable under GDPR than they were under the Data Protection Act, with potential fines being far greater.

What Single Sign-On does Flowz support?

Through the use of open industry standards and specifications such as SAML 2.0, Flowz can leverage customers’ existing Single Sign-on solutions to manage access to our application.

Support includes SAML 2.0-compliant Federated SSO solutions such as Microsoft Active Directory Federation Services (ADFS) and Shibboleth.

Why is Flowz so cheap?

We decided at the outset to offer a high-quality system at a low price, so we try to keep the entry cost of Flowz as low as we can for you. We want to get as many people as possible using the system and to be cheaper than all of our competitors.

Is Flowz a UK product?

Yes, all development is done by our UK-based Technical Team. Our office is situated near Trafalgar Square in Central London, and all Flowz customer data is stored securely in our Tier III UK Data Centre, located in Central London, with a failover Data Centre based in Kent.