GDPR - Data protection guide

What is the GDPR?

The General Data Protection Regulation (GDPR) is a EU regulation which will come into effect on the 25th May 2018. The GDPR aims to protect the personal information of all EU citizens. The regulation gives the individuals control over how their personal data is collected, stored and used. Personal data is any piece of data that could identify a person, when used alone or along with other details. This regulation does not apply to business related data, only to personal data.

Total Synergy is committed to being transparent with users about where personal data is stored in Synergy. In this help topic we explain how Total Synergy processes personal data, and what tools are available for people to view / control what personal data is stored by Total Synergy.

Total Synergy is committed to protecting our customers' data and follow the GDPR requirements and industry standards to protect customers' data. The data collected by Total Synergy is stored in the Microsoft Azure cloud when using Synergy Cloud Services. For information about Azure compliance with GDPR see Microsoft Azure GDPR guide.

Tips:

This document has been written by Synergy staff (who are not lawyers). The below details are a guide only on how to manage the GDPR regulations for personal data saved within Synergy.
Total Synergy offers tools and information as a resource, but we don’t offer legal advice. We recommend you contact your legal counsel to find out how the GDPR affects you.
View the full details of the GDPR regulations here.

Sections in this guide

What personal data does Synergy store?
Controller or processor in the Synergy application?
GDPR new individual rights for personal data and how they effect Synergy
Synergy add-on partners and the GDPR

Tip: Click on a section above to jump straight to those details.

What personal data does Synergy store?

Synergy stores three types of data that could contain personal details. Synergy personal data types are:

Profile data
- Synergy stores basic personal data as part of the Synergy Cloud Services profile. These details are entered by the user upon sign-up.
- Anyone that has a login to Synergy Cloud Services has a user profile with their work email address and their name entered.
- An optional profile picture can be added using the third party service Gravatar. Learn more about Gravatar.
- Learn more about the Synergy profile.
Staff data
- Each Synergy database / organisation stores business data about its staff members.
- Some personal data could also be stored as part of setting up this business data.
- This data is stored as part of the staff record which is setup in the Synergy desktop application.
- The organisation might store a combination of personal and business data in these records.
- Learn more about Synergy staff records.
Contact data - all contact types (Company, Personnel, Individual)
- Each organisation in Synergy stores business data about its external contacts.
- Some personal data might be stored as part of this business data.
- This data is stored as part of the contact record, which is setup in the Synergy desktop application.
- The organisation might store a combination of personal and business data in these records.
- Learn more about Synergy contact records.

Depending on what type of user you are in Synergy will depend on which of the following applies to you for personal data e.g. If you are a staff member at the organisation you are unlikely to also have details about you also in a contact record. Details about the data we collect and the purposes for which we use personal information are available in the Total Synergy privacy policy.

Controller or processor in the Synergy application?

The GDPR refers to the terms Controller and Processor. Here we will look at what these terms mean, and if Synergy is a Controller or a Processor for each of the personal data stored.

Controller - This is an organisation or business that is collecting data from EU residents.
Processor - This is an organisation that processes the personal data on behalf of a data controller.

Synergy plays a different role for handling your personal data based on the data type:

Profile data
- For your Synergy profile data, Synergy is the controller of the data.
- Synergy requests some fields in your user profile as mandatory when you sign-up for a Synergy account, such as name and a work email address.
Staff data
- For the staff record data in your Synergy organisation, Synergy is the processor and your organisation which contains the staff record is considered the controller.
- The organisation (owner/users) that entered your staff record in Synergy will complete the mandatory fields of name and work email address. Other details about a staff member can be entered as optional fields. Only people that work for that organisation can view the staff record or update the data, making the organisation the controller of the data.
Contact data - all contact types (Company, Personnel, Individual)
- For a contact record, Synergy is the processor and the organisation in Synergy which contains the contact record is considered the controller.
- The organisation (owner or users) can enter a contact record in Synergy, and the only mandatory field for a contact is the name. Other details about the contact can be entered as optional fields. Only people that work for that organisation can update the staff record details, making that organisation the controller of the data.

GDPR new individual rights for personal data and how they affect Synergy

A. Right of access

Right of access in the GDPR means that individuals have the right to know what data about them is being processed and how.

In Synergy we can provide the individual their personal data using the extract or using 'on screen' methods below. Synergy personal data options and how to obtain these details:

Profile data
1. To see a Synergy profile you need to be logged into Synergy Cloud Services at www.synergycloudapp.com
  - Select the 'profile' option from the top right 'profile toolbar menu'.
  - The profile data stored is viewable in the edit profile page only by the logged in user.
  - Only the work email address and staff name is shown in the profile.
2. The profile picture is not stored in Synergy. The profile picture is managed by Gravatar, a third party service for profile pictures. Learn more about Gravatar.
Staff data
1. Staff details can be seen after logging into the Synergy desktop application >selecting the practice menu > selecting the 'Staff & Application Security' option > Choose to open the specific staff member my double clicking that person in staff.
2. Staff records can only be viewed by people with the security access level of Director or System Administrator. All other access levels will not have access to this Synergy feature.
3. The personal data for a staff record is normally entered in these staff tabs:
  - Staff > General
  - Staff > Contact Details
  - Staff > Notes
4. To receive an extract of this data, please contact the controlling Synergy organisation which can extract the data for you (using the export to excel). A Synergy staff member who has Director access (or higher) can export / view the required details.
5. Export the staff details to Excel by using a Synergy report called "Staff report - GDPR Export to Excel".
  - Download the report from online library by opening Reports from the menu > and select the 'Download' button in the top right corner of the reports page. Check the box next to the "Staff report - GDPR Export to Excel" and click the 'Download' button.
  - The report has now been added to your list, and if you have Director or System Administrator access in Synergy you can run this report.
  - Double click the report to run it.
  - (Optional) Add a filter on the column 'Staff Name' to restrict the results to only that person.
  - Click 'Run' to create an Excel file with the staff general details and contact details.
  - (Optional) Run a second standard report called "Staff Notes" to extract the notes for that person to Excel too, if notes with personal details have been entered in Synergy. In most cases Notes are entered with only business details included and this is not required.
6. Note: Staff details can also be seen in Synergy Cloud Services. The staff name and business contact details (email, phone, mobile) are displayed if you click on a staff name in the cloud app. The personal / residential details about a staff member are not shown in the cloud app.

Contact data
1. Contact details can be seen after logging into Synergy in:
  - Contacts - Desktop application - Select the contacts or personnel options in the menu to view a list. Double click an item to open it an see the details. Edit / update of a contact can only be done in the desktop application.
  - List views - Desktop application - When a contact is shown as a column in the list in Synergy you can click the name if it is shown in green colour to open the contact record. e.g. Project list page, Invoices list page and more have the column contact included in the default view.
  - Contacts - Synergy Cloud Services - Cloud app - Use the contact list to open a contact and view the details in a read only view. A limited cut down view of the details shown in the desktop application is available in the cloud app.
2. Contacts can be added and updated by any staff members that work at that Synergy organisation using the desktop application. The cloud app in Synergy Cloud Services allows for an additional read only view of the contact details, the details can only be updated in the desktop application.
3. The contacts can have personal data stored under these sub tabs:
  - Contact > General tab
  - Contact > Personnel
  - Contact > Documents
  - Contact > Notes
4. To receive an extract of this data, please contact your controlling organisation which can extract the data for you (using the export to excel).
5. Export the contact details to Excel by running a Synergy report:
  - Open the Reports feature and select the 'Download' button in the top right corner.
  - Check the box to download the following reports; "Contact Report - GDPR Export to Excel" and "Personnel Report - GDPR Export to Excel".
  - Click the download button to save the reports into your library.
  - Select the Contact reports tab to see both the downloaded reports.
  - Run each of the reports with a filter applied for the contact or personnel name applied to restrict the results. This will export the general details about the contact into an Excel file.
  - Note: If you require additional details from the other contact tabs (like contact documents for example) there is not a report on this. Please check those details in the Synergy desktop application.

Tip: Synergy has three types of contacts: Companies, personnel, and individuals. Each of these contact types can have the same personal / business details stored within the record.

B. Right to rectification

Right to rectification in the GDPR means that the individual may request that incomplete data be completed, or that incorrect data be corrected.

In Synergy we can provide the individual their personal data following the extract options listed in part 1 above - right to access. Synergy personal data can then be corrected or updated by:

Profile data
1. To rectify your profile data login to Synergy and use the toolbar menu in the top right of the page and select > profile.
2. Use the Synergy Profile page to update the details as required. Learn more creating an account for Synergy Cloud Services to create a Synergy profile.
Staff data
1. To rectify the data in your staff record, please contact System Administrator or Director access level staff member at the Synergy organisation (controller).
2. The controller of the data can login to Synergy and use the Staff feature and sub tabs as required to update the details on your staff record in that Synergy organisation. Learn more about using Synergy staff records.
Contact data
1. To rectify the data in a contact record, please contact a Staff member at the Synergy organisation (controller).
2. The controller of the data can login to Synergy and use the Contacts feature and related sub tabs to update the details as required on the staff record. Learn more about using Synergy contact records.

Tips:

In your Synergy profile you must always have your name and one email address listed.
Staff and contact records allow you to edit all the general details saved for the record, and the saved record must always have a name.

C. Right to object

Right to object in the GDPR means that an individual may prohibit certain data from being used.

In Synergy we can provide the individual requesting their personal data following the options in part 1 above - right to access. Synergy personal data can then be updated or removed from Synergy by:

Profile data
1. The name shown can be changed in the profile page. Edit the name as required in Synergy Cloud Services > Profile page.
2. The work email address is entered by your System Administrator in the Synergy Desktop Application.
3. The profile picture displayed is controlled by a third party tool Gravatar. Use Gravatar to remove / change the picture shown.
4. Learn more about using the Synergy profile page.
Staff data
1. The personal data in the staff record is optional. Staff can contact the System Administrator or Director access level staff at their organisation (the data controller) and request that they remove any of the optional personal data stored in their contact record.
2. Staff records require that a name is entered on each record.
3. Learn more about using Synergy staff records.
Contact data
1. The personal data in the contact record is optional. Contacts can talk to the any staff with access to Synergy at the organisation (the data controller) and request that they remove any of the optional personal data stored in the contact record.
2. Contacts require that a name is entered on each record.
3. Learn more about using Synergy contact records.

Tips:

In your Synergy profile you must always have your name and a work email address listed.
Staff and contact records allow you to edit all the general details saved for the record, and the saved record must always have a name.

D. Right to be forgotten

Right to be forgotten in the GDPR means that the individual may request that an organisation delete all data on that individual as quickly as possible.

In Synergy we can provide the individual requesting their personal data following the options in part 1 above - right to access. Synergy personal data can then be deleted by:

Profile data
1. Synergy users can use the edit profile page and remove any personal data as required.
2. Synergy users can delete their profile by:
  1. Select the profile menu by selecting you profile picture in the toolbar top right corner, then select 'Profile'.
  2. Select the 'Delete this profile'.
  3. Click 'delete' on the confirmation pop-up.
  4. You will now be logged out of Synergy, as you no longer have a valid account.
3. Important note: Deleting a profile doesn't delete any Synergy organisations. Any content you added into an organisation will remain (e.g. timesheets and expenses will remain entered for that organisation). The content already in the Synergy organisation is business related data, and is retained for legal reasons.
4. Learn more about using the Synergy profile page.
Staff data
1. Staff members in an organisation can contact their employer organisation (data controller) to delete their personal data.
2. The employing organisation (data controller) can change the staff record details in Synergy if they have System Administrator or Director access levels.
  1. Select the Practice menu group and select the Staff & Application Security option.
  2. Locate the staff member that wants their details updated in the list and click the record to open it.
  3. Review the record, and edit / remove any personal (non business related) information in the staff record as required.
  4. Delete any notes or other contact details from the other tabs if they contain personal information about the staff member as well.
3. The employing organisation need to retain business related data as required by law.
4. The staff record cannot be deleted if it is linked to timesheet entries. It can be set as inactive if the staff member has now left the organisation. The organisation needs to keep the staff record with at least the employees name and work email address in Synergy, as data has been created in the system linked to that record.
5. Learn more about using Synergy staff records.
Contact data
1. Contacts can get in touch with the organisation who has them included as a contact record (company / personnel / individual types) (data controller) to delete their personal data.
2. The organisation (data controller) can get a Synergy staff member to:
  1. Use the Contacts menu group and to open either the:
    - Contacts option - which lists all the company and individual type contacts.
    - Personnel option - which lists the employees at the company contacts that you deal with.
  2. Locate the contact record in the list and double click the item to open the record.
  3. Edit the contact record and review / delete any personal information by making the fields blank (as required). The contact records must remain with at least the 'name' details completed.
  4. If required also remove any notes or contact documents or personnel linked contacts that contain personal details.
3. The contact record can only be deleted if it is not linked to any other Synergy records: Personnel, Projects, Invoices etc. Set the contact as inactive if the contact should no longer be used in Synergy. The organisation needs to keep the contact record with at least the name in Synergy, as data has been created in the system linked to that record.
4. Learn more about using Synergy contact records.

Tips:

Staff records cannot be deleted once a timesheet has been entered. Mark the staff member as terminated / inactive if they have left the organisation. Edit the staff record to remove the personal information. A name and work email address is required to remain on the record.
Contact records can only be deleted if they are not linked to any personnel, projects, or invoices. Mark the contact as terminated / inactive if they should no longer be part of projects. Edit the contact record to remove the personal information. A name is required to remain on the record.

E. Data portability

Right to data portability in the GDPR means that the individual may request that personal data held by one organisation be possible to be transported to another organisation.

In Synergy we can provide the individual requesting their personal data following the options in part 1 above - right to access. Synergy personal data can then be exported by:

Profile data
1. The Synergy cloud services profile does not contain personal data. There is no export required for this feature, as it only shows the staff members name and work email address.
2. Learn more about using the Synergy profile page.
Staff data
1. To receive an extract of your staff record data, please contact your employer. The organisation that has the Synergy subscription can export these details to Excel.
2. Export the staff details to Excel can be done by a Director level staff member at the organisation (the organisation is the controller of those details). Export the details to Excel by:
  1. Download and run a report by opening the reports feature, and select the 'Download' button in the top right corner.
  2. Check the box next to the "Staff Report - GDPR Export to Excel" report and then click the download button.
  3. Go the Staff reports tab, and then double click the report to run it.
  4. (Optional) Add a filter to the report to restrict it to only export a particular 'Staff Name' to Excel.
3. Learn more about using Synergy staff records.
Contact data
1. To receive an extract of the contact data, please contact the Synergy organisation. A staff member at that organisation can then export these details to Excel.
2. Export the contact details to Excel can be done by a Director level staff member at the organisation (the organisation is the controller of those details). Export the details to Excel by:
  1. Download and run a report by opening the reports feature, and select the 'Download' button in the top right corner.
  2. Check the box next to the following contact export reports, and then click the download button.
    - Contact Report - GDPR Export to Excel (Use this for company and individual type contacts)
    - Personnel Report - GDPR Export to Excel (Use this for personnel type contacts)
  3. Go to the Contact reports tab, and then double click the report to run it.
  4. (Optional) Add a filter to the reports when they are run to restrict it to only export a certain 'Contact Name' or 'Personnel Name' to Excel.
3. Learn more about using Synergy contact records.

Synergy add-on partners and the GDPR

Synergy can export or send contact and staff details to third party products e.g. accounting interfaces, MS Outlook interface, or other integrations. If you are using an interface to export Synergy data, then please review the other software company / product website for more details on how they are managing the GDPR requirements.

Want to learn more?

Looking for more help? Try reviewing the following topics: View Topics

Open topic with navigation