Phorest and GDPR

GDPR is coming into place on May 25th, 2018. Below are the updates Phorest are making both to the product and to some of our internal processes to support your salon once GDPR comes into place.

Some of the updates below have been developed and some are in our development pipeline with the target delivery being before the May deadline.

 

Access Controls & Auditing

  • Phorest already has a robust access control at a per staff basis, to ensure they can only see data that is relevant to their role in the salon.
  • We have added additional access controls for viewing of sensitive client data on the client card under their consultations.
  • We already have an extensive audit functionality in Phorest, but we will extend to even more areas of the system.
  • We are also building a brand new real-time activity stream, which will let you, the salon owner, see a real-time news feed for your salon. You will also be able to search and filter this timeline to see who made changes to client data and when.

 

Consent for Data Use and Marketing

  • Your client’s rights regarding marketing are of paramount importance, that is why Phorest will be fully compliant with GDPR regulations. Opt-in will become the default, which means your clients will be at all times in control of marketing they receive from your salon.
  • Phorest will include the ability to opt-in for your clients in a number of places:
    • There will be a dedicated consent area in the consultation forms
    • There will be a desktop prompt for your staff when checking a client in
    • There will be an opt-in option in the clients online booking account
  • The Phorest marketing system will only be able to send to clients who have opted in, protecting you from accidentally contacting people you shouldn’t.
  • Any salons using out 3rd Party APIs will have full access to these new marketing options.

 

Right to be Forgotten

  • Under GDPR your clients have the right to ask that you ‘forget’ them. This means all identifiable information of theirs be removed from the system.
  • Phorest will add a ‘forget me’ option for any client, selecting this will remove every piece of personal information about them while maintaining your financial history.
  • Please check with your insurance company as to how long you need to keep client data before removing, in case of litigation.

 

Right to Rectification

  • We will allow your clients to update their personal data through our brand new Consultation Forms

 

Right to Access

  • Your clients can request their data exported. We will add an export feature to the client card to facilitate this.

 

Right to be Informed

  • Should there be a breach of data, we will have to follow our data breach reporting process.

 

Portability

Your clients can request their data to be exported from your system at any time. We will export it in CSV (comma separated value) format.

 

Storage of Personal Data

  • You will need to check with your insurance company as to how long client data needs to be stored. Phorest will allow you to set an ‘expiry date’ on client data, after which time, it will be removed from your database.

 

Security and Hosting

  • The vast majority of our services and data are hosted in Amazon Web Services (AWS) facilities in the USA and Europe (depending on where your business is located). Phorest services have been built with disaster recovery in mind.
  • All of our servers are within our own virtual private cloud (VPC) with network access control lists (ACL’s) that prevent unauthorized requests getting to our internal network.
  • Customer data is stored in multi-tenant datastores, we do not have individual datastores for each customer. However strict privacy controls exist in our application code to ensure data privacy and prevent one customer from accessing another customers data. We have many unit and integration tests in place to ensure these privacy controls work as expected. These tests are run every time our codebase is updated and even one single test failing will prevent new code being shipped to production.
  • All data transferred to or from Phorest is encrypted in transit using 256 bit encryption.

 

Reporting a Data Breach

If we have experienced an incident giving rise to a risk of unauthorised disclosure, loss, destruction or alteration of personal data we will initiate our data breach process without undue delay.

  • an outline of the breach including the categories and an approximate number of individuals/data records concerned.
  • a contact point for obtaining more information
  • recommended measures to mitigate any possible adverse effects from the breach

 

Data Breach Process

  • We use Amazon Web Services identity and access management to secure and trace access.
  • If a breach is detected we will first do an impact analysis.
  • Once impact is known we will mitigate risk however possible.
  • If deemed necessary we will report the data breach through our Data Protection Officer.

 

Credit Card Storage and Use

  • Phorest is not subject to PCI obligations. We do not store credit card details in any form. We outsource this to Stripe and Realex to process payments. Details on Stripe’s privacy policy can be found here and security policies here. Realex’s privacy policy can be found here and security statement here.