Expresso and the General Data Protection Regulation
Expresso is a division of Pulse Business Software Limited
How the GDPR affects your Expresso Installation
Author: Riaan van Rooyen
The General Data Protection Regulation (GDPR) was passed into law by the European Union Parliament in April 2016, with enforcement date beginning May 25, 2018.
This document tells you how your company’s use of Expresso is affected by the General Data Protection Regulation.
Where your Expresso is Hosted
Your Expresso installation is hosted on Microsoft’s Azure platform in UK South (London).
Data in Your Expresso Installation about your employees, customers and suppliers
The personal information stored in your Expresso Installation is under your control (In GDPR terms, you are the controller and processor), and can include:
You should have your own GDPR policies and procedures in place relating to your storage and processing of customer and supplier data, because your business may have multiple data repositories and processes besides your Expresso installation.
If you use your Expresso installation to e-mail or send text messages to customers, you should ascertain that they have consented to the communication.
Data in Pulse Business Software’s support portal about you and your employees
In order to support you and your team, Pulse Business Software holds information about you and your employees (but not your customers or suppliers). The information we hold is:
We do not share this information with any other companies or individuals.
Personal data will be destroyed on request, but we will be unable to support an Expresso user whose personal data is not on record.
This data is stored in secure data centres in the UK and South Africa. The specific data centre addresses are available on request. Please e-mail accounts@Expresso-tech.com.
By continuing to use Expresso, you consent to this information being kept by Pulse Business Software. If you would like us to provide you with the specific information held relating to your company, please e-mail accounts@Expresso-tech.com, and it will be provided to you in Microsoft Excel or CSV format.
Shared Data Security Responsibilities
As a Hosted service provider (cloud provider), we take responsibility for the following:
Your responsibilities are:
What this means is that your business takes responsibility for granting, revoking and changing access rights to log in to your installation of Expresso, as well as remaining accountable for personal data that you store and process in your Expresso installation.
Notification, Records Maintenance, Reporting
Notification of personal data breach to a competent supervisory authority
Should a data breach occur, in which personal information is compromised, Expresso will report such breach to you and the relevant authority within 72 hours.
Maintain Record of Processing Activities
Where personal data is processed by Expresso Business Software, an audit trail is recorded.
Data Protection Impact Assessments
The data stored and processed by Expresso is not likely to result in a risk to the rights and freedoms of individuals. However, as new processes are developed, the impact of these processes will be assessed to establish their effect on individuals. If relevant, an Impact Assessment statement will be included in the release notes of newer versions of the software.