Personal data provided to, or collected by, our Services is controlled by Hanley Payments Ltd, The Grange, Grange Road, Great Malvern, WR14 3HA.
What is GDPR
The General Data Protection Regulation (GDPR) is Europe's new framework for data protection laws. Although it has been in effect since its publication in May 2016, it will be enforced from 25th May 2018 when it will replace the 1995 data protection directive.
The EU's GDPR website says the legislation is designed to "harmonise" data privacy laws across Europe as well as give greater protection and rights to individuals. Within the GDPR there are large changes for the public as well as businesses and bodies that handle personal information.
The UK Information Commissioner's Office (ICO) has produced a comprehensive but easy-to-follow guide on how to get your business ready for GDPR compliance.
The key points, explored in further detail in other linked articles in our helpdesk, are:
- be able to demonstrate compliance to customers from whom you collect personal data
- be clear about the legal basis for collecting and processing personal data
- the data subject's right to see what data is held on them, and how it is collected/shared
- the data subject's right to extract and take their personal data elsewhere in electronic form
- the data subject's right to have their data corrected if necessary
- the data subject's right to have their data erased (subject to some constraints)
- have processes in place to deal with data breaches within established timescales
- significantly increased fines for non-compliance with GDPR
What information do we collect?
We collect several types of information about visitors to our website and/or users of our products and services. We may collect this information either directly when you provide it to us or automatically as you navigate through the website or our applications.
- agency and personal contact details
- user email addresses
- agency system users
- payment information (via a third party)
We collect your agency and contact details
When signing up for a demo on our website, we collect your first name and surname, your agency name, email address and contact telephone number.
When you register for the first time to your product account, we will additionally capture branch address details and VAT registration information which allows us to provide invoices as required for our accounting purposes. Furthermore, additional branches may be added to your account and the contact and address details relating to these branches are stored also.
This information is collected on the basis of contractual necessity to allow us to provide the requested service to you.
We will also send regular product updates, typically on a monthly basis, to all system users, as product enhancements in the form of new features or enhancements to existing features often result in former users returning at a later date. Current users are contacted on the basis of contractual obligation, and previous users are contacted on the basis of legitimate interest.
Any user can unsubscribe from these product updates at any time by clicking the Unsubscribe link which is present on all such communications.
We collect your email address
If you subscribe to our company and product demo via the demo link on our website, we collect your email address in order to provide this subscription service to you.
This information is collected on the basis of consent, and you can unsubscribe at any time by clicking the Unsubscribe button in the footer of all newsletter communications.
We process payment information via a third party
We collect recurring (typically monthly) payments for subscriptions to our products, and ad-hoc payments for one-off purchases such as SMS text credits, postcode lookup credits, or custom template development.
These payments are processed via our third party payment processors - Global Payments for credit card payments, and allpay Ltd for direct debit mandates.
Your payment details are not stored within our own internal systems.
All payment information is stored only on the secure third-party processing service provider platforms; we do not store accessible payment data. Where payment details are sent directly to us from customers via email (not recommended) these are deleted from our systems immediately.
This information is processed by our sub-processors on the basis of contractual necessity in order to receive payment for services provided.
We collect information about your staff account users
All user accounts on the system will have email addresses collected and processed in order to provide a unique login username, and to allow sending of emails on their behalf from within the system, and receipt of emails from the system and Hanley Payments in relation to the system's operation.
These email addresses are also processed by our email delivery provider, SendGrid, to perform delivery of any email communications initiated from within our products, e.g. sending statements to landlords, tenants, suppliers, etc, to grant additional user account access, or to raise support tickets to our helpdesk team.
This information is processed by Hanley Payments, and additionally processed by our sub-processors on the basis of contractual necessity in order to allow emails to be sent from within the system to your customers and to our admin teams.
Do we share your details?
We do not share any personal data with third parties for direct marketing purposes.
We do share personal data with a carefully selected list of sub-processors in order to provide core functionality within our product, and to fulfil our contractual obligation to our subscribers.
What sub-processors do we use?
We work with a number of carefully selected sub-processors who provide core elements of our product and service offering to our customers. These sub-processors will receive only the minimum amount of relevant personal data to fulfil the task for which their service is employed.
We are currently working to ensure that all sub-processors are compliant with the standard required for GDPR.
- MS Azure - cloud services platform
- Trello - issue tracking and software development
- allpay - direct debit processing
- Google - core company email services
- G Suite - core company office software
- Allan Brown Accountants - company accountancy and bookkeeping
- Send Grid - system email delivery
- Kashflows - integration within accountancy software
- Text local - SMS provider
How do we keep your data secure?
Any responsible software provider will take every possible precaution to safeguard your data, treating it as if it were their own. Data security cannot afford to be an afterthought, and we take our responsibilities very seriously in this regard, since your trust, your business and ultimately our own business depend on it.
We consider encryption of all data both in transit and at rest, i.e. preventing hackers from intercepting and reading data when it is being sent over the Internet, and also preventing anyone from accessing it while it is being stored over time in the database.
The server itself has a Secure Sockets Layer (SSL, now TLS) digital certificate installed, which is indicated by the trusted padlock in the browser address bar. This means that all data transmitted between your browser and our servers is encrypted "on the wire" while the data is in transit over the Internet.
Once data reaches our platform, all data transfer between the various servers within it (e.g. load balancer, application servers, database servers or file servers) is also encrypted using SSL/TLS.
User passwords, which must be provided when logging into our system, are protected using a one-way hashing algorithm, which means that they cannot be reversed and recovered, even by ourselves.
All sensitive data such as bank account details is also stored in a securely encrypted format within the database, so that without the appropriate decryption key and matching decryption software these details cannot be read by anyone who might manage to hack in deep enough to snoop into the database directly.
Data protection by design
A key part of the GDPR is ensuring that data security is considered right from the outset in the design stage, to ensure maximum security throughout the application.
We have custom built our application infrastructure from scratch using the many resources available in the Microsoft Azure environment, and can take advantage of the great resilience and availability mechanisms provided by that platform.
On top of that we have built our application code, which powers the logic of the system. We have considered encryption as outlined above, and restrict access to various data and functionality depending on user roles and privileges which are configurable within the system by admin users.
We also consider the typical hacking approaches commonly adopted by individuals who may seek to gain unauthorised access to servers with ill intent, and conduct vulnerability scanning to validate our countermeasures for these types of intrusion.
Hanley Payments' servers are located within Microsoft Azure's UK data centres, which are extremely well protected both physically and digitally.
We conduct regular vulnerability scanning within our development workflows, and we also employ the services of a well regarded cybersecurity company to perform penetration testing on the live system to find any weak points which may be exploited by hackers.
With the even more stringent standards being demanded now with GDPR, this is an area we plan on devoting increased resources towards in the near future to bolster our confidence in our system security, and your confidence in turn.
How can we export your data?
To put a data extraction request in place, simply email firstname.lastname@example.org and we will be in touch to verify your request and get the data securely over to you.
Even the data protection regulations which have been in force for over 20 years now advise that we should not hold personal data for any longer than is absolutely necessary, and this is important for two reasons. Firstly, from the data subject's perspective it is reassuring to know that their data is not being exploited for purposes other than what it was originally provided and is no longer necessary for. Secondly, from the data controller's point of view, it makes sense to concentrate on protecting the data which they need rather than also having to worry about protecting data they don't really need to have any more.
GDPR is even more strict on this. Data must not be held or processed without a clear legal basis, which is typically one of the following:
- explicit consent of the individual;
- contractual obligation to be able to provide services to the customer;
- legitimate interest where the data is deemed important enough to retain for the company's obligations to other third parties, e.g. financial accounts.
When customers cease their subscriptions to use our services, the first two of these legal bases disappear, so we will wipe all personal data and retain only the bare minimum to meet our core requirements, e.g. invoices issued to and payments received from customers.
Deletion (anonymisation) of data and files
When a customer ceases an account, the account is marked with a "cleanse date" 60 days from the cease date, after which all personal data will be removed from the account. The account owner will be informed on cancellation that the data will be queued for deletion and will not be recoverable after this period.
We do not actually delete the data fully from the database, but rather anonymise it to completely remove all personal identifiers such as names, email addresses, postal address, phone numbers, dates of birth, etc. This anonymised data cannot be reconstructed to identify the individuals to whom it belonged originally.
We have opted for the anonymisation option rather than full deletion since the large volumes of activity and transactions can provide invaluable insights into the performance of the application, as well as the property industry within which our customers operate, and all of this can help us improve our product offering for the future.
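The retention steps above (a cease date, a cleanse date 60 days later, anonymisation that blanks direct identifiers while keeping transaction history, and suspended accounts staying out of the queue) as an added, self-contained Python example. This is illustrative code written for this page, not Hanley Payments' product code; the record layout, field names and sample accounts are constructed for the example.

```python
from dataclasses import dataclass, field, replace
from datetime import date, timedelta
from typing import List, Optional

CLEANSE_DELAY = timedelta(days=60)  # personal data is removed 60 days after the cease date


@dataclass
class Contact:
    """A tenant/landlord/supplier record: direct identifiers plus transaction history."""
    contact_id: int  # surrogate key, not a personal identifier
    name: Optional[str]
    email: Optional[str]
    postal_address: Optional[str]
    phone: Optional[str]
    date_of_birth: Optional[date]
    transactions: List[float] = field(default_factory=list)


@dataclass
class Account:
    account_id: int
    status: str  # "active", "suspended" or "ceased"
    cease_date: Optional[date] = None
    contacts: List[Contact] = field(default_factory=list)
    anonymised: bool = False


def cease_account(account: Account, on: date) -> date:
    """Mark the account ceased and return the cleanse date the owner is told about."""
    account.status = "ceased"
    account.cease_date = on
    return on + CLEANSE_DELAY


def due_for_cleanse(account: Account, today: date) -> bool:
    """Only ceased accounts past their cleanse date qualify; suspended accounts
    may be reactivated and are never queued."""
    if account.status != "ceased" or account.cease_date is None or account.anonymised:
        return False
    return today >= account.cease_date + CLEANSE_DELAY


def anonymise_contact(contact: Contact) -> Contact:
    """Blank every direct identifier; keep the surrogate id and the transactions,
    which carry no personal data on their own."""
    return replace(contact, name=None, email=None, postal_address=None,
                   phone=None, date_of_birth=None)


def run_cleanse(accounts: List[Account], today: date) -> List[int]:
    """Anonymise every due account in place and return the ids processed."""
    processed = []
    for account in accounts:
        if due_for_cleanse(account, today):
            account.contacts = [anonymise_contact(c) for c in account.contacts]
            account.anonymised = True
            processed.append(account.account_id)
    return processed


def sample_accounts() -> List[Account]:
    """Constructed sample data: one account ceased on 1 Jan 2018, one suspended."""
    ceased = Account(account_id=1, status="active", contacts=[
        Contact(101, "A. Landlord", "a.landlord@example.invalid", "1 High St",
                "01234 000000", date(1970, 1, 2), transactions=[650.0, 650.0]),
    ])
    cease_account(ceased, date(2018, 1, 1))  # cleanse date is 2 Mar 2018
    suspended = Account(account_id=2, status="suspended", contacts=[
        Contact(201, "B. Tenant", "b.tenant@example.invalid", "2 High St",
                "01234 111111", date(1985, 5, 6)),
    ])
    return [ceased, suspended]


if __name__ == "__main__":
    accounts = sample_accounts()
    print(run_cleanse(accounts, date(2018, 3, 1)))  # [] : one day before the cleanse date
    print(run_cleanse(accounts, date(2018, 3, 2)))  # [1]
    print(accounts[0].contacts[0])  # identifiers blanked, transactions kept
```

Running the cleanse job daily against the current date gives the behaviour described: nothing happens until the 60 days have elapsed, the job is idempotent because anonymised accounts are skipped, and suspended accounts are untouched however long they stay suspended.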
All files and documents which have been uploaded by customers to the product platform will be completely and irreversibly removed from the file storage server.
Data will be retained in a number of encrypted backups for a period of up to one year to assist with troubleshooting purposes. These backups are stored in a separate location within the platform, and access is restricted to a small team of trusted admin users within the company and not to the general development team.
Suspended accounts are not queued for deletion since these may be reactivated. Suspensions often happen when otherwise active customers. However, the suspension list is reviewed monthly and accounts which remain suspended for a period with no contact with customers will eventually be ceased and then queued for deletion in the normal manner outlined above.
Data breach policy
Any breach of personal data must be reported to the UK Information Commissioner's Office (ICO) within 72 hours of the business becoming aware of the issue. Failure to notify can result in a penalty fine of up to €10m or 2% of global turnover. Negligent or intentional violation of GDPR can result in a fine of up to €20m or 4% of turnover.
If the breach is likely to result in a high risk of adversely affecting individuals' rights and freedoms, we must also inform, without undue delay, those individuals if we act as their data controller, or otherwise the appropriate agency or agencies acting as the data controller for those data subjects. It is then the responsibility of the data controller to notify their data subjects if appropriate.
If the breach involved any unauthorised access which contravenes the Computer Misuse Act, we would also notify the Police.
Our internal processes would also involve identifying the source of the data breach and the extent of any data which has been compromised, which in turn would determine the risk to the data subjects affected. The vulnerability in our systems or procedures would be identified as quickly as possible, and immediate attention given to resolving that vulnerability. All information relating to the source of the breach and steps taken to resolve it would form part of the report to the ICO.
Of course, we take every precaution on an ongoing basis to ensure that all personal data is stored safely and securely, to prevent a breach occurring.
GDPR for your customers / tenants
GDPR compliance is ultimately the responsibility of the data controller who has collected data belonging to individuals, even if they have entrusted processing of some or all of this data to a data processor.
In this case, an agency is the data controller who has collected personal data from its customers, e.g. tenants and landlords. However, the agency will in turn employ the services of software providers such as ourselves at Hanley Payments to help you in the running of your business, and this will involve entrusting this personal data to our care. Since the tenant and landlord data subjects are ultimately your responsibility, you must satisfy yourself that we are trustworthy, i.e. GDPR-compliant.
Any requests from data subjects such as tenants, landlords, or suppliers must be submitted to and processed by the agency as the data controller for these individuals. Any such requests made directly to Hanley Payments will be redirected to the appropriate data controller for consideration.
However, we can provide some guidance on how you can handle the most common requests. You should make it clear to your data subjects that any such requests should be formally submitted to your business either in writing or by email, and set the expectation on the response time.
Establishing the legal basis for processing personal data
For all personal data which you collect, store and process regarding individuals, you should be clear about the legal basis for collecting this data, and quite often it does not come down to gaining explicit consent, as people often believe.
Storing contact details such as names, addresses, emails and phone numbers is often completely necessary in order for you to be able to deliver your service to your customers, and you don't rely on consent for this; rather, it is processed on the grounds of contractual obligation. Beyond your contract, you may need to retain financial information, and again you don't require explicit consent for retaining invoices and transaction history, since this is processed on the grounds of legitimate interest.
However, be very careful that you consider ALL data which you are collecting, and only hold the minimum amount necessary for the purpose, and only for as long as you need it. You may not have justification for holding bank account details once you have stopped making payouts to former landlords, so you should delete those elements, but you may have grounds for retaining their phone number.
Also, be very sure that you don't use data for purposes other than those which you have specified to the individual. You cannot share emails with third parties for marketing purposes if you have not made it clear at the signup stage that you are doing this, since you must have consent for this type of activity, and in that case you clearly would not have it.
Amending incorrect information
This is achieved within our products by simply updating the relevant contact information on the record in question, e.g. a tenant or landlord contact details form.
Requests for data to be erased / forgotten
Not all requests to be forgotten need to be processed fully; it depends on whether you have a legitimate legal basis for retaining some or all personal data which supersedes the data subject's erasure request.
The most obvious example is a landlord asking to have his personal details removed from your system since he is no longer a customer. However, if you have issued invoices to and collected payments from this individual then you have a valid legal basis to retain some personal data so you can correlate invoices to this person for accounting purposes.
A compromise may be to remove that data which is now redundant, e.g. email addresses, phone numbers, registration details, bank accounts, date of birth, and perhaps even postal addresses, but retain either the landlord name or some form of reference identifier which allows your business to match invoices and payments to the individual if required.
Access to data stored on an individual
This information should be made available to the requesting data subject in an electronic format within a reasonable period, typically 30 days, free of charge.