GDPR and BrightPay

Data Protection has always been a concern for BrightPay and we’ve always aimed to act with complete integrity in this regard. Like all companies, in preparation for GDPR we have had to complete a total review on how we gather, maintain and use data.

Data Files

Firstly, BrightPay does not have access to your data files, except where they have been submitted for support reasons. We have no control over the authority, the quality or safety of the data input. You and you alone are responsible for the accuracy and completeness of your records. Whilst we have security measures in place to protect your data, it remains your responsibility to keep your sign-in details secret, to sign off from the BrightPay product when you are not using it and to ensure there is no unauthorised access to your computer.

How we’re preparing

Some of the key changes that we’ve made that will affect our customers include;

• From time-to-time when assisting with an employe query, in order to fully resolve the query the only solution for us is to request a backup of our customer's file. Whilst we did have security protocols in place for this, we felt that we could make them even more secure. We've created an in-program support feature that allows users to automatically send a backup of their payroll to us through a secure channel. The benefits being that customers don't have to upload the backup to their email where they may forget to delete, but mainly on our side; the backup is saved centrally on a secure server and then automatically deleted after one week. In our 18/19 software, we are also including a new secure password recovery option. We have also worked on increased encryption of data files, just in case some hacker does manage to access your files.
• We are currently finalising our privacy policies and these will be going live on our websites shortly. The new privacy policies make it clear to any individual whose data is processed by BrightPay how we use your data, who we share it with and how long we keep it for. We've really worked to keep the wording as plain and simple as possible.
• We are in the process of completing internal IT audits on every company PC, deleting any unnecessary data. Going forward our plan is to run these audits regularly, as it is a great way for us to keep track of all the data that we hold and ensure we are not retaining anything unnecessary.
• We have looked at how information is sent to and retrieved from our secure servers, be it for the purposes of maintaining our website or our CRM system. We have now changed all of our servers over to more secure Microsoft Azure servers. We have also introduced IP white listing, meaning that knowing the login credentials is not enough, the request must come from a trusted location.
• We have introduced extra consent fields in different areas of the software / websites. Going forward, with the exception of essential software updates, customers will not be contacted unless they have specifically opted in. Of course we think that our newsletters and webinar invites are quite informative, so we would definitely recommend that you sign-up.
• Internally, we will be holding staff training and update sessions to ensure our staff are fully aware of the new legislation and how it impacts their role.
• If you are a Bright Contracts customer we will be updating the data protection policies within the software over the coming months.