Data Protection

Data Protection Impact Assessment

ClockShark Timekeeping and Dubsado Business Management

Submitting controller details

Name of controller: Buton Ltd
Subject: Data Processing in the USA
Name of controller contact: Gergana Antonova

Step 1: Identify the need for a DPIA

Explain broadly what project aims to achieve and what type of processing it involves. You may find it helpful to refer or link to other documents, such as a project proposal. Summarise why you identified the need for a DPIA.

Buton Ltd is replacing existing applications with new applications to make data processing more efficient. As is common with SME companies, many applications that meet the requirements of the business are from the USA.

Both the ClockShark Timekeeping and Dubsado Business Management applications fall into this category, and both have many implementations in the UK.

ClockShark is a small US-based company with many UK clients. Its Privacy Policy mentions compliance with the California Online Privacy Protection Act and the USA Children's Online Privacy Protection Act but not the EU or UK GDPR. In November 2021 ClockShark was taken over by the Australian company SimPro, which has an office in the UK. Although SimPro's Privacy Policy has not been updated to include the UK GDPR, it does look to be compliant with the EU GDPR. ClockShark has not yet been integrated into the SimPro company and operation.

Dubsado has a UK representative (EDPO UK Ltd) but its documentation only mentions the EU GDPR and the EU – US Privacy Shield and has not been updated to mention the UK GDPR.

Note: USA companies still have to mention the EU – US Privacy Shield for USA privacy law reasons.

Step 2: Describe the processing

Describe the nature of the processing: how will you collect, use, store and delete data? What is the source of the data? Will you be sharing data with anyone? You might find it useful to refer to a flow diagram or other way of describing data flows. What types of processing identified as likely high risk are involved?

For both applications Buton will collect and maintain the data as described in our Article 30 Record of Data Processing Activities and our Privacy Policy. The data is provided by the data subject.

The data for both ClockShark and Dubsado will be stored in the USA. ClockShark data is stored in the Microsoft Azure cloud. Dubsado data is stored in the Amazon Web Services (AWS) cloud.

Describe the scope of the processing: what is the nature of the data, and does it include special category or criminal offence data? How much data will you be collecting and using? How often? How long will you keep it? How many individuals are affected? What geographical area does it cover?

ClockShark: the processing of timekeeping data, including the team member's GPS location.

Dubsado: the processing of:

  • client data for contractual reasons and marketing;
  • self-employed contractor data including right to work in the UK visa data and passport data.

Refer to the Article 30 record for the data fields. The timekeeping data is collected daily on ClockShark and the data is updated monthly on Dubsado.

Describe the context of the processing: what is the nature of your relationship with the individuals? How much control will they have? Would they expect you to use their data in this way? Do they include children or other vulnerable groups? Are there prior concerns over this type of processing or security flaws? Is it novel in any way? What is the current state of technology in this area? Are there any current issues of public concern that you should factor in? Are you signed up to any approved code of conduct or certification scheme (once any have been approved)?

The data collected is for self-employed contractors and clients. The data is necessary for executing the contracts with the self-employed contractors and meeting client contract expectations, so the individuals would expect their data to be used in this way.

No data on children or other vulnerable groups is collected.

Both the ClockShark and Dubsado applications have the security measures expected of such applications in 2022, including role-based permissions for all levels of users and two-factor authentication (2FA) for elevated access privileges.

Describe the purposes of the processing: what do you want to achieve? What is the intended effect on individuals? What are the benefits of the processing – for you, and more broadly?

The data processing enables Buton to deliver contracted work for clients and to contract with self-employed contractors and pay those self-employed contractors.

Step 3: Consultation process

Consider how to consult with relevant stakeholders: describe when and how you will seek individuals’ views – or justify why it’s not appropriate to do so. Who else do you need to involve within your organisation? Do you need to ask your processors to assist? Do you plan to consult information security experts, or any other experts?

This document is prepared by an Information Security specialist and reviewed by the Managing Director of Buton Ltd.

Step 4: Assess necessity and proportionality

Describe compliance and proportionality measures, in particular: what is your lawful basis for processing? Does the processing actually achieve your purpose? Is there another way to achieve the same outcome? How will you prevent function creep? How will you ensure data quality and data minimisation? What information will you give individuals? How will you help to support their rights? What measures do you take to ensure processors comply? How do you safeguard any international transfers?

The lawful basis for processing is:

  • Employment contract
  • Contract with client for cleaning

The processing fully meets the purpose of processing.

Only the data necessary to complete the objectives of the processing is collected. Both the ClockShark and Dubsado implementations are new, and the data to be collected is well scoped and documented in the Article 30 record of processing and the Privacy Policy.

Data is transferred internationally to the USA. The transactions are encrypted end-to-end.

The Privacy Policy is available for employees and clients to review and this provides full information on the data transferred to the USA.

The security measures of both ClockShark and Dubsado are state of the art for apps supporting the SME market enabling Buton to keep the data secure.

There are no apps from UK-based companies that provide a similar level of functionality at the same cost as these two apps.

Step 5: Identify and assess risks

Describe the source of risk and nature of potential impact on individuals. Include associated compliance and corporate risks as necessary. Each risk is rated for likelihood of harm (remote, possible or probable), severity of harm (minimal, significant or severe) and overall risk (low, medium or high).

Risk 1: USA law enforcement agencies access the data held in ClockShark and/or Dubsado because a Buton Ltd employee or client is involved in criminal or terrorist activity. However, the data transferred could also be obtained very easily from the employees’ and clients’ social media accounts, with the exception of the right to work in the UK visa and passport data for self-employed contractors. Currently there are around 30 self-employed contractors plus clients.
Likelihood of harm: Remote
Severity of harm: Minimal
Overall risk: Low

Risk 2: Buton Ltd is not UK GDPR compliant due to the transfer of data to the USA in ClockShark. However, the data transferred could also be obtained very easily from the self-employed contractors’ and clients’ social media accounts. Currently there are around 30 self-employed contractors plus clients.
Likelihood of harm: Remote
Severity of harm: Minimal
Overall risk: Low

Risk 3: Dubsado is not UK GDPR compliant due to its documentation not being updated to include the UK GDPR. The Dubsado data processing agreement has the EU standard contractual clauses rather than the UK ICO’s versions. Dubsado has a UK representative, EDPO (UK) Ltd, as a point of contact for any UK GDPR compliance issues.
Likelihood of harm: Remote
Severity of harm: Minimal
Overall risk: Low

Step 6: Identify measures to reduce risk

Identify additional measures you could take to reduce or eliminate risks identified as medium or high risk in step 5.

Risk: N/A
Options to reduce or eliminate risk: N/A
Effect on risk: eliminated / reduced / accepted
Residual risk: low / medium / high
Measure approved: yes / no

Step 7: Sign off and record outcomes

For each item, record the name, position and date, and any notes.

Measures approved by:
Notes: Integrate actions back into the project plan, with date and responsibility for completion.

Residual risks approved by:
Notes: If accepting any residual high risk, consult the ICO before going ahead.

UK GDPR compliance advice provided: Bryan Altimas, Riverside Court Consulting Ltd
Notes: The DPO should advise on compliance, step 6 measures and whether processing can proceed.

Summary of DPO advice: There is a very small risk that US law enforcement and security agencies could access the data (as per the Schrems II decision). Buton is an SME company providing cleaning services. It is very unlikely that a client or any of the 30 self-employed contractors would be of interest to US law enforcement and security agencies.

The data that would be of interest to US law enforcement and security agencies, such as name, address, location data and other data, is accessible from the self-employed contractors’ and clients’ social media accounts rather than by obtaining it from Buton’s business systems.

The security controls of Buton Ltd and the app providers minimise unauthorised access to the data.

DPO advice accepted or overruled by:
Notes: If overruled, you must explain your reasons.
Comments:

Consultation responses reviewed by:
Notes: If your decision departs from individuals’ views, you must explain your reasons.
Comments:

This DPIA will be kept under review by:
Notes: The DPO should also review ongoing compliance with the DPIA.
