Is your software GDPR ready? #3 – Locating your data

Where is your data actually located?

This one will apply if you use, or if you’re thinking of investing in, cloud software or storage services.

We’re so used to buying into this idea of the ‘cloud’ as if it’s somewhere untouchable and almost, quite literally, in the air – but actually, all it really means is your data is stored on a server that’s not on your premises and the hardware is not managed directly by you.

As dreamy as it is to think of all that data floating around in a protected extra dimension up in cyberspace, unfortunately, it’s all very much down to earth and subject to GDPR.

Why? Because how and where you store your data comes under scrutiny under GDPR, as defined in the 6th principle that states that data must be processed and stored “using appropriate technical or organisational measures”.

Basically, under GDPR, neglecting scrutiny on your data hosting providers can leave you in as bad a position as if you left your filing cabinet full of customer information open on the shop floor under the Data Protection Act.

Keeping your cloud services GDPR compliant

The question you need to ask of your cloud service providers is: where are their data centres and who manages them?

Any good software or app provider will be upfront about this, and even where they use reseller or mediated hosting services to provide cloud hosting to you – such as Microsoft Azure or Amazon Web Services – they will be happy to tell you which country or territory their data centres are in and who manages them.

Your providers should also be able to tell you what – if any – additional processes, accreditations and/or standards they have in place for managing their data centres and servers. A great example of this can be seen on Mailchimp’s page about how they protect the security of your data.

Importantly, if you use any plug-ins on your website to process personal data (for example, your ‘contact us’ forms), you will want to look into whether they use any cloud servers as well – looking at the providers’ Terms & Conditions or Privacy Notice on their website is a good place to start.

You’ll also want to check whether your service providers are meeting their own obligations under GDPR – for example, whether they have registered with a relevant regional supervisory office as data controllers. In the UK, where the supervisory agency is the Information Commissioner’s Office, it’s really easy to search the register of data controllers with just the company’s name.

Although it might seem like this can cause more headaches – when, after all, you’ve already bought, or you’re looking to buy, software in order to solve some headaches – ultimately, the data you’re handing over belongs to you, and you are responsible for choosing the right cloud service providers to look after it on your behalf.

Why the benefits of cloud services with GDPR still outweigh the risks

With the right cloud services provider in place, the benefits to your ongoing GDPR compliance can far outweigh the risks. First and foremost, you’ll get the benefits of saving the time, resource and money required for looking after physical servers on your premises: your cloud servers will always be kept up to date with security patches and software updates (and you will save on the cost of replacement at the end of life).

Secondly, you will have the confidence in the ongoing security and care of your software and data by knowing that the servers are managed effectively and properly to the expectations set out by GDPR.

This isn’t to say that, even with the right cloud service providers in place, you can guarantee that there won’t be any breaches or problems in the future – threats to cyber security are ever-growing and changing at an astonishing rate.

However, it does mean that in the event that your data is compromised through your cloud service providers, you will be able to demonstrate that you made an informed decision when you chose to use them and have therefore done your part in meeting the principle of data protection by ‘design and default’.

We’re hiring! Could you be our Business Support Assistant?

We're hiring!

Vacancy: Business Support Assistant (Part Time)

We’re looking for an enthusiastic individual with a shining personality to join our close-knit and busy team in Chester!

Who are MCPC Systems?

We are a friendly, independent and family-owned software house that develops, supplies and supports bespoke software applications to local government and SMEs.

We are committed to helping organisations, whatever their size, get the very best from their services and operations using quality, cost-effective digital technologies. Our team ensures that customers get so much more than a software package when they choose us. 

Key details of the role

Salary: £11,734 (£22,000 FTE)

Term: Permanent employee, subject to 3 month probationary period

Location: Saltney (just outside of Chester), Flintshire with home-working opportunities

Hours: 20hrs per week (flexible, with opportunities to increase hours down the line)

Start: ASAP

Must have a car

Your responsibilities

    • Supporting our business development by prospecting, generating and following up sales enquiries in line with our marketing and sales targets
    • Setting up meetings and product demos, and compiling quotes and proposals for customers
    • Managing our blogs and website content, and our social media accounts (LinkedIn, Twitter, Facebook & YouTube), and tracking their performance
    • Building our local and industry presence and network by attending networking groups and meetings in the area
    • Supporting other members of our team with general administration tasks
    • Helping to retain our existing customers and contracts through account reviews

What we’re looking for in you

    • A commitment to MCPC’s vision, mission and goals for the future of our business
    • Excellent communication and customer service skills, including in person, telephone and email manner
    • Fantastic organisation and administrative skills
    • An interest and savviness for social media and content marketing on platforms including WordPress, LinkedIn, Twitter and Mailchimp (with willingness to undertake further training if needed)
    • Good general education and/or experience in maths, English and business administration
    • An enthusiasm for teamworking and building relationships with other members of our team, our clients and industry influencers
    • Sharp attention for detail and problem-solving
    • Proficiency in Windows desktop and all the usual Office applications (Outlook, Word, Excel)

Naturally for our line of business, some knowledge and experience of computing, software and development for Windows platforms, alongside an understanding of public sector/local government, is an advantage. However, don’t let this put you off!

If you meet our other criteria and have a shining personality to mix with our small team, we’ll provide the training and learning opportunities you need to succeed in this role.

How to apply

Please send your CV and cover letter to Charlotte Girow, Director of Business Development: [email protected]

Closing date for applications: Friday 6th July 2018

Interview dates: w/c 9th July 2018

Start date: ASAP

Data protection

We’re committed to protecting and processing your personal data in line with the standards set out by GDPR. When you submit your application to MCPC, and if you enter employment with us, we’ll process your personal information as we have set out in our Privacy notice for employees, workers & contractors.

Polite (but important) notice to recruitment agencies and vacancy advertisement services

This vacancy is open to direct applications only. We work with an established and approved list of recruitment agencies and vacancy advertisers, and we ask you not to contact MCPC or any of our staff for direct marketing of your services or candidates in relation to this advert.

Is your software GDPR ready? #2 – Managing the ‘right to be forgotten’

How does your software allow you to manage the ‘right to be forgotten’?

The right to be forgotten is more formally known as the ‘right to erasure’ in GDPR. It means that when an individual requests that you remove or stop processing their personal information, you must be able to do it within 30 days of their request.

It all comes back to the focus of GDPR being to enhance the rights that individuals have over their personal information and data.

Therefore, like when managing the ‘right to access’ for your data subjects that we discussed in part 1 of this series, you must also be able to comply with any requests for erasure free of charge unless you can demonstrate that the request is ‘manifestly unfounded’ or ‘excessive’.

Can I refuse a request to be forgotten?

GDPR does set out a number of instances where an organisation can refuse a request by an individual to be forgotten – for example, if your processing of their information relates to exercising the freedom of expression, or if you’re complying with legal obligations. A full list of reasons is available on the Information Commissioner’s Office website.

That shouldn’t be an excuse for complacency though, as it’s likely that most of the processing you do will not be covered by these exemptions.

So when does the right to be forgotten apply? For the most part, it will be when you’re processing an individual’s personal information with consent as your lawful basis for doing so (for example, if you’re marketing to that person).

It will also apply if you started processing or storing someone’s personal information with legitimate interests as your lawful basis for processing (such as fulfilling a customer’s order or investigating a complaint), but at the time you receive the request to be forgotten, those legitimate interests are no longer relevant or you cannot identify any overriding legitimate interests that would justify your refusal of the request.

The problem with ‘deleting’ personal information in order to ‘forget’ it

As far as the personal information contained in your software or database packages is concerned, you might think that complying with an individual’s request to be forgotten is as simple as hitting the ‘delete’ button for their record(s).

In some cases, this may well be true and it’s an easy job done. However, before settling on this as your approach to handling requests to be forgotten, it’s worth looking at whether simply deleting records has any further implications in your software.

The trick is identifying how best to meet your obligations for complying with the right to be forgotten without impacting the value of other non-personal information and data you have in your software.

For example, if you’re using a CRM package to manage your sales process, you should investigate whether deleting an individual’s record will also delete records of activity associated with it – such as conversations, quotations, order history or other points of contact.

Of course, you may have to remove some of this information as part of processing the request (specifically, if those records also contain personal information). But you should also check if this will consequently affect your top-level statistics and reports, such as those used for measuring any of your key performance indicators.

A better way to manage the right to be forgotten?

If deleting records outright will negatively impact the overall benefits that you get from your software, then it would be worthwhile looking into other options for managing requests to be forgotten.

One of these options would be seeing if your software contains options for anonymising records of personal information. This would mean having the ability to remove or permanently mask all the personal data in your records, while any other details on that record will stay untouched.

On the proviso that you will not be able to identify the person through the remaining information after you’ve anonymised the record, in many cases anonymisation will be preferable to straightforward deletion.

However you choose to fulfil requests to be forgotten, importantly, the options that are available to you in your software will depend on how your supplier has designed and structured the database that operates in the background.

For instance, if you do choose to remove rather than anonymise records, you should try to find out what your software does in the background when it ‘deletes’ something: does it actually delete it, or does it just hide it from your view? This matters as it may determine if information could accidentally be recovered by someone who wasn’t aware it was removed following a request to be forgotten.

What goes on in the background of your software may not be entirely obvious from what you see on your screen, so it would be worthwhile getting as much information as you can from your software providers before planning your procedure for requests to be forgotten.
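As an added illustration (not code from MCPC or from any particular CRM package), the sketch below uses a constructed SQLite layout to contrast a ‘delete’ that only hides a record with anonymisation that scrubs the personal fields while leaving order totals intact. Every table, column and function name here is an assumption made for the example.

```python
import sqlite3

# Constructed CRM schema and rows, for illustration only.
SCHEMA = """
CREATE TABLE customers (
    id INTEGER PRIMARY KEY,
    name TEXT, email TEXT, phone TEXT,
    is_deleted INTEGER NOT NULL DEFAULT 0,  -- 'soft delete' flag: hides the row in the UI
    anonymised_at TEXT
);
CREATE TABLE orders (
    id INTEGER PRIMARY KEY,
    customer_id INTEGER NOT NULL REFERENCES customers(id),
    total_pence INTEGER NOT NULL,
    delivery_note TEXT                      -- free text, may contain personal data
);
"""

def build_demo_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany(
        "INSERT INTO customers (id, name, email, phone) VALUES (?, ?, ?, ?)",
        [(1, "Alice Example", "alice@example.com", "01234 567890"),
         (2, "Bob Sample", "bob@example.com", "01234 098765")])
    db.executemany(
        "INSERT INTO orders (customer_id, total_pence, delivery_note) VALUES (?, ?, ?)",
        [(1, 12000, "Leave with Alice's neighbour at no. 7"),
         (1, 4500, None),
         (2, 8000, "Call Bob on arrival")])
    db.commit()
    return db

def total_revenue(db):
    """A top-level report figure that must survive an erasure request."""
    return db.execute("SELECT SUM(total_pence) FROM orders").fetchone()[0]

def soft_delete(db, customer_id):
    """What some packages do on 'delete': flag the row as hidden, keep the data."""
    db.execute("UPDATE customers SET is_deleted = 1 WHERE id = ?", (customer_id,))
    db.commit()

def anonymise(db, customer_id):
    """Overwrite personal fields in place; the row stays so orders and totals survive."""
    with db:  # one transaction: either every field is scrubbed or none is
        db.execute(
            """UPDATE customers
               SET name = 'REDACTED', email = NULL, phone = NULL,
                   anonymised_at = datetime('now')
               WHERE id = ?""", (customer_id,))
        db.execute("UPDATE orders SET delivery_note = NULL WHERE customer_id = ?",
                   (customer_id,))

def residual_personal_data(db, customer_id):
    """List columns still holding this person's data, hidden rows included."""
    found = []
    row = db.execute("SELECT name, email, phone FROM customers WHERE id = ?",
                     (customer_id,)).fetchone()
    for column, value in zip(("name", "email", "phone"), row or ()):
        if value not in (None, "REDACTED"):
            found.append("customers." + column)
    notes = db.execute(
        "SELECT COUNT(*) FROM orders WHERE customer_id = ? AND delivery_note IS NOT NULL",
        (customer_id,)).fetchone()[0]
    if notes:
        found.append("orders.delivery_note")
    return found

if __name__ == "__main__":
    db = build_demo_db()
    before = total_revenue(db)
    soft_delete(db, 1)
    print("after soft delete:", residual_personal_data(db, 1))
    anonymise(db, 1)
    print("after anonymise:  ", residual_personal_data(db, 1))
    print("revenue unchanged:", total_revenue(db) == before)
```

The check covers only the live database in this sketch; copies held in backups, exports or email archives need their own answer from your supplier.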

Is your software GDPR ready? #1 – Subject access requests

Is your software GDPR ready? Q#1) How easy is it to retrieve all the information you have about one person?

Under GDPR, any individual can write to you and ask for a copy of all the personal information that you have about them, as well as the reason why you have that information about them and who else has access to that information. This type of request is known as a ‘subject access request’, and is covered under GDPR’s ‘right of access’ for data subjects.

Individuals might make these subject access requests to your company to check the accuracy of the personal data you have about them, or to verify the lawfulness of the reasons why you have that information to begin with.

This actually isn’t too different to an individual’s rights under the outgoing Data Protection Act (DPA) – so, really, individuals have had the right to do this for a number of years already.

The key difference here is that under the DPA, companies could issue a nominal charge for complying with this service; under GDPR, you have to comply with subject access requests for free unless you can demonstrate that it is a ‘manifestly unfounded’ or ‘excessive’ request, as per advice from the Information Commissioner’s Office.

On top of that, businesses are obligated to deliver on this service promptly: you must be able to supply all the information you have about the individual to them within 30 days of their request, and in an easily accessible format (for example, in an email or by post).

Unfortunately, the fact is that handling subject access requests under GDPR is an inconvenience that your business must be prepared to shoulder.

Making subject access requests as painless as possible

However, regardless of whether you expect you might be handling these requests regularly or once in a blue moon, there are still ways you can prepare now so that you’ll be able to deliver on your obligations easily and quickly, without draining your business’s time and resource – and therefore keep the costs of doing so to a minimum – while also protecting yourself against any potential liabilities or fines for not doing so.

Getting a written procedure together to build a step-by-step process for handling subject access requests is by far the best way to prepare for any you may face – but to do that, you’ll first need to check where and how – and, importantly, why – you store personal information, and part of that will include the software that you use for these purposes.

The need for promptness in answering subject access requests and returning information in ‘easily accessible’ format is where it becomes important to look at the features that are provided within the software packages you use to handle personal information.

Relevant software packages to look at will include not just your customer relationship management (CRM) system, but likely also your finance and accounting system, libraries on your computer or network, email archives and email marketing apps, as well as any ancillary apps you use to run your business (for example, at MCPC we use a ticketing system for managing support requests from our customers).

First of all, you’ll want to test how easy it is (or isn’t) to find all the information you have on an individual in your systems, and then you’ll need to look into the options you have for exporting that information quickly and concisely.

How do you deliver information for subject access requests?

Probably the best format to choose wherever possible will be PDF: if you’re answering the subject access request by email, PDFs can easily be read by anyone using readily available tools (unlike other file formats), and it’s also a print-ready format if you plan to answer the request by post.

If the only export options for saving personal information from your chosen software are uncommon file types, or present the information in a way that’s hard to read and understand, you’ll need to look at ways in which you can improve this before responding to the request. Otherwise, it could be argued that you haven’t met your obligations.

In this case, if you suspect this may be a risk going forward, it would be worth speaking to your software provider to see what they can do to make it easier for you. As much as handling a subject access request might seem a headache to begin with, it would be a terrible use of your or your team’s time to be shoehorned into manually extracting, formatting or copying information held in your systems to comply with your obligations under GDPR.

Other things to think about in subject access requests

Beside the information you keep in your software, you’ll also have to supply copies of any personal information you have in paper records as part of subject access requests.

As part of preparing your procedure for handling subject access requests, it’s worth looking at how efficiently you can find, and make copies of, any information held in your paper-based systems. This is bearing in mind that you may need to update that information if the individual comes back to you with requests to do so, and that you will also need to tell the individual if you don’t have any information on them.

Is your software GDPR ready? Read our upcoming blog series to find out!

By now you’ve probably heard a lot about GDPR, but have you thought about how it will affect the software you use?

GDPR is one of the single biggest changes to the business landscape in recent years and it’s had many businesses in a twist – including software providers such as sales platforms, email marketing platforms, and any software you keep business data in – probably because it’s hard to imagine a type of business that isn’t going to be affected by it in some form.

Software providers have an even greater obligation under GDPR, as, like marketers and data analysts, the GDPR also affects the very products and services we provide to you as customers – not just the way we do business ourselves. It’s therefore in our best interest to be transparent and forward-thinking about how we’re going to help you manage your obligations under GDPR with our software products and services.

Whether we realise it or not, we buy and use software products produced all over the world – often at the simple click of a button. GDPR is an EU directive – although this doesn’t mean it will go away after Brexit, as the UK have already signed it into British law.

Ultimately you are responsible for how you manage, process and store personal information under GDPR. The key here is knowing what your obligations are and checking that the software solutions you use or choose to buy going forward will help you meet your obligations. This is rather than the far more risky approach of assuming your software will have you covered when you need it – which could leave you liable for hefty action and fines if anything goes wrong with the software you use.

Why GDPR matters for your software

Good software packages are probably some of the most valuable tools in any business’s kit of tricks – including yours. From customer relationship management (CRM) systems to accounting packages, productivity apps to full-scale enterprise resource planning (ERP) systems, in your business you will likely have a number of software systems that you rely on to deliver your services effectively.

Equally, most of the software you use will have at least some form of personal data in it.

Under GDPR, personal data means any information that can be used to identify a living person – including obvious pieces of data such as names, addresses, contact details, but also more specific data such as photographs, biometric information and voice recordings.

Understanding what kinds of personal information you process and how you store it are only the first steps to getting your business GDPR ready. Thereafter, most best practice guidelines will suggest putting policies and procedures in place to help you manage your relevant obligations under GDPR going forward.

Naturally then, your policies and procedures should also cover how you manage personal information in electronic or digital forms – basically, in software or databases – as well as your paper records.

In a specific sense, this is important for demonstrating how your business meets the GDPR’s explicit requirement for ‘data protection by design and by default’.

In essence, this requirement means that protecting personal data must be at the centre of your considerations where your business undertakes any activity that includes the processing of personal information – including which software you choose to use for doing so.

What we’re going to cover in our blog series

Over the next five blogs, we’re going to cover some of the things you should expect from the current software you use in your business, as well as things to think about for any new software you purchase going forward with GDPR in place.

We’ll be thinking about how software can help you (or not help you) to manage your new obligations under GDPR – including managing subject access requests, cloud services, the right to be forgotten and more.

You’ll pick up helpful tips and things to think about when looking at how you use your current software, as well as what to ask potential vendors when looking at buying new software.

Free Event: General Data Protection Regulation (GDPR) in practice

“GDPR in practice: how to kick start your compliance journey” 

With the countdown fast approaching, here at MCPC Systems we thought we’d share our GDPR journey with you, the steps we’ve taken so far and what we’re planning to do moving forward.

We’re hoping by doing this it will help you kick start your own path towards compliance and avoid any unnecessary headaches – or more importantly, fines.

So we are hosting two FREE to attend event opportunities on Tuesday 6th March at our new office base on River Lane at Viscount House, Saltney, Flintshire.

To learn more & book spaces please follow this link. Spaces are limited so please don’t delay in reserving your place.


MCPC’s 2017 Christmas opening hours

Wishing you a very merry Christmas and a happy new year!

A very happy Christmas to all of our customers, suppliers, colleagues and friends at MCPC

With less than a week to go before Christmas, it’s time to wish all of our customers, suppliers, colleagues and friends a wonderful festive season and a fabulous new year.

After a fantastic 2017 – where we welcomed many new customers to our midst, introduced two new software products – Aardvark and Orka – to our range, moved premises and launched a brand new company image – we’re looking forward to getting stuck into 2018 with even more excitement.

MCPC’s offices will be closed for business from 12:00pm on Thursday, 21st December until 8:30am on Tuesday, 2nd January 2018. You will still be able to email your support requests to [email protected] while our offices are closed for immediate attention when we reopen in January.

We look forward to speaking with all of our customers – new and old! – again in 2018, and we wish you all a joyful Christmastime in the meantime.

Move Complete

We have moved successfully and are settling into our new base. All lines of communication are open, including telephone lines. However, due to a current intermittent issue with the phone line supplied by BT, an alternative number is available to call should you experience any problem contacting us.

We apologise for any inconvenience caused by our move to larger premises. Thank you for your understanding at this time.

Important Notice: Office Closure Friday 24th November, 2017

MCPC Systems (UK) Ltd are on the move

After three happy years at our current location we are moving to new premises. This move is to allow us to accommodate our recent growth in personnel and our future plans. Our new base is located further upstream on the River Dee and the postal address will be:

The Annexe,

Viscount House

River Lane, Saltney

Chester, Flintshire


To facilitate this move, our office and helpdesk will be closed all day, Friday 24th November, 2017. We apologise in advance for any inconvenience this temporary, but necessary, closure may cause.

Our telephone number/email addresses remain unchanged and we look forward to answering your calls from our new offices when we re-open on Monday 27th November.

Despite the new postal address we will still be in Flintshire, Wales! Cymru am Byth.

2017 Best Allotment Site In North West Winners Announced

2017 Winners of Dave Cartner Memorial Shield

MCPC Systems are delighted to announce that this year’s winners of the “Dave Cartner Memorial Shield” for the best allotment site in the North West of England are the Moss Park Allotments in Stretford, Manchester.

A big congratulations goes out to their plot holders, committee members and volunteers who have contributed to their success. We’re looking forward to coming on site for the presentation of the award and prizes, and to picking up some tips.

A worthy mention and well done to 2nd placed site Walton Road Allotments, Sale, and runner-up site Tindall St Allotments, in Salford. A big thank you to fellow sponsors of prizes, J Maher Ltd.

The competition is an annual event organised and run by the North West Counties Allotment Association, the regional representatives of the National Society of Allotment & Leisure Gardeners (NSALG). Entrants are required to submit 200 words and four images.

MCPC Systems became involved at the behest of our founder, Dave Cartner, who very sadly passed away as the first competition got under way in 2015. The family of Dave and staff at MCPC Systems were honoured at the subsequent suggestion that the shield awarded to the winners would commemorate his name and lifelong passion for horticulture.

We had a great time visiting last year’s winner Stan Pennington Allotments in St Helens, so it is with much anticipation that we look forward to visiting the winning site later this month.