This is the skip to content link for screen readers

Introducing the new GDPR e-learning course

Watch again

Q & A

Q: How does Workrite store the data of our employees?

A: The WorkRite data is stored within a pseudonymised database held in the Microsoft AZURE cloud within the EU, encrypted to AES256 at rest.

Q: How long should we keep DSE assessments?

A: Posturite will retain the data for an indefinite period while (a) you remained in contract to the organisation and (b) you have not provided the organisation with a retention period that you require. Should you provide a retention period definition for your data, this would be applied. How long you as the customer should retain the data is a matter for your HR/HSE team.

Q: If there is a defined date for deletion of DSE's will the WorkRite software do this automatically?

A: Provided you have provided us with a retention period for your data, we can apply automated controls to delete your data once the retention period has been reached.

Q: Can you list the personal data stored within the DSE assessments and explain the legitimate reason for keeping this once GDPR is implemented?

A: Each customer has a variation of data recorded however, the primary ones are Employee Names, Employment Addresses, Telephone numbers, Employee Email Addresses, Job titles, Health details. These details may not be only a legitimate reason for holding the data but could be a legal requirement in relation of HSE requirements in terms of DSE regulations.

Q: Do you have a data register for DSE assessments, if so can you share it?

A: No and No. We would not see any reason for creating such and if we did, it would be against all the data protection regulations to share such wide-ranging information.

Q: 6. In the GDPR course under 1. What is GDPR? Lawful basis seems to be missing a point. My understanding from ICO is there is a 6th basis- legitimate reason. Please advise?

A: Article 6 of GDPR states that 'Processing shall be lawful only if and to the extent that at least one of the following applies':

  1. (a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
  2. (b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
  3. (c) processing is necessary for compliance with a legal obligation to which the controller is subject;
  4. (d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;
  5. (e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
  6. (f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

Point (f) of the first subparagraph shall not apply to processing carried out by public authorities in the performance of their tasks.

Legitimate interest is wide ranging however, an example I will use is that a HR department may need some non- legally required information from you to provide you with some employee benefits.

Q: Is there a reason that legitimate interests is not included in the list of lawful basis?

A: We will be revising the content to include this.

Q: I am using Workrite for a client DSE. do my reports prevent those with admin access from opening unless they are part of the users’ consent?

A: The collection of data in relation to the DSE assessment may be obtained under a legal requirement (HSE) so another person may need to review the data in exercising that legal requirement to perform a regulatory required action on making sure that you are not at risk. Where there is a legal requirement, consent may well not be required.

Q: Will DPA 1998 still stand alongside GDPR, or will DPA 1998 be replaced in its entirety by GDPR? or will DPA be replaced / updated by DPA 2018?

A: Yes, in some places it will until such time as the DPA 1998 is repealed by the DPA 2018. However, where there is currently a conflict, GDPR will take precedence, where GDPR does not cover such an issue and the DPA 1998 does cover that subject, the DPA 1998 still stands. One such is instance is the requirement to register with a supervisory authority, not covered in GDPR, but still required un DPA 1998.

Q: How does GDPR affect Health & Safety / accident / incident investigation?

A: It doesn’t, where there is a conflict between UK statute law and GDPR, the UK Statue law will take precedence for instance, HMRC, HSE etc.

Q: How does this impact sub-processors? So, for example small freelancers who process on behalf of the processor?

A: Small freelancers NEED to register with a Supervisory Authority, here in the UK, it is the ICO if the small freelancer processes ANY Personal Information. In short, where any Personal Information is processed, GDPR applies regardless of quantity. To see if you need to register, follow this link and answer the 35 or so questions and this will provide some guidance.

Q: How is the integrity of the data maintained?

A: By manging access and recording who has done what, when and where. Additionally, regular backups are taken so should anything untoward occur, we can restore promptly.

Q: Question on consent for processing children’s data - article 8 states that parental consent is only required in relation to the offer of information society services only - the slide implies that parental consent is required for all processing of children’s data - please advise?

A: Article 8 of GDPR covers children’s consent, especially if they are under 13 years of age and between 13 and 16. GDPR states “the processing of the personal data of a child shall be lawful where the child is at least 16 years old. Where the child is below the age of 16 years, such processing shall be lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child”. So, in effect, at that moment in time, who has parental responsibility over that child. Now, this covers consent, where there is a legal requirement or vested interest (say a child is taken to A&E by a school / club), then consent would not be required.

Date & time

Friday 27 April 2018, 12.30pm


Ryan Church, WorkRite Sales Manager, Posturite

Chris Jones, Technical Director, Posturite


As you may already know, we’ve recently launched a new General Data Protection Regulations (GDPR) e-learning course to help employers and their employees understand what may be required of them when the new regulations come into force in May.

In this webinar our software experts Ryan and Chris will introduce some of the course content and discuss how GDPR will replace our existing Data Protection Act course.

We will also take this chance to explain how GDPR will affect some aspects of WorkRite, and how this will serve to strengthen the security of any data shared with us.

About the speakers

Ryan Church

Prior to joining Posturite, Ryan spent three years as a personal trainer and a further three in the telecoms industry. This gave him a sound understanding of both the human body and the various technologies that can be found in the marketplace, all of which can be closely related to the products and services provided by Posturite’s WorkRite division. His role now is primarily to ensure our customers understand the features and benefits of our suite of e-learning courses and systems.

Chris Jones

Chris, our Technical Director, has a wealth of technology experience across a wide variety of SMEs, including manufacturing, charities, restaurants and financial services. Having gained a BSc in Computer Science, Chris specialises in matching technology solutions with business needs. With a keen interest in AI, automation and logistics, Chris enjoys exploring how these technologies can be applied to the real world.