MRI Software and GDPR

GDPR refers to the General Data Protection Regulation, EU 2016-679, which took effect on 25 May 2018. GDPR applies to all companies located within the European Economic Area (and the UK until the end of the Brexit transitional period on 1 January 2021) but it also has extra-territorial reach and extends to any person organisation accessing, utilising, or processing personal information of EEA data subjects. GDPR outlines the rights due to a data subject with respect to their own Personal Information and the obligations of the data controllers and data processors with respect to that same Personal Information.

Personal Information, under GDPR, is any information relating to an identified or identifiable natural person (‘data subject’). An identifiable natural person is a person (not a business) who can be identified, directly or indirectly, by using the data without reference to separately stored information. Some examples of Personal Information would be a name, an identification number, location data, an online identifier. All data points must be viewed in light of whether that data would, without reference to separately stored information, be likely to relate to an identified or identifiable natural person.

Possibly. If the product that you are using from MRI contains Personal Information (see previous question) of an EEA data subject, then it will likely fall under GDPR. Personal Information might be stored in obvious locations, such as fields identified by the personal data label like name and address, or Personal Information may be stored in less obvious locations, for example as unstructured data such as comments, notes, custom fields, or file attachments. As the data controller, the client (you) ultimately determine what Personal Information you will store within the system and where you store it. Your record management policies should identify where you have recorded Personal Information.

As the data processor, MRI has taken and is continuing to take steps to protect the Personal Information that is intended to or likely to be stored or input into the MRI system or provided to MRI and its subcontractors. As such, it is important for you to consider the intended use of the software as an aid to your overall compliance with GDPR. As always, MRI is happy to assist you in determining recommended uses of the software fields and storage locations.

MRI is most commonly acting as the data processor and processes Personal Information in order to perform its obligations under the governing agreement between the client (you) and MRI. MRI processes information as permitted under that governing agreement. For SaaS (cloud) or MRI-hosted clients, the Personal Information is held within MRI’s systems and data centres (see more information on data centres below). For on-premise (or client-hosted) clients, the Personal Information is held within your own systems and not held by MRI. Additionally, clients will send Personal Information to MRI for implementation, testing, or support purposes.

MRI does act as a data controller also where it holds data on its clients to perform its contracts, such as if an individual is named as a billing contact in our internal CRM system or where individuals information is collected for marketing purposes so we can share updates with you or invite you to events. You can access our privacy policy here.

The type of Personal Information held will vary depending on what product lines you are using as well as how you individually are utilising the system. With that in mind, we have provided a table below that outlines what Personal Information is likely to be contained within MRI’s product lines and which data subjects are likely to be impacted. We will add additional information outlining the type of data and data subject which are likely to be held within the specific MRI products that you use on this page as it becomes available.

For specific product information click here.

MRI does not determine the lawful basis for processing. It’s for the data controller – our clients – to decide what the right lawful basis for processing personal data is and to make that clear to the data subjects in its privacy policies and processes. Consent is just one of several different bases for data processing.

Yes. MRI utilises state-of-the-art data centres for its cloud-based offerings. As of April 2018, MRI utilised data centres in London, Ireland, Germany, Chicago, Virginia, Georgia, Singapore, Netherlands, and Sydney for its production and backup environments. We will add additional information, specific to the MRI products that you use, on this page as it becomes available.

For general reference, MRI’s UK data centres are:

You can find MRI’s privacy shield status here.

For product specific information click here.

Although we cannot guarantee against all potential loss of Personal Data while processing, MRI has and will continue to institute technical measures which are appropriate to ensure a level of security which takes into account the nature, scope, context and purposes of processing of Personal Information. Where such measures cannot be accomplished automatically, we will recommend additional steps that can be taken (by either MRI or you) to continue to enhance the security of the Personal Information.

To provide one example to illustrate this, within a product suite there may be transactional records that contain Personal Information that cannot be automatically deleted or anonymised by the user real-time. These records additionally contain PDFs associated with these transactional records, for example a rent invoice. As such, MRI will provide a new routine for this product that purges the PDFs and anonymises the transactional record. This routine will operate as an automatic overnight process and will purge and anonymise based on a record retention policy value (i.e. 12 years) that you set within the system configuration and based upon your record retention policy.

MRI has and will continue to institute organisational measures which are appropriate to ensure a level of security which takes into account the nature, scope, context and purposes of processing of Personal Information. Specifically, MRI maintains a document information security plan which outlines the physical, technical, and organisational security guidelines, including outlined training, awareness and employee vetting procedures. MRI’s information security plan also outlines the encryption of client data, disaster recovery and business continuity plans, vulnerability testing, security audits, and data breach procedures.

As one example, MRI maintains employment policies relating to the handling of Personal Information, which ensures that access is restricted to authorised personnel only. These policies include password requirements, user authentication, and confidentiality obligations. MRI regularly trains its staff and management on these policies and monitors compliance with the same. Additionally, MRI’s Information Security Team and Data Privacy Practitioner(s) regularly monitor the policies, training and compliance with the same.

For specific product information click here.

You can protect the Personal Information of your data subject by establishing suitable controls and policies with respect to this information within your organisation which are aimed at preventing unauthorised access to the software and infrastructure where the data will be stored. Your controls may include education, and training to users about the importance of protecting the data, user authentication policies, user roles, privileges, security rights, segregation of duties and access management.

In addition, MRI provides its customers with tools which enable you, as the data controller, to set security controls to protect the Personal Information within your company. These tools will vary based on the products and delivery mechanism purchased (i.e. SaaS/cloud-based v. on-premise installation).

For specific product information click here.

MRI is committed to protecting the security of the client data within its systems. MRI has processes and protection in place to investigate any potential data breach, notify affected client(s) of such breach, provide information to the client related to the data breach, contain and correct the data breach, and to mitigate the effects of the data breach. Additionally, if a data breach were ever to occur, MRI will work with its clients to comply with the clients’ own obligations under GDPR.

For specific product information click here.

You will need to identify through your record management policies where that Personal Information is held (for example in structured and unstructured data fields) and then use the reporting features of the software to provide this, which could be a mixture of screen copies, spreadsheets or reports. Please contact MRI’s support team if you are having trouble extracting this information. Support will be provided in accordance with your governing agreement in place with MRI.

For specific product information click here.

Most of our products provide you with the ability to delete Personal Information manually from the user interface within the active system. For those records that cannot be deleted using the user interface, you may have the ability to anonymise it so that it no longer identifies that individual by overwriting the fields that store the Personal Information, thus eliminating the data as Personal Information. If you have questions about deleting or overwriting such information, please contact MRI’s support team. Support will be provided in accordance with your governing agreement in place with MRI.

If you need to permanently delete or overwrite information stored within MRI’s backup data centres, please contact MRI’s support team as the process differs based on the length of time the Personal Information has been residing within the system. Support will be provided in accordance with your governing agreement in place with MRI.

For specific product information click here.

MRI does not proactively delete Personal Information while you are still a client of MRI’s. If during that time you need to delete Personal Information, you will need to make those changes through the user interface or contact MRI support for assistance. Support will be provided in accordance with your governing agreement in place with MRI. While you are a still a client of MRI’s, MRI will make regular backups of the database for backup and data restoration purposes.

Once you are no longer an active client and your contractual term has expired, MRI will remove your database, including all data, from its active environment and the database will not be included in periodic backup logs that are captured in the future.

For specific product information click here.

MRI protects the privacy and security of the Personal Information that is entrusted to it. In order to maintain that privacy, we do not allow any of our clients to audit our systems or records, as such an audit could expose Personal Information of other data subjects and other clients. However, MRI does maintain records and information that are necessary to demonstrate its compliance with the data protection laws applicable to it in the processing of Personal Information. This information can be made available to our clients upon request.

If you feel that an audit of MRI’s systems is fundamentally required for your organisation, then we encourage you to reach out to your Account Manager to discuss alternatives. Such alternatives can only be considered if your database is housed within a dedicated SaaS environment, which you will need to purchase, and will come with restrictions.

Many of our products provide you with the ability to correct Personal Information manually from the user interface within the active system. To start, you will need to identify, through your record management policies, where the Personal Information in question is being held and then update it.

If you are unable to perform this task within the user interface, please contact MRI’s client support for assistance.

MRI has a Data Privacy Practitioner(s) who oversees the organisation’s privacy practices and ensures ongoing GDPR compliance. The Data Privacy Practitioner can be reached at DataPrivacyPractitioner@mrisoftware.com.

Where MRI is required by law to perform certain activities, we generally do not proactively contract for the same requirements. Where the obligations are not imposed automatically, or the client is required to have them outlined in contract, MRI does have a contractual addendum related to GDPR that you can obtain through your Account Representative. As such an addendum relates directly to MRI’s security and internal policies, we do not often incorporate a client’s data security addendum without revision.