With GDPR (General Data Protection Regulation) on the horizon, we are increasingly speaking to customers about how they can adjust their systems and processes to accommodate the replacement for the old Data Protection Directive.
From 25 May 2018 the new regulation applies directly across the EU and has wide-ranging implications for businesses large and small, with potential fines for non-compliance far more significant than those currently available (up to €20 million or 4% of worldwide annual turnover, whichever is higher).
You’ll find lots of information online about the new regulation, and bringing your systems in line doesn’t have to be time-consuming or expensive. Here we look at how we’ve been helping our clients adjust their systems to accommodate the regulation and avoid potential pitfalls.
What counts as personal data
The definition of personal data has been broadened and clarified. Data you may have collected in the past, such as IP addresses, cookie and device identifiers, customer reference codes or location data, now explicitly counts as personal data where it can be linked to an individual, and even apparently innocuous fields such as gender can become identifying when combined with other data.
Your software consultant can help build systems that consolidate and cross-reference all your data sources and provide a “single view” of that data. This will help you determine whether the data you hold, in combination, identifies individuals and therefore falls under the regulation.
With your single view of data you can also determine whether you really need to keep each item for the purpose it was originally collected. Data minimisation and purpose limitation are principles of the regulation, so data you cannot justify holding is best deleted rather than kept “just in case”.
Breach notification
It will become a requirement to report personal data breaches to the Information Commissioner’s Office (ICO), unless the breach is unlikely to result in a risk to individuals, and to notify the affected individuals without undue delay where the breach is likely to result in a high risk to them.
Your IT department will be monitoring your networks for potential data breaches, but should a breach occur a procedure needs to be in place to prepare and disseminate an accurate breach notification. The regulator must be notified within 72 hours of your becoming aware of the breach, so the notification should be planned in advance: who decides whether a breach is notifiable, what information the notification must contain (the nature of the breach, the categories and approximate numbers of individuals and records affected, the likely consequences and the measures taken), and where that information comes from in your logs and systems. You should also keep an internal record of every breach, including those you decide not to notify, with the reasoning behind that decision.
The right to be forgotten
Individuals now have the right to have their personal data erased in certain circumstances, for example where the data is no longer necessary for the purpose it was collected for, or where they withdraw the consent on which the processing was based. It is therefore important that you have procedures in place to receive, verify and fulfil requests to delete data: you must be satisfied that the requester is who they claim to be, and you generally have one month to respond.
Your software consultancy can work with you to ensure your systems can easily and quickly accommodate requests to delete data, and that deleting an individual’s records does not adversely affect other parts of what can sometimes be very complicated databases, for example where other records depend on them.
It’s important to remember that your data backups would often fall under the right to be forgotten too, so the process of deleting data should include them. Where backups cannot be selectively edited, the process should at least record the erasure so that the data is not silently reinstated if a backup is ever restored.
Consent
The requirement to obtain consent from individuals to process and store their data has been tightened up. Consent must now be freely given, specific, informed and unambiguous, and given by a clear affirmative action, so pre-ticked boxes, silence or inactivity are no longer considered consent. It must also be as easy to withdraw consent as it was to give it. Consent is only one of several lawful bases for processing, so it is worth checking whether another basis, such as performance of a contract, fits your processing better before relying on it.
You will doubtless need to change your various end user interfaces to update the consent mechanisms, and to record that consent has explicitly been given: who consented, when, to what, and how (including the wording they were shown at the time), since you must be able to demonstrate that valid consent was obtained. Your software consultant can help make the changes required to become compliant.
Whatever stage you are at in your GDPR compliance journey, we can help adjust your systems and processes to accommodate the new regulation.