You may be aware of the forthcoming changes to data protection across Europe. The General Data Protection Regulation (GDPR) will come into force in May 2018. The spirit of the GDPR focuses on protecting the individual, not applying controls onto companies like many other regulations.
For those businesses outside of Europe or the UK, GDPR still protects the rights of the individual even if the company managing the data is non-European. Imagine an American airline selling flights to people in the UK. The airline must ensure it complies with the GDPR, even though it is solely based in the US.
There are seven individual rights within the GDPR framework, the right:
To fulfill these rights as data controllers / processors we should be looking at the way we are currently storing and accessing data. For many years, we’ve all been guilty of keeping data for longer than is necessary and GDPR is a good excuse to finally clean up that data footprint. While it’s true that the quantity of data you have adds flexibility and a finesse to our business processes, it also brings complex challenges across a business in terms of accuracy, security, care of the data held and its proper protection.
You should investigate your current systems and suppliers to ensure they have the tools necessary to be compliant. If someone requests a right to be forgotten and your data is held in paper form as well as digital you have double the job to complete.
Getting all your systems into the digital age make the processes of storing data, removing data and monitoring retention much easier.
Ensuring your data is current and accurate is also important when it comes to the GDPR right to data portability, where data subjects can request a copy of the personal data held on them, for free. You should ensure you have enough information on the data subject to be able to verify their identity when they ask for a copy of their data to be provided otherwise you are opening yourself up to a data breach.
Ensure the security surrounding your data is current and sufficient. GDPR is a threat and an opportunity and with the ICO in the UK being funded by fines from GDPR we in the professional services industry will no doubt be at the top of the list when it comes to being targeted.