How to manage data under GDPR, part one
The General Data Protection Regulation enforcement day is quickly approaching. On May 25th, all businesses that collect data on any EU citizen will have to conform to the new law. Despite its looming presence, many firms, particularly smaller ones, are not prepared for its requirements. Compliance with the law necessitates huge changes in how data is collected, stored and processed.
The full official wording of the regulation can be viewed here and its depth is arguably why so many haven’t implemented all the necessary changes and confusion still exists. So, in order to cut through the noise and provide small businesses with straightforward practical advice, we’ve done the hard work of reading the regulation and have identified the key points.
Article 15 – Right of access
This article relates to managing requests from customers and other stakeholders about the data you hold on them – both digitally and physically. Requests can include them simply wanting confirmation that their information is being stored and processed, or they may ask to see exactly what data is held. Anyone is entitled to make such a request to any organisation. Data must be provided in a readable format and sent via the channel of the requestor’s preference. Typically, there can’t be an associated charge and businesses must respond within 28 days.
Companies must have access to tools that can search and consolidate all data into a readable format. This ensures that all customer information can be effortlessly found when needed, with templates available to streamline the creation of correspondence down to a few clicks.
Article 16 – Right to rectification
An individual has the right to request that information held on them is amended or rectified without delay. This also means that any data held that is incomplete must be completed as part of the request. Organisations have 28 days to fulfil requested amendments.
Once data has been rectified, the legislation also states that the data subject must be informed that it has been completed. In most cases, the request for rectification will follow from a request to provide information on the data held.
In order to rectify and amend all information held on an individual, you need to be able to access all the data in question easily to ensure that none is allowed to slip through the net. Solutions that provide Robotic Process Automation will ensure nothing is missed.
Article 17 – Right to erasure
The ‘right to erasure’ is also known as the ‘right to be forgotten’. The broad remit to this article is that any individual has the right to request that any data held on them is deleted. It should be noted that this Article must be adhered to if there is no compelling reason for the data to be held.
Again, completing this request requires tools that can access all the information stored on a customer. Data could be split across multiple programs and documents, so ensuring that everything is deleted isn’t necessarily straight forward. Moreover, any incomplete or duplicate information must be deleted as part of any request.
In the next blog in this series, we’ll take a look at some other key articles – right to restriction, notification obligation and data protection by design.