Simplifying the complexities: how to manage data under GDPR, part two
In this blog series, we are taking the wordy General Data Protection Regulation (GDPR), breaking it up and decreasing the confusion that exists by providing straightforward practical advice. GDPR’s full official wording can be found here.
In the previous blog, we took a quick look at three important articles within GDPR: Article 15 – right of access, Article 16 – right to rectification, and Article 17 – right to erasure, and discussed what’s required for compliance. On to the next three…
Article 18 – Right to restriction of processing
This article relates to requests from individuals for their data not to be processed by your organisation, which includes not communicating with them for any reason outside of the request. During these times, you may store the data, but it cannot be used for any purpose or passed on to a third party. If a customer has requested that their data be rectified as per Article 16, the information cannot be processed until after the amendments have been made. If customers are happy for their details to be stored but not processed, you must be able to migrate the data to a system where it will not be processed, or have it clearly tagged so that it is not used. Output Management Solutions, for example, are able to create ‘DO NOT MAIL’ lists and will cross-reference the details on any communications that are processed to ensure they are not sent to those who have not consented.
Article 19 – Notification obligation
There are two strands to this. Firstly, any changes made to personal data – amendments or deletion – must be advised to the data subject, as well as to any recipients to which it has been disclosed (unless this “proves impossible or involves disproportionate effort”). Any changes in consent from the customer must also be communicated. Secondly, if requested, you must inform the data subject of the third parties their information has been shared with. Whatever is demanded, you have 28 days. It’s important for firms to have databases or CRM systems that can flag when data has been amended. This ensures that it isn’t missed and that subjects and third parties can be contacted within the timeframe. Communication templates streamline the process, ensure that all the necessary information is provided, and can be sent physically or digitally.
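The record-keeping described for Articles 16, 18 and 19 above (a restriction flag that suppresses processing, a ‘DO NOT MAIL’ style cross-reference on each mailing run, and notification tasks for the subject and every prior recipient when data is amended) can be sketched in code. This is an added illustration, not code from the original post or from any product; the field names, the `Subject` model and the sample records are constructed assumptions.

```python
"""Added example: minimal processing-restriction and notification bookkeeping.

A subject carries a processing status; a mailing batch is cross-referenced
against it, and any amendment raises Article 19 notifications with a 28-day
deadline. All names and data here are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta

NOTIFY_WINDOW_DAYS = 28  # timeframe stated in the post


@dataclass
class Subject:
    subject_id: str
    email: str
    restricted: bool = False             # Article 18: store, but do not process
    rectification_pending: bool = False  # Article 16 request not yet applied
    disclosed_to: set[str] = field(default_factory=set)  # third-party recipients


@dataclass
class Notification:
    target: str        # the data subject or a third-party recipient
    subject_id: str
    change: str
    due: date          # must be contacted by this date


def may_process(s: Subject) -> bool:
    """Processing is allowed only when no restriction or rectification is outstanding."""
    return not (s.restricted or s.rectification_pending)


def filter_mailing(batch: list[Subject]) -> tuple[list[str], list[str]]:
    """Cross-reference a mailing batch: addresses that may be sent vs. those held back."""
    send = [s.email for s in batch if may_process(s)]
    held = [s.email for s in batch if not may_process(s)]
    return send, held


def apply_amendment(s: Subject, new_email: str, today: date) -> list[Notification]:
    """Rectify the record, clear the pending flag and raise Article 19 notifications."""
    s.email = new_email
    s.rectification_pending = False
    due = today + timedelta(days=NOTIFY_WINDOW_DAYS)
    targets = [s.subject_id, *sorted(s.disclosed_to)]  # subject first, then recipients
    return [Notification(t, s.subject_id, "email rectified", due) for t in targets]


def recipients_report(s: Subject) -> list[str]:
    """Article 19, second strand: the third parties this subject's data was shared with."""
    return sorted(s.disclosed_to)
```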
Article 25 – Data protection by design
This article can be viewed as all-encompassing. In essence, GDPR states that an organisation processing and controlling data must build data protection into its internal processes. In order to be compliant, you must be able to provide evidence of the specific steps taken to build data protection compliance into those processes. For an organisation that has invested in GDPR-compliant technologies, such evidence can be easily provided: by adopting the solutions, you have already taken steps to make your internal processes more compliant. In the event of any investigation, cite the usage of these tools, as it will go some way to proving that you have taken appropriate steps towards data security.
In the next blog in this series, we’ll run through the seven steps you should take to bring you closer to GDPR compliance.