The GDPR legislation coming into effect in May 2018 grants more rights to the individual regarding any personal data held by an organisation, and every business needs to be able to address and manage these rights in order to be compliant. One such ruling is that the individual has the right to request from an organisation details of the personal information they hold, and the reasons why they hold it.
At a glance, this may seem straightforward, but when you consider the vast amount of data that is collected over time – through voluntary submissions or marketing and research – and the number of ways in which this information is collected, it is not so simple.
Often, an organisation will have gathered an enormous amount of personal data on an individual, but may not even know how much it holds or where it is stored. This must change: if an individual presents a legitimate request for the data held, the organisation needs to be able to address it adequately.
Under the General Data Protection Regulation, an individual has the right to request their data, and also:
- The right to be forgotten
- The right to have access to that data in a readable format
- The right to object to profiling
In broad terms, this means that, if an individual requests the data you hold about them, your organisation needs to be able to identify all of that information, access it, reproduce it for the individual, and explain both why you have it, and how it fits into the legal framework under GDPR as legitimate interest or lawful processing. This needs to be done within one month of the request.
In order to proactively prepare for such eventualities, you need to take the following steps:
Understand what needs to be done to comply with legislation regarding lawfulness, processing conditions and legal obligations
This requires an assessment of the organisation’s data processing policies and systems, and establishing the legal grounds on which you process the personal data you hold.
The grounds for lawful processing are:
- The data subject has given consent to the processing of his or her personal data for one or more specific purposes
- Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract
- Processing is necessary for compliance with a legal obligation to which the controller is subject
- Processing is necessary in order to protect the vital interests of the data subject or of another natural person
- Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
- Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
Put in place an IT solution that enables you to carry out any data request
This requires being able to actually carry out the request within the required time period.
The challenge for organisations will be to know what data they have, where it is stored, and how to retrieve it.
One advisable action to take when first preparing for GDPR is to audit the data you hold, and look at minimising it. Unnecessary personal information should be safely and securely deleted. It stands to reason that the less data you hold, the less you have to account for.
For example, if you receive a legitimate request from one of your clients or customers, or from an applicant applying for a job, they will want to know what information you hold on them. If you have already removed that information, you no longer have any requirement to supply it to that individual, and that is the end of the conversation.
If, however, you keep all the information about a person on file, you need to be able to know what is included in that information, where it is, how to access it, and also understand why you have it and how having it complies with legislation.
You then also need to put in place an IT solution that meets compliance, enabling you to find exactly what you, and the person requesting the data, are looking for, and provide it to them in a readable format in a way that doesn’t result in undue costs or disruption to your business.
Running test cases will enable you to see where any data gaps lie, and where IT upgrades or fixes need to be put in place.
Depending on the outcome of this data request, an individual may also exercise their right to be forgotten, i.e., to have all personal data you hold on them securely erased from your files. This too will require auditing your IT set-up to ensure that erasure can be done without affecting your overall system, and that the minimal record of the fact that this individual has made such a request is stored correctly and is accessible to the Data Controller or Data Protection Officer, without itself being categorised as ‘held’ data.
Help is at hand
Apart from the resources required to address data requests in a timely fashion, your IT set-up may be where most of your GDPR compliance costs will need to be invested.
It may be possible to upgrade the data protection systems you already have in place, but it is advisable to seek the advice of a certified GDPR consultancy. They can provide the practical help that will ensure you meet compliance standards on time, including performing a gap analysis, a data protection impact assessment, and risk and audit advice. They can also advise you on data storage, data compartmentalisation and access control.
This will help you to identify the steps you need to take and the processes to put in place to be ready for GDPR.
Find out what you need to do to take the first steps towards GDPR compliance and how certified GDPR experts pebble.it can help by downloading our free GDPR-readiness checklist: