GDPR – 8 Questions to Get Off to a Better Start
After a study showed that only 15% of people felt they had control over the information they provided to companies, the European Commission knew they had to do something. The General Data Protection Regulation, or GDPR to close friends, was their answer. GDPR protects the privacy of EU residents, but its implications touch any organization that collects data from EU citizens. It may seem like a burden, but it’s also an opportunity to make good Information Governance practices a priority. Let’s take a look at 8 key questions that will help you get your GDPR efforts off to a strong start.
A bit of GDPR vocabulary before we get started
To understand GDPR, you need to understand a few key terms that are at the heart of the regulation:
A data subject is a person whose personal data is being collected, held, or processed.
Personal data means any information relating to an identified or identifiable natural person such as name, address, localization, online identifier, health information, income, cultural profile, and more.
Data processing is any operation performed on personal data from collection to destruction, including recording, organization, structuring, storage, adaptation, or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, and restriction.
A data controller is an entity, a person, or a group, determining the purposes and means of processing personal data.
A data processor is an entity, a person, or a group, processing the data on behalf of the controller.
Now we’re ready to move on to our questions.
1. What’s in your data?
The first step on your GDPR compliance journey is inventorying the data held by your organization. Classify information and identify what is personal, then what is sensitive, and what relates to individuals under the age of 16. Download our Data Audit Worksheet to get a head start.
2. Why are you collecting this data?
GDPR requires that personal data be processed only for the purpose clearly stated at the moment of the collection. Data that no longer serves the purpose it was intended for should be deleted. You should also make sure that every record includes the purpose of the collection so that you can demonstrate compliance. If you have piles of old customer data sitting around for no apparent purpose, this could be a problem.
3. How was the data collected?
4. Can you identify when the data was collected?
Including the time of the collection in personal information records is now a requirement. Knowing when data was collected is key to having a data lifecycle policy. When the reason for collection expires, the data has to be deleted unless it is retained to comply with another regulation.
5. Who is responsible for identifying the data types you store?
The person responsible for identifying the data types you store is called the data controller. They are also accountable for the purpose and means of data collection. They have to ensure that processes are documented, that the data processor uses the data appropriately, and that proper protection mechanisms and policies are in place.
6. What are you doing with your data?
How is the data you’re collecting being used? Is it only stored? Or is it used? Is this personal data used to send yearly thank you cards to customers or to launch targeted marketing campaigns every month? Is the data sent or sold to third parties? Answering these questions is important as these variables make the difference between having to appoint a data protection officer to monitor compliance, or not.
7. Are mechanisms in place to respect the rights of the data subjects?
Under GDPR, data subjects have rights. Here are some of them:
To be notified within 72 hours of the detection of a data breach concerning them.
To access and review information about themselves.
To give their information to another organization, for example, if they’d like to switch to a competitor.
To be forgotten, meaning they can have all data collected about themselves deleted.
To correct information.
To restrict the processing of their data. An example of this is opting out of a newsletter mailing list.
To object to automated decisions made through data analysis. For example, a decision to grant or deny a bank loan based on profiling of social media data.
One approach to delivering on all these data subject rights is the creation of a portal where data subjects can view their collected data, correct it, delete it, control how they want it processed, withdraw their consent, send it to another organization, and be notified in case of a breach.
8. Can you demonstrate compliance to authorities?
GDPR compliance processes have to be fully documented, compliance audits have to leave a trail, and all personal and sensitive information held has to be listed. A data breach will not necessarily result in a fine if you can demonstrate you’ve met all the requirements.
GDPR – A headache or opportunity? Maybe both?
Now that you’ve answered these eight questions, you are a step further in structuring your GDPR efforts. (Download our GDPR Awareness Poster to help educate your coworkers.) Remember that even if GDPR causes short-term headaches, it’s a great opportunity to improve Information Governance practices and increase public trust in your organization. In this era of data leaks and abuse, being trusted and following good business practices have never been more important. Take this opportunity to improve your reputation and grow as a result.