Due to new legislation introduced by the European Union regarding data protection, there are certain obligations that organisations, companies, and businesses must comply to, or face the sanctions that follow (Tier 1 & Tier 2). Companies must ensure their people, processes , security and technologies adhere to recommended standards. In this blog we will delve deeper into the necessary changes, and how our team here at Excelpoint, and our GDPR Software can help your business.
1 – Data Protection Officer
An organisation of any size may wish to appoint a Data Protection Officer or DPO. It doesn’t have to be a new staff member, it could be an existing one. According to the GDPR, Public Authorities, and Organisations that regularly monitor subjects or process sensitive data/records, as well as Organisations whose local authorities require them to, are obliged to appoint a Data Protection Officer.
2 – Record
The whole orientation and reason for the new legislation is the use, storage and sharing of data. It is vitally important that your business records all of its data activity/activities, consisting of, but not limited to:
- The data stored
- How it is used and processed
- The type of consent granted to store the data
- The data processor and the data controller
- The retention period of said data
In it’s basic and immediate form, Excelpoint’s Information Asset Register will allow the work to record information assets to be distributed across the organisation and will surface visibility of assets, problem area’s and progress towards compliance to the senior management team.Â
3 – Privacy Impact Assessments
To find and identify potential compliance risks, as well as to mitigate and/or resolve said risks, Privacy Impact Assessments should be completed, to ensure no articles or guidelines of the GDPR legislation are infringed upon, avoiding any warnings or sanctions (such as the tier 1 or tier 2 sanctions).
Excelpoint provides two basic forms of assessment covering the ICO recommended steps and Operational / Technical assessment. Once the work has been conducted on the basic assessments, this stage is followed up with a full assessment. The information mapped can record and categorise all of the relevant processes and statements to ensure compliance, such as the personal data, purpose of storing it, the legal basis of processing, necessity and proportionality statement, and risk assessments with ratings, as well as key people involved such as the data owner, the data processor, and any third parties. This full assessment forms the Article 30 Record.
4 – Subject Access Requests
Data subjects can submit Access Requests as well as enquiries to organisations to find out what data/details are being stored that concerns them. The data controllers must be able to confirm the existence of as well as provide a copy of the personal data requested, and answer any queries concerning the data, such as how it is processed and stored. As well as other rights Data Subjects also have the ‘Right to erasure’, an updated version of the 1995 Data Protection Act’s ‘Right to be Forgotten’, which ensures that any unnecessary customer data is deleted or removed, to the request of the data subject in hand, depending on the circumstances.
Our Specific Access Request Manager manages and records all personal data enquiries from start to finish, including the enquirer’s details, the enquiry type, as well as:
- Method of ID Verification
- Enquiry Categorisation
- Enquiry Type and Complexity
- Target Response Date/Deadline
- Automatic notifications to the subject making the request
- Automatic enquiry notifications for the Data OwnersÂ
- Automatic enquiry reminders to ensure compliance with the set timescales
- Records of all interactions regarding the enquiry
This capability can be extended into connection with the actual data repositories in order to automate the process of extracting required data and forming the “package” for the data subject, if required.
Â
5 – Notify
Data protection is of the highest importance, which is why any Data Breaches must be reported to the local Data Protection Authority within 72 hours (3 days) of the breach being found and/or made aware of. Should this timescale not be met, the organisation, business or company could face a Tier 2 fine, which is 10 million euros or 2% of annual global turnover of the previous year, whichever of the two is the greater value. Should the breach be more serious than this, a Tier 1 fine can be awarded, which is the greater value out of 20 million euros or 4% of annual global turnover from the previous year.
Excelpoint’s software solution also records all relevant details of data breaches, as well as automatically and instantly notifies the appropriate internal stakeholders, in addition to storing the details of the investigation and correction actions in respect of each data breach. The system also has the capability to create an incident in your corporate Incident Management system. This means that existing processes and procedures can be embraced.
6 – Privacy By Design
When creating or implementing a new products, projects and services, consider privacy risk. It is important to ensure that personal data is collected, stored and processed/used with privacy taken into account.
The Excelpoint system allows data stores, processes, sharing of data to be recorded, risk assessed, properly protected and all evidence recorded in the Information Asset Register from the very beginning and continue through to live operational use.
Conclusion
More and more businesses are challenged with meeting their legal obligations and are struggling to understand the operational difficulties of rolling out improved procedures, as the GDPR deadline (May 25, 2018) looms. Those that are yet to accommodate the new legislation are at risk; the longer they take, the more of an advantage their competition retains. Many organisations Excelpoint have worked with approached the GDPR challenge as “an obligation” but having been through the process many operational problems and inefficiencies have been uncovered, identified, assessed and resolved, delivering real benefits that were nothing to do with GDPR.
Make these 6 simple changes to your business, and GDPR will be no issue. Are you struggling to achieve compliance? Consider Excelpoint and our GDPR Software. Our team at Excelpoint continuously work to improve our software, so our solution always reflects the latest technology and working environments. For other information on GDPR click here.
