Back to Blog

Knowing Me. Knowing You... GDPR

Post by |

Knowing Me

The new General Data Protection Regulations (GDPR) comes into force on May 25th 2018 and from that point on, data subjects (i.e. You and I) have new rights related to how our data is managed by organisations.

If you're an organisation that holds data (and which one's don't?), then you need to start getting to know how you're holding this data, so that you can be assured that you're not doing things wrong.

For example; Do you know:

  • What kinds of data you hold? (Financial? Personal? Sensitive?)
  • Where the data is held? (Saying "The Cloud" is not adequate)
  • Who has access to it? (Suppliers? All employees? Partners?)
  • What security controls you have surrounding it? (ISO27001?)
  • What the retention period of the data is? (6months for CVs? 7 years for client records?)

Knowing You

It's clear that the more we know about someone, the easier it is to do business with them and to provide services that are tailored to their individual requirements. But getting to know someone means collecting more and more information about the data subject. However, that also means we need to know how to keep that data safe and what the rights of the individuals are.

Under GDPR we are required to seek 'Consent' through a Privacy Notice, which is transparent, intelligible and easily accessible; and is written in clear and plain language, particularly if addressed to a child.

Under the new Regulations, Data Subjects have the following 'rights';

The Right to...

  • be informed -
    • Organisations must provide 'fair processing information', typically through a privacy notice.
  • access
    • Subjects can request what is being held on them, and won't be charged for accessing it.
  • rectification
    • Have information corrected, if it is incorrect. It must be rectified without undue delay.
  • erasure
    • Subjects can request to 'be forgotten' and ask for the deletion or removal of their personal data.
  • restrict processing
    • Individuals can restrict what organisations do with their data and how they process it.
  • data portability
    • Subjects cab obtain their personal data for their own purposes across different services
  • object
    • Subjects can object to the use of their data, for example for 'direct marketing' (including profiling)
  • automated decision making and profiling
    • To prevent the use of automated decision making systems

This privacy notice needs to clearly explain what data you are holding ('informed'), who has access to it and how it is being accessed.

Getting to know you, the Data Subject now requires businesses to know the rights of data subject. If you don't take the time to do this, then you may find yourself falling foul of the GDPR, so doesn't it make sense to start today, getting to know me, knowing you.

As they say in the song ... "Knowing me, knowing you, It's the best you can do".

Written by Gary Hibberd, Managing Director of Agenci.

Agenci provide Cyber Security consultancy services and assistance on GDPR compliance

About the Author:

Gary Hibberd was appointed as Managing Director of Agenci back in 2012. Gary’s passion for all things cyber was sparked in 1985 when he began his career as a programmer. As a result of that passion Gary went on to become a renowned expert on ISO 27001 and GDPR. Today, Gary is a passionate practitioner and regular speaker on cyber security.

Gary speaks across the Globe to both large and small business as well as private and public organisations. He loves to engage the next generation of cyber experts speaking in schools, colleges and universities. As part of his busy life Gary has authored books on cyber security and business continuity as well as contributing to government initiatives on cyber security and counter terrorism. If that wasn’t enough in his personal life Gary is an avid obstacle race participant and fitness fanatic. Gary can count the Worlds Longest Obstacle race amongst his many personal achievements.

| See all our contributors
Back to Blog