The new General Data Protection Regulation (GDPR) comes into force on 25 May 2018, and from that point on data subjects (i.e. you and I) have new rights over how our data is managed by organisations.
If you're an organisation that holds data (and which ones don't?), then you need to start getting to know how you're holding this data, so that you can be assured that you're not doing things wrong.
For example, do you know:
- What kinds of data you hold? (Financial? Personal? Sensitive?)
- Where the data is held? (Saying "The Cloud" is not adequate)
- Who has access to it? (Suppliers? All employees? Partners?)
- What security controls you have surrounding it? (ISO27001?)
- What the retention period of the data is? (6 months for CVs? 7 years for client records?)
It's clear that the more we know about someone, the easier it is to do business with them and to provide services that are tailored to their individual requirements. But getting to know someone means collecting more and more information about the data subject. However, that also means we need to know how to keep that data safe and what the rights of the individuals are.
Under GDPR we are required to seek 'consent' through a privacy notice that is transparent, intelligible and easily accessible, and is written in clear and plain language, particularly if addressed to a child.
Under the new Regulation, data subjects have the following 'rights':
The right to...
- be informed
  - Organisations must provide 'fair processing information', typically through a privacy notice.
- access
  - Subjects can request what is being held on them, and won't be charged for accessing it.
- rectification
  - Subjects can have information corrected if it is incorrect. It must be rectified without undue delay.
- erasure
  - Subjects can request to 'be forgotten' and ask for the deletion or removal of their personal data.
- restrict processing
  - Individuals can restrict what organisations do with their data and how they process it.
- data portability
  - Subjects can obtain their personal data for their own purposes across different services.
- object
  - Subjects can object to the use of their data, for example for 'direct marketing' (including profiling).
- automated decision making and profiling
  - Subjects can prevent the use of automated decision-making systems on their data.
This privacy notice needs to clearly explain what data you are holding ('informed'), who has access to it and how it is being accessed.
Getting to know you, the data subject, now requires businesses to know the rights of the data subject. If you don't take the time to do this, then you may find yourself falling foul of the GDPR, so doesn't it make sense to start today: getting to know me, knowing you.
As they say in the song ... "Knowing me, knowing you, It's the best you can do".
Written by Gary Hibberd, Managing Director of Agenci.
Agenci provide cyber security consultancy services and assistance with GDPR compliance.