GDPR Focus – What Information Do You Hold?
The deadline is now fast approaching to identify the missing links and make the necessary changes to comply with GDPR in relation to how you collect, store, manage and use Personally Identifiable Information (PII) within your business.
Following the 2-year post-adoption grace period, the GDPR penalties will become fully enforced throughout the European Union from the 25th May 2018.
Once you start to analyse what the key changes are – you will find that activities and processes your business carries out as part of their usual routine could be considered as serious breaches under the GDPR.
Taking steps now to make the necessary changes will avoid you being faced with fines of up to 4% of your annual turnover or €20 million (whichever is higher).
This is the second of a series of articles we will publish, focussing on the different topics relating to the regulation. With many companies still unclear on what they need to do, here are some thoughts on one of the key points – identifying the information you are holding.
You will need to keep documents of what information you are holding, where it came from and who you are sharing it with.
It’s a good idea to carry out an information audit as GDPR requires that you hold records of all activities relating to the data you process. This is a good opportunity to evaluate what information you gather and establish what is your legitimate reason for doing so in the first place.
This is important as you need to identify what data you hold and who you have shared it with – as you will need to update any inaccuracies with those organisations too.
In order to comply with the Accountability principle with the GDPR regulation, it’s essential to document your findings. Putting effective policies and procedures in place is a good place to start.
So, what information are you holding?
If you can identify an individual from the data held, then the data is “personal information” and will fall within the scope of GDPR. For the purposes of GDPR, PII is defined into two categories; Personal Data and Sensitive Data.
Personal Data
This is any information that relates to an identifiable person (who must be living). They are referred to in the regulation as a ‘Data Subject’.
Personal Data can be obvious like name, address, an ID number, location data, online identifier (such as email address, cookie information or IP address) or less obvious such as information relating to the physical, physiological, genetic, mental, economic, cultural or social identity of the person.
Sensitive Data
This is when the identifiable information relating to the individual is particularly sensitive. The fines levied when breaches occur with information classed as sensitive are higher and they have additional rules and processing regulations.
Examples of sensitive data include Racial or Ethnic origin, Political opinion (unless the individual is a member of a political party), Religious or Political beliefs (unless the individual is affiliated with a church), Trade Union membership, Genetic/Biometric data, Health-related, Sex-life or Sexual Orientation.
Businesses will need to be mindful of the cost implications to their business relating to implementing the new transparency and individual’s rights policies – which may need additional investment on IT, resources, communications and governance.
This article is not a definitive list of the GDPR regulation, just a thought-provoking article to help raise awareness for identifying exactly what information your business holds.
You can find out more information regarding GDPR on the Information Commissioner’s Office (ICO) Website – the UK’s Independent Authority.
If you require assistance to identify, archive, obfuscate or encrypt your data to comply with the new regulation get in touch with our friendly team.