If you hold personal information on your IT systems then you need to ensure this data is secure.
If you are reading this then you will know that the EU General Data Protection Regulation (GDPR) is now in full force and that your IT systems need to be compliant.
The GDPR is in place and the deadline for making any necessary changes was the 25th of May 2018.
After this date, the financial penalties for breaching the regulation are severe.
Why Do I Need To Comply?
GDPR is a regulation that will be enforced.
The Data Protection Act (DPA), which has now been replaced by the GDPR, carried fines of up to £500,000 for grave breaches.
From May 2018, if your business is found to breach the rules of the GDPR regulation you may face fines of up to €20m or 4% of your annual turnover (whichever is higher).
We think you’ll agree that’s reason enough to take immediate action.
What Do I Need To Do To Comply?
If you hold personally identifiable information (PII) on your IT systems (e.g. name, address, email, telephone number) then you need to ensure this data is secure.
You also need to be able to react to ‘Subject Access Requests’ by providing detailed information relating to the PII records you hold for an individual.
Equally, if an individual exercises their ‘Right to Erasure’ you have to stop processing their data, erase it in a timely fashion and be able to prove you have done so.
GDPR gives people greater protection and more control over what happens to their PII. You should also be aware that the new regulations don’t just apply to how your business collects and holds customer data; they are equally relevant to how you hold your employees’ data too.
It’s crucial to establish whether your business assumes the role of ‘Data Controller’ or ‘Data Processor’, as the roles are quite different. Contracts should clearly define the roles and responsibilities, as the Controller will be liable for any and all financial repercussions of a breach of the regulations.
You should also consider whether your business has an obligation to appoint a Data Protection Officer (DPO) – for some organisations, this will be mandatory.
Carry out a Data Protection Impact Assessment (DPIA) to identify risks to personal information. This is essential when designing new processes that carry a high risk of data breaches.
In summary, businesses must be able to facilitate the following:
- The Right to be Informed
- The Right of Access
- The Right to Rectification
- The Right to Erasure
- The Right to Restrict Processing
- The Right to Data Portability
- The Right to Object
- The Right to NOT be Subject to Automated Decision Making & Profiling
How we can help:
- Help you identify security issues with your systems and provide recommendations to secure your data.
- Work with you to identify all the application database tables that hold personal data.
- Help you identify why you have the data and whether you really need it, e.g. do you need customer order details beyond warranty periods?
- Code functions to remove or encrypt all of a customer’s data from your IT systems when/if requested. We will also provide audit reporting for these functions.
- Write functions to retain data that is legally required, e.g. invoice data.
- Write encryption/archiving functions for your transactional data so you do not hold customer data beyond legal retention periods.
- Write new solutions using the ‘Privacy by Design’ methodology – to prioritise privacy and data protection compliance from the start when a new system is being developed.
Over 10% of our staff are qualified to GDPR Practitioner level. We understand and work with business-critical applications and the data within those applications every day – it’s what we do!
Read our blog post ‘GDPR – Are you ready?’ here
Get in touch
Want to learn more about how we can help your business with GDPR compliance? Then get in touch with our team today.