The General Data Protection Regulation (GDPR) applies from 25 May 2018. It is now vital that businesses review how they handle and manage the personal data they collect.
What is GDPR?
The General Data Protection Regulation (GDPR) outlines the rights and responsibilities that a business has when collecting, using and protecting personal data. For any business that collects personal data it puts focus on the need for transparency, security and accountability by data controllers. The regulation also strengthens the rights of individuals in the EU by:
- Providing a “right to be forgotten”.
- Allowing easier access to any data of theirs a business may have.
- Requiring a lawful basis for every processing activity; where that basis is consent, the consent must be freely given, specific, informed and unambiguous, and can be withdrawn.
- Requiring a business to report a personal data breach to the supervisory authority within 72 hours of becoming aware of it, and to inform the affected individuals without undue delay where the breach is likely to put them at high risk.
The recommendation is to take a “Privacy by Design” and “Privacy by Default” approach to data to reduce potential problems with this regulation in the future.
Privacy by Design
This term is used to describe an approach to designing a system that takes privacy into account at every point of the process. It is less about bolting protection onto the data afterwards and more about designing the system so that as little personal data as possible is collected and retained in the first place, so there is less that needs protecting.
Privacy by Default
This term is used to describe the idea of using the strictest privacy settings by default for a user. This will be more noticeable in areas such as social media and marketing email lists, where a business is storing or publishing additional data that is not needed to sign up to the service.
How Does this Impact your Business?
Preparing your Business
The first step is to review your data for any Personally Identifiable Information (PII) you may be storing.
Personally Identifiable Information
This term refers to data that could be used to identify, locate or contact an individual in the EU (the regulation's term is "personal data"). This can range from names, date and place of birth, email and IP addresses through to financial or medical information.
It is vital that a business takes inventory of any PII within their business. This review should take into account questions such as:
- How did you obtain the data?
- Was the user notified that this data would be stored?
- Is there any clearly defined reason for this data to still be stored?
- How long do you plan to store the data?
- Is there a retention policy on this data to ensure it is removed when the retention period expires?
- Who has access to the data?
- Do third parties outside your business have access to this data?
Reviewing these questions with a GDPR consultant will give you an overview of the issues to be resolved.
Planning for the Future
Your business may need to have tighter controls on some data in order to avoid potential data protection issues going forward. These may include:
- Appointing a data protection officer
- Setting out clear processes for accessing personal data
- Strict policies for deleting, sharing and transferring data
- A process in place to handle data breaches
It is vital that these processes and policies are clearly defined from the outset.
Managing GDPR Going Forward
Monitoring and reporting will be integral to dealing with these changes within your business. For companies currently using SharePoint and reporting tools such as Power BI or SQL Server Reporting Services, these can be leveraged to provide your business with:
- Effective tracking and reporting of data breaches
- Approval workflows to manage data access requests
- Team sites to store documentation on data policies
Microsoft have provided an Activity Hub as a starting point for this. Consulting with a SharePoint architect who is well versed in GDPR can provide additional changes to better fit your company's needs.
GDPR is a big change for any business dealing with personal data. It is vital that you take a proactive approach to dealing with it. Investing time and effort now into the processes and policies you implement will ensure they are robust and maintainable going forward.
Author: Ian Jones, Software Developer, Aspira