In this blog, we look at GDPR and some of the challenges the new ‘right to be forgotten’ may pose, and how Systems Integration may help with compliance.
What is GDPR?
The General Data Protection Regulations (GDPR) come into force on 25th May 2018. They are designed to bring together existing Data Protection laws across Europe and harmonise them. The Data Protection Act 1998 already protects personal data stored in electronic format or in organised paper files. It provides guidelines to companies about how they can collect, store and process personal data and GDPR re-confirms many of those principles. There are some changes though. Apart from substantially increasing the amount a company can be fined for breaching the regulations and altering the requirements around obtaining consent, GDPR creates three new rights and these are what may be likely to cause problems for companies. The three new rights are: the right to be forgotten; the right to restrict processing; the right to data portability. This blog focuses mainly on the ‘right to be forgotten’ and some of the questions to ask yourself when reviewing how your systems and software can help you to become GDPR compliant.
The Right to be Forgotten
This is also being referred to as ‘the right to be erased’. The perception of the consumer is that this means you, as a company, must delete all of the personal data you hold on an individual at their request. And to an extent, this may be true. Where you hold data purely for marketing and analysis purposes, it should be easy to comply with the request. It can still be complicated though, if you have shared the data with a third party (or even parties) the request to be erased must also be communicated to them.
If you are a company who processes personal information on line, for example on social networks or forums, you are likely to face the most challenges as you must try to comply with the requirement for yourself, and third parties who process the data, to erase links, copies or replication of the personal data.
There is also the question of what happens where you have collected, stored and processed the data in order to fulfil a contract with the individual – such as to provide an ongoing service, or to supply goods or information? The chances are the data will now be held across multiple systems and you may need to hold on to some of that data beyond the end of the contract for legitimate business purposes: in fact you may have a legal obligation to hold onto it. In this situation, the right to be forgotten can be refused although you should be aware that you can only retain data that is needed for that specific purpose: so, for example, is a profile picture really required for accounting purposes?
You also need to communicate to the individual what you are deleting and, more importantly, what you are retaining, why and for how long.
You can find lots of useful information about GDPR and how to be compliant from the Information Commissioners Office
You may already be working with integrated systems that automate many of your processes and it is worth investigating the current capability of those systems and the feasibility of extending and/or further integrating to help with GDPR compliance.
When you are looking at your existing software and systems, it may be useful to ask yourself the following:
Who do I share data with? Consider this question in terms of external and internal stakeholders. With either, you should only share the data that they actually need in order to be able to complete the purpose of their task. So again, accounts don’t need profile pictures or dates of birth, for example. Is your system capable of splitting or screening data, or can anyone who accesses the system see the full customer record?
What do I need to do to effectively delete personal data? If you hold data on several systems and have several data entry points, is all the data held accurate and up to date? Is your system capable of retrieving all the data held on an individual and will deleting it off one system remove it from all others (or not, as appropriate).
How will I communicate with third parties and the individual? When you receive a request under the right to be forgotten, how will this be communicated to both external and internal stakeholders? Is your current system capable of auto generating appropriate correspondence and perhaps triggering an appropriate process?
Subject Access Requests (SAR) Individuals also have the right to request a copy of any data you hold on them (and in most cases you can no longer make a charge for complying with an SAR). Is your software capable of generating correspondence and ID verification processes as well as easily retrieving all of the data you hold across all of your systems and then supplying it in a structure commonly used and in machine readable form, as required by GDPR? Where a company is likely to receive a high number of SARs is it feasible and/or desirable to enable individuals secure access to their data on line?
Archives and Backups How easy is it to access and retrieve an individual’s personal data from your archives and backups? As backups are intended only to be held for a short time and for a legitimate purpose, you may be able to justify not retrieving and deleting personal data from them. A word of caution though – if that disaster does happen and you use a backup to restore the system, you will have to ensure that any data held that has been subject to a request to be erased is retrieved and deleted again. So if it is appropriate to delete a record from a live system, it should also be deleted from a backup.
Archives are a little different as they tend to be around a lot longer and used for a variety of purposes. When taking the decision to archive personal data consideration must be given as to what purposes the archive will be used for. The data stored in an archive must be relevant and limited to what is necessary. Article 21 enables an individual to raise an objection and the storing and processing of the data then becomes subject to a balancing test: the interest in the processing must not be overridden by the resulting risk to the individual’s rights and freedoms. Because archives last for a long time, the security risk is greater and the balance is likely to be in favour of the individual.
Even where you can argue an exception for continuing to store and/or process data in the face of a request to be forgotten, you will need to review the data held to ensure you are only continuing to use data that is absolutely necessary for that purpose. And did you know that a business email address containing an individual’s name classes as personal data and is caught within GDPR?
Working towards being GDPR compliant may provide the perfect opportunity to review all your systems and processes, locking in other efficiency improvements at the same time.
Roar IT offer a free Systems Survey that will help you to carry out an analysis of your systems and software, providing a report that will help you to plan out future actions and developments. To book an appointment, email firstname.lastname@example.org or call Judy on 07472 972439.
Roar IT Ltd – specialists in Systems Integration and Bespoke Software solutions.