GDPR: this is the beginning, not the end.
Now that the GDPR deadline has passed, everyone can breathe a big sigh of relief that it’s all over. Not quite. As the ICO has said, “The creation of the Data Protection Act 2018 is not an end point, it’s just the beginning”. Some of the implications of the regulation will now be tested as the public become more aware of their rights. The number of complaints made to the ICO about data protection has almost tripled compared with the same period last year (see FT article). For many organisations that will come in the form of a Subject Access Request (see previous article).
Retrieving information from databases to fulfil a Subject Access Request.
A Subject Access Request allows a member of the public to apply for the information that your organisation holds on them and then ask you to amend, freeze, or delete anything that relates to them. On top of that, the data minimisation and storage limitation principles of GDPR require personal data to be purged from an organisation’s systems once it is no longer needed (the consent emails everyone received were about the separate question of lawful basis). This means you only keep data that is relevant to your current needs, so that in the event of a breach, attackers can only access 200 records, not 2 million. Purging data becomes all the more difficult when that information is held in different systems, and sometimes duplicated on paper records. You would also need to provide proof that the request has been actioned, which is hard to do for a record you have already deleted unless you keep an audit entry of the deletion that itself contains no personal data (a request reference, a timestamp and the action taken is enough).
The issue with databases.
The inherent problem is that databases are huge vacuum cleaners designed to suck up every bit of information in case you might need it. Fields are often cross-referenced for convenience and ease of reporting. Most databases will refuse to delete a record that other tables still reference (a foreign-key constraint), so a customer record with invoices, notes or activities attached cannot simply be removed, and a database that silently allows the delete leaves orphaned rows behind instead.
With enterprise-level software all the relevant communications can be stored in one place (see Service Modular software). Information such as names, phone numbers, documents, emails, attachments, accounting records, notes and activities can all be found in a single relational database, allowing for instant access. This not only provides a standard library of information for the whole organisation, but also provides a quick and easy way to reply to Subject Access Requests. If the data subject wishes to act on that information, you then have an adequate tool for amending, deleting or anonymising their information. Anonymising is the usual answer where a hard delete is blocked by dependencies: the personal fields are erased in place, the record keeps its key so that accounting rows still resolve, and nothing identifiable remains.
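The following is an added example, not code from the original article or from any product it mentions. It shows, on an in-memory SQLite database, why a customer record with dependent accounting rows cannot be hard-deleted, and how the request is fulfilled instead by anonymising the personal fields in place and writing an audit entry that contains no personal data. The table names, column names, sample rows and the `sar_audit` table are all assumptions made for illustration.

```python
"""
Added example (not from the original article): fulfilling a Subject Access
Request against a database with foreign-key dependencies.

  1. export everything held about the data subject (the SAR response),
  2. attempt a hard delete, which the referencing invoices block,
  3. anonymise the personal fields in place so the invoices still resolve,
  4. record the action in an audit table that holds no personal data.

Schema, column names and sample rows are assumptions for illustration.
"""
import hashlib
import sqlite3
from datetime import datetime, timezone

# Assumed schema. ON DELETE RESTRICT mirrors the "record has dependencies"
# behaviour the article describes.
SCHEMA = """
CREATE TABLE contacts (
    id    INTEGER PRIMARY KEY,
    name  TEXT,
    email TEXT,
    phone TEXT,
    notes TEXT
);
CREATE TABLE invoices (
    id         INTEGER PRIMARY KEY,
    contact_id INTEGER NOT NULL REFERENCES contacts(id) ON DELETE RESTRICT,
    amount     REAL NOT NULL
);
CREATE TABLE sar_audit (
    id           INTEGER PRIMARY KEY,
    request_ref  TEXT NOT NULL,   -- the SAR reference, not the person
    contact_id   INTEGER NOT NULL,-- internal key only; the row is anonymised
    action       TEXT NOT NULL,
    performed_at TEXT NOT NULL,
    evidence     TEXT NOT NULL    -- hash of the anonymised row, no PII
);
"""


def open_db():
    """Create the assumed schema with constructed sample data (not real records)."""
    conn = sqlite3.connect(":memory:")
    # SQLite ignores foreign keys unless this is set per connection; without it
    # the DELETE below would succeed and silently orphan the invoices.
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA)
    conn.execute(
        "INSERT INTO contacts VALUES (1, 'Jane Doe', 'jane@example.com', "
        "'01234 567890', 'Prefers email')"
    )
    conn.execute("INSERT INTO invoices VALUES (10, 1, 120.0)")
    conn.commit()
    return conn


def export_subject_data(conn, contact_id):
    """Gather everything held about one data subject for the SAR response."""
    contact = conn.execute(
        "SELECT name, email, phone, notes FROM contacts WHERE id = ?",
        (contact_id,),
    ).fetchone()
    invoices = conn.execute(
        "SELECT id, amount FROM invoices WHERE contact_id = ?", (contact_id,)
    ).fetchall()
    return {"contact": contact, "invoices": invoices}


def try_delete(conn, contact_id):
    """Attempt a hard delete; returns False when dependent rows block it."""
    try:
        with conn:  # commits on success, rolls back on error
            conn.execute("DELETE FROM contacts WHERE id = ?", (contact_id,))
        return True
    except sqlite3.IntegrityError:
        return False


def anonymise(conn, contact_id, request_ref):
    """Erase the personal fields in place and record the action.

    The row and its key survive so invoices still resolve; the audit entry
    stores a hash of the anonymised row as evidence rather than any personal
    data. Returns the evidence hash.
    """
    placeholder = f"erased-{contact_id}"  # assumed convention for erased names
    with conn:
        conn.execute(
            "UPDATE contacts SET name = ?, email = NULL, phone = NULL, "
            "notes = NULL WHERE id = ?",
            (placeholder, contact_id),
        )
        row = conn.execute(
            "SELECT * FROM contacts WHERE id = ?", (contact_id,)
        ).fetchone()
        evidence = hashlib.sha256(repr(row).encode()).hexdigest()
        conn.execute(
            "INSERT INTO sar_audit (request_ref, contact_id, action, "
            "performed_at, evidence) VALUES (?, ?, ?, ?, ?)",
            (request_ref, contact_id, "anonymised",
             datetime.now(timezone.utc).isoformat(), evidence),
        )
    return evidence


if __name__ == "__main__":
    db = open_db()
    print("Held data:", export_subject_data(db, 1))
    print("Hard delete succeeded:", try_delete(db, 1))
    print("Evidence:", anonymise(db, 1, "SAR-0001"))
    print("After anonymising:", export_subject_data(db, 1))
```

The audit row is what you hand back as proof the request was actioned: it names the request, the action and the time, and the evidence hash can be recomputed from the anonymised row to show that nothing identifiable remains, without the audit table itself becoming another store of personal data.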
If you need our assistance in getting your organisation GDPR compliant, please see our introductory offer and Services page. Further information is available in our FAQ section, and useful tools in Downloads.
Next in the series: “GDPR compliant software: an example”.