How GDPR Can Benefit Your Organisation
Since the GDPR came into law, you, like me, will probably have heard plenty of criticism of it and of data protection generally as an added burden on business and as too complex for the individual to use. While it can be a lot to take in at first, I want to discuss two of the GDPR rights and show how they highlight that the good data protection practices the GDPR requires are positives both for the individual and for your organisation.
The GDPR is a rights-based regulation that provides individuals with rights over how their data is processed.
We all have certain rights under the law as citizens, patients, consumers and so forth, and these rights allow us to do many things, such as express ourselves freely or enjoy protection as consumers. In a data protection context it is not so different. The GDPR provides rights for those whose personal data is being processed (data subjects), such as the right to be informed, to access their data, to have it rectified or erased, to restrict the processing, to make the data portable, to object, and rights in relation to automated decision-making and profiling.
I won’t go into all the rights, their nuances or the exceptions to them here, but upholding these rights is not only the law; it can also benefit the organisation. Here are two examples.
Take the right to be informed. Customers should never be surprised by how their data is used. A sure-fire way to lose your customer base is for them to find out belatedly that you have used their personal information in a way that was not compatible with what they originally agreed to and for which there is no legal basis. Therefore, by complying with the right to be informed you are not only processing the data legally but following sound business sense in telling the customer the exact ways in which you will use their data.
In complying with the right to be informed you should tell the data subject how their data is used from their first point of contact, through your privacy statement, website consent notices, marketing communications and fair processing notices (e.g. CCTV signage), amongst other channels. This ongoing communication on data protection builds a dialogue with the customer about what you do with their information and, if you do it correctly, it strengthens trust in how you do it because it puts the customer at ease.
On the right to access personal data, let me put this scenario to you: if someone was holding something important of yours and wouldn’t return it when you asked, you would probably be pretty annoyed. Therefore it’s common sense that if an organisation processes your personal data it should be transparent and return it on request. The right to access is for the person requesting (the data subject) to see their own personal data. It should never be used as a tool to see other people’s data, which should be redacted from the data returned to the data subject prior to handover.
Remember too that a subject access request should be completed within one month unless there is an extraordinary delay, which will need to be communicated. There are specific exceptions under which you may not have to complete an access request; however, you will need to be clear on these and check that they are compatible with current data protection legislation and, if necessary, with the National Supervisory Authority. If you must refuse an access request, you (the company) will need to prove the strong legal basis for not returning the data to the data subject on request.
Like the right to be informed, the subject access request process is a communication with your customers, and all interactions with your customers, regardless of their nature, should be positive and efficient if you want to retain their business.
The ability of an organisation to locate, redact and return information on request within a set timeframe, when done properly, is good for your business because it demonstrates working inter-departmental processes and data flows. An access request to a department will very quickly highlight any gaps in communication between teams or processors, and even deviations from storage procedures that need to be addressed. If the response is “I can’t find it but I know it’s there somewhere”, then you have a lot of work to do, not only in terms of GDPR but for other key company functions that require good record keeping.
If an access request comes in and you find out that staff are holding too much information or storing it for too long without reason, then it’s a sign that more training is needed on records management and possibly a review of existing procedures to achieve data minimisation and organisational standardisation.
For each right under the GDPR you can find a positive for your business that extends beyond data protection. Good data protection is not only the law; it can also add value, as a means to deepen the relationship between your organisation and the customer by demonstrating accountability, trust and transparency.
Enguard can assist with the issues which GDPR raises from audit, security, staff training to drafting policies and procedure. For further details please call us at Enguard on 0818 252 052 or email firstname.lastname@example.org. We would love to hear from you!
Disclaimer: Please note the above article is an opinion piece based on current sources of information available at time of publishing. It should not be read as legal, clinical or other form of technical advice for the processing of data by processors or controllers.