Is your business prepared for GDPR?
Having just attended the GDPR Conference Europe, I came away with the feeling that a lot of businesses have not prepared for, or are not even aware of, GDPR. We believe live-docs is a solution to the impending regulatory problem, particularly in respect of legacy data.
I sat through an extremely informative and in-depth conference on GDPR in London last week, and a common theme was that a lot of businesses have not really prepared for this. Indeed, it was stated that those organisations that had not yet started to prepare for GDPR would not be ready when it is enforced in May 2018. So GDPR is LAW, and will NOT be affected by Brexit!
There will be severe penalties for organisations that breach the GDPR: 4% of global turnover or 20 million euros, whichever is greater.
It replaces the 1998 DPA. As an example, the £10.00 fee that the recipient can currently charge for a Subject Access Request (SAR) is to be abolished. SARs will be free and they must be responded to within 30 days (down from 40 days). At the conference, an NHS manager from the North of England explained that his NHS trust received 500 SARs a month. They can charge £10 per request at the moment, which, whilst not covering their costs, goes some way to help. Come May 2018, they will have to satisfy each SAR within 30 days without making an admin charge. Clearly, there will be an increase in SARs because of the removal of this £10 charge, and even if some of the SARs are ‘spurious’ or ‘repetitive’ (in which case the regulation allows for the recipient to note as such and be exempt from the 30 day notification), each SAR needs to be investigated and therefore, in this example, the NHS trust will incur additional costs.
Another element of the regulation concerns the rights of the individual or data subject:
1. The right to be informed
2. The right of access
3. The right to rectification
4. The right to erasure (AKA the right to be forgotten)
5. The right to restrict processing
6. The right to data portability
7. The right to object
8. Rights in relation to automated decision making and profiling
To take one of the rights stated above in more detail, e.g. number 6, the right to data portability: this allows individuals to obtain and re-use their personal data for their own purposes across different services. It allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability.
To give a possible example, let’s say a lawyer represents a client in a court case and the client decides to change lawyers. The lawyer is obliged to collect all the data and ‘port’ it to the client or maybe their new lawyer. The regulation asks for the personal data to be in a structured, commonly used and machine-readable form. Open formats include CSV files. Machine-readable means that the information is structured so that software can extract specific elements of the data. This enables other organisations to use the data. This information must be provided free of charge.
Imagine it is a complex case and the data relating to it is stored in archive boxes in a warehouse; perhaps some of it has been archived and is considered legacy data. The boxes must be retrieved from the warehouse, and the pertinent files extracted and digitised to enable them to be ‘ported’ to the client or their new lawyer.
Legacy data can be anywhere in a business. As well as the example above of paper files in archive boxes, it could be on shared drives, e-mail systems or old computer systems, all of which may contain personal data that must comply with the regulation. Unfortunately, the old concept of security by obscurity no longer applies.
Our company, CH Digital, can provide enhanced digitisation services, or advice to those organisations wishing to digitise themselves. Our product, live-docs, can handle all aspects of legacy data. As it is cloud-based and built on ‘open source technologies’ using Linux OS and PostgreSQL, we believe that it will comply with the requirements of GDPR, particularly in the context of legacy data.