G, D, P and R. Four letters that are terrifying companies across Europe and beyond. The General Data Protection Regulation, which comes into force on 25 May, is the EU’s new measure for protecting the personal data of individuals and replaces the data protection directive. It is both extensive and mysterious.
And therein lies part of the problem. Part of what is worrying organisations is the perceived lack of clarity in what the regulation requires. When you’ve got major outlets like ITProPortal asking “GDPR compliance: Do you know what you don’t know?”, you know people are getting twitchy. Fortunately, the Information Commissioner’s Office (ICO) has outlined some of the biggest changes that organisations will have to deal with to prepare for GDPR, all with the aim of showing how simple the process can be.
Let’s take a look at some of those changes and how they show how tricky the process can be, after which we’ll explain why you needn’t worry about them anyway…
- Consent requires a positive opt-in. Don’t use pre-ticked boxes or any other method of default consent.
- Individuals have the right to access their personal data and supplementary information.
- GDPR gives individuals the right to have personal data rectified.
- The right to erasure is also known as ‘the right to be forgotten’. The broad principle underpinning this right is to enable an individual to request the deletion or removal of personal data where there is no compelling reason for its continued processing.
- Individuals have a right to ‘block’ or suppress processing of personal data.
- The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services.
- Under GDPR, you have a general obligation to implement technical and organisational measures to show that you have considered and integrated data protection into your processing activities.
- GDPR makes it a requirement that organisations appoint a data protection officer (DPO) in some circumstances.
- GDPR imposes restrictions on the transfer of personal data outside the European Union, to third countries or international organisations.
- GDPR will introduce a duty on all organisations to report certain types of data breach to the relevant supervisory authority.
So yeah, if you can just get all that boxed off (along with the rest of the regulation), you’ll be well on your way.
Or you could just let Peak help!
Here’s the deal: we know that GDPR is complex and varies in requirements from organisation to organisation. We also know that organisations can’t necessarily be sure that they’re doing everything right and may not know how on earth to keep track of whether they’re staying compliant, let alone how to actually do it.
Fortunately, Peak’s artificial intelligence machine is on top of all things from a data point of view. It’s been designed to hunt out personal data from anywhere in an organisation’s data footprint. It monitors every table in every database, keeping an eye out for any new data which could breach GDPR. When changes are detected, the data is classified and the risk factor is assessed to help meet the obligations of GDPR. Any high-risk personal data fields can be flagged for action, with the whole process continuously repeated to make sure that data always remains GDPR-compliant.