From May, GDPR makes the management of personal data for all organisations an intensely regulated process. New specific and stringent regulations give EU citizens enhanced rights over the personal data being held on them. And when it comes to the definition of ‘personal data’, it’s detailed and prescriptive. Every business needs to tackle the data regulation and be compliant or face fines. To help business owners we have created a list of key questions about personal data that your business needs to answer:
What Personal Data is Being Regulated by GDPR?
In effect, every piece of data or information that can be used to identify an individual is regulated. Personally identifiable information (PII) can include:
- phone numbers
- email addresses
- social security numbers
- an IP address
- a user name
- a login ID
- a social media post
- a photograph.
Audio-visual, geolocation, biometric, ethnic, religious, sexual and behavioural data can also be classified as PII.
And individuals, or ‘data subjects’ as defined by GDPR, can be customers, staff and partners as well as ex-customers, ex-staff and ex-partners; all are entitled to know, on request, what information an organisation – public, private, sporting or charitable – holds on them.
20 Key Questions to Ask In Your Business About Handling Personal Data
This wide-ranging and far-reaching categorisation of data creates security and privacy challenges. Data encryption, security protocols, storage and transmission will be at the forefront of meeting compliance obligations – with every organisation needing to be able to answer these key questions:
#1. Is your data secured?
Is your data secured both physically and electronically and is all access to it safeguarded, logged and tracked?
#2. Are you restricting unauthorised access?
Are user privileges in place to restrict unauthorised access?
#3. Can data usage be restricted only to authorised users with appropriate privileges?
Do you have authorised access with appropriate privileges in place?
#4. Can data collected for different purposes be kept separate during processing?
Can you keep data separate as required?
#5. Can data be pseudonymised/anonymised?
Do you have the ability to pseudonymise or anonymise data so that it can’t be used to identify a specific individual?
#6. How are email attachments handled?
When attaching personal information to emails, where do those emails (and the attachments) go before reaching their destination?
#7. What data transmission controls do you have in place?
How often is personal data transmitted? How is it transmitted? Can data be read, copied, changed or deleted by unauthorised personnel during electronic transmission, when it’s being stored, shared and backed up? Where will the data being transmitted end up?
#8. Can data be encrypted?
Is your data encrypted – at rest, in transit or end to end?
#9. Where is the data storage hardware located?
Do you know the geographic location of the hardware that your data is stored on?
#10. Can data be shared securely?
Both internally and externally, with suppliers and partners?
#11. Can data and activities be audited?
Can you see whether data has been changed, shared, accessed, deleted or in any way interfered with, and by whom and from where?
#12. Are there backup plans in place?
Can data still be accessed after damage or loss?
#13. Are there data retention/deletion policies in place?
Can your company control these policies, especially with external service providers?
#14. Are your external service providers compliant?
Are they meeting their GDPR compliance obligations, even if they are non-EU companies?
#15. Are your contracts for external service providers up to date?
Contracts need to refer to GDPR requirements such as reporting data breaches quickly.
#16. Have you updated your business terms and conditions?
Have they been updated with respect to the collection of personal data and your privacy policies?
#17. Are you making it clear to your customers what you will do with their data?
Do prospects and customers know why you are collecting their data and what you will do with it?
#18. Have you implemented active consent to data collection?
Wherever your data collection touchpoints are, have you implemented active consent?
#19. Do you have a Subject Access Request (SAR) process in place?
Who will handle the SARs and ensure they are carried out within 30 days, as required by GDPR?
#20. Do you have a Data Breach Risk Plan in place?
Have you put in place a serious data breach risk plan? This includes PR and communications, customer communication, regulator communication, data security and so on.
How to Make Sure Your Data is GDPR Compliant
Moving forward, personal data will need to be stored securely, with auditable data management processes in place. This need not be a complex task, but it does need to be carried out to ensure efficient, law-abiding handling of data in the future.
When you understand how, why, where and when you’re holding personal data, and you put your data storage and processes in place, you’ll then be able to better manage compliance, as well as the requests and risks involved.
You’ll be prepared for SARs: you’ll be able to give data subjects access to their data, with a copy in a usable and portable form, as required by law. And if individuals want to exercise the ‘right to be forgotten’ – a right under the law – you’ll be able to identify and erase all of their data.
It will make data breaches less likely, and if they do happen it will provide invaluable documented mitigation for the regulator, lessening the probability of heavy fines or penalties.
Rinodrive has been built to meet these requirements. It can map and seamlessly ingest your company’s data into a dedicated secure infrastructure where you can start to answer yes to all the questions asked above. Try Rinodrive and discover for yourself that there’s an affordable and easily implemented solution.
Ready to give Rinodrive a go? Signing up for a free trial is just
Have you tackled identifying your GDPR regulated data? What’s your experience so far? Share your thoughts below.
Join our conversation ‘all about data’ on Twitter and LinkedIn. And keep up with what’s going on in the world of data by trusting us with your email for monthly mailings (and we store it on Rinodrive so it’s super safe).