Mark from All My Systems talks about how you need to change the way you collect and store data to be GDPR compliant.
GDPR applies to personal data, but what exactly is personal data?
It’s any data which relates to an identifiable person.
This could be things like:
- Purchase records
- Feedback forms
- Mailing lists
Basically, any data which can be used to identify a person.
So, where do I start?
Well, first of all, you need to review your current data protection policies. Then identify all the systems you store data in, such as:
- Email databases
- Finance systems, and
- HR systems
Then identify exactly what data you’re collecting and how you use it. Look at each field you collect and ask why you collect it.
So, I know about the data I hold, what next?
You must have gained consent for each person’s record you’ve stored.
Consent must be freely given, specific, informed, and unambiguous. So:
- People must opt-in to giving you data. You can’t make assumptions or use pre-ticked boxes.
- To be compliant, your system must show exactly how you obtained consent.
Also, you need to be able to deal with requests:
- All staff must be trained and understand their responsibilities for GDPR requests.
- People now have the right to be forgotten, and it is expected that this will happen immediately. You must be sure that your system can do this.
- People have the right to ask for a copy of all the data you hold about them. You’ll need to know how to find all that data, and then present it to people in a machine-readable format.
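The three system capabilities described above (evidence of how consent was obtained, erasure on request, and a machine-readable export of everything held) are easier to reason about in code. The following is an added example written for this page, not code from All My Systems or from the video; it uses an in-memory store with constructed sample data in place of the real email, finance and HR systems, and the form identifier, consent wording and the hashed erasure log are assumptions made here, not requirements stated on the page.

```python
import hashlib
import json
from dataclasses import dataclass, field, asdict
from datetime import datetime, timezone


@dataclass
class Consent:
    """Evidence of one opt-in: what was agreed, where, when, and the exact wording shown."""
    purpose: str        # e.g. "marketing_email"
    source: str         # hypothetical form identifier, e.g. "signup_form_v3"
    statement: str      # the text the person actually agreed to
    granted_at: str     # ISO 8601 UTC timestamp


@dataclass
class Person:
    """One person's record: every field is personal data under GDPR."""
    email: str
    name: str
    consents: list = field(default_factory=list)
    purchases: list = field(default_factory=list)
    feedback: list = field(default_factory=list)


class PersonalDataStore:
    """In-memory stand-in (constructed for this example) for the systems the page lists."""

    def __init__(self):
        self._people = {}
        # Erasure log keeps only a hash of the key, never the personal data itself.
        self.erasure_log = []

    def record_consent(self, email, name, purpose, source, statement, opted_in):
        # Consent must be an explicit, unambiguous opt-in: a default or
        # pre-ticked value must never produce a consent record.
        if opted_in is not True:
            raise ValueError("consent requires an explicit opt-in")
        person = self._people.setdefault(email, Person(email=email, name=name))
        person.consents.append(Consent(
            purpose=purpose,
            source=source,
            statement=statement,
            granted_at=datetime.now(timezone.utc).isoformat(),
        ))
        return person

    def has_consent(self, email, purpose):
        person = self._people.get(email)
        return person is not None and any(c.purpose == purpose for c in person.consents)

    def consent_evidence(self, email, purpose):
        """Show exactly how consent was obtained (for an audit or a dispute)."""
        person = self._people.get(email)
        if person is None:
            return None
        return [asdict(c) for c in person.consents if c.purpose == purpose]

    def add_purchase(self, email, item, amount):
        self._people[email].purchases.append({"item": item, "amount": amount})

    def add_feedback(self, email, text):
        self._people[email].feedback.append(text)

    def export_subject_data(self, email):
        """Subject access request: everything held about the person, as JSON."""
        person = self._people.get(email)
        if person is None:
            return None
        return json.dumps(asdict(person), indent=2, sort_keys=True)

    def erase(self, email):
        """Right to be forgotten: delete the record and keep only a hashed audit entry."""
        if email not in self._people:
            return False
        del self._people[email]
        self.erasure_log.append({
            "subject_hash": hashlib.sha256(email.lower().encode()).hexdigest(),
            "erased_at": datetime.now(timezone.utc).isoformat(),
        })
        return True

    def subject_exists(self, email):
        return email in self._people


if __name__ == "__main__":
    store = PersonalDataStore()
    # Constructed sample data, not real customer records.
    store.record_consent("ann@example.com", "Ann", "marketing_email",
                         "signup_form_v3", "Yes, email me offers", True)
    store.add_purchase("ann@example.com", "widget", 9.99)
    print(store.export_subject_data("ann@example.com"))
    print("erased:", store.erase("ann@example.com"))
```

The design point is that consent is stored as evidence (source, wording, timestamp) rather than as a bare flag, so the system can show how it was obtained; erasure removes the whole record rather than a single field; and the export is one call over every table that holds the person's data, so nothing is missed when a request arrives. The hashed erasure log is pseudonymous rather than anonymous, so it still needs to be treated as personal data in your own review.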
Have a look at Don’t Fear GDPR – Episode 13