GDPR Compliance Stage 2: Data management
GDPR compliance stage 2: consolidating and using your data
Welcome back to our series of blogs covering the knowledge you really need to comply with GDPR, the EU’s new General Data Protection Regulation.
Part one was a quick introduction to the new regulation, focused on the crucial importance of:
- Identifying all the PII (personally identifiable information) you have, whether as digital files or on paper
- Culling any data you can do without.
The next step covers organising and using this data. In the wording of the new regulation, what you do with data is known as ‘processing’.
Create your data governance plan
When the inventory is complete, it’s time to develop and implement a data governance plan. This enables you to define your organisation’s policies, roles and responsibilities for the access, management and use of personal data: a further stage towards ensuring that your data handling practices comply with the GDPR.
Organise and classify
Data classification is an important part of any data governance plan. Invest a little time creating a classification scheme that’s clear, easy to understand and applies throughout your organisation. You’ll be grateful you did so when you start to receive data subject requests – and find that you can respond quickly and simply.
Know your legal obligations
Under the Data Protection Act you already had legal obligations to data subjects (i.e. the people whose data you’re holding). The difference is that now, under GDPR, you have to be much more accountable and transparent, and your legal obligations are much more clearly spelt out.
The big six
The GDPR lists six lawful reasons for processing someone’s data. The key point is that at least one of these must apply before you can do anything with anyone’s information.
The ‘six lawful bases’ are:
- Consent: the individual has given you clear consent to process their personal data for a specific purpose.
- Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
- Legal obligation: the processing is necessary for you to comply with the law. This excludes contractual obligations.
- Vital interests: if the processing is necessary to protect someone’s life.
- Public task: this means that the processing is necessary to enable you to perform a task that’s in the public interest. Or it could be necessary for you to fulfil an official function. But only if the task or function has a clear basis in law.
- Legitimate interests: the processing is necessary for your legitimate interests or in the legitimate interests of a third party – unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (You cannot use this reason if you are a public authority processing data to perform your official tasks.)
All in one place
Everything about complying with GDPR is much simpler once you have integrated all your data in one place. A cloud-based ERP (Enterprise Resource Planning) application such as Microsoft Dynamics 365 is perfect for this. With GDPR going live on 25 May 2018, now could be a very timely moment to consider switching. At Fabric we are a Microsoft Gold Partner, perfectly placed to help with that.