To understand the principles behind GDPR, consider that any personal data you hold has been loaned to you by the individual it describes, who remains in control of who has it and what is done with it. Where you rely on consent to use personal data, that consent must be freely given, and the purpose for which the data will be used must be made clear.
The subject (the person whose data you have stored) has specific rights with respect to their data. These include:
Do not underestimate the task of controlling personal data in line with the GDPR: anyone holding any volume of records will need appropriate database functions to do it. To implement compliance within a database system, the following functions will need to be reviewed and implemented where necessary:
The technical measures required to maintain compliance will include installing and maintaining security controls such as firewalls, applying software updates promptly, and encrypting mobile devices and stored data.
The requirement for data erasure can be met, whilst maintaining database integrity, through tokenization of personal data. This is the process of substituting personal data with a 'token' such as a number or pseudonym, so that the individual identifiers are removed while the transactional data that references the record remains, in line with the General Data Protection Regulation. For this to count as erasure, the process must not be reversible: any mapping or key that would allow the token to be linked back to the individual must itself be destroyed.
A further technical requirement of GDPR is the right to portability. To comply, data must be made available in a form that can be loaded into alternative systems, using commonly available electronic formats. To meet this requirement, open standards should be used where they exist, and it is likely that this requirement will drive the creation of further open standard data interchange formats. Within this scope is not only textual data but also other files, documents and images.
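As an added illustration (example code written for this edit, not OpusVL's software), the following Python script shows both of the points above on an in-memory SQLite database: erasure by tokenization that leaves the orders table's foreign keys intact and is made irreversible by destroying the reversal mapping, and a portability export of one subject's records as JSON. The schema, table names and sample customers are constructed assumptions for the example.

```python
# Added example (not OpusVL's code): erasing a data subject's identifiers by
# irreversible tokenization while keeping transactional rows intact, plus a
# JSON export of the subject's records for portability.  The schema, table
# names and sample rows below are constructed for illustration only.
import json
import secrets
import sqlite3


def build_db() -> sqlite3.Connection:
    """In-memory database: customers, their orders, and a token vault."""
    con = sqlite3.connect(":memory:")
    con.row_factory = sqlite3.Row
    con.execute("PRAGMA foreign_keys = ON")
    con.executescript("""
        CREATE TABLE customer (
            id    INTEGER PRIMARY KEY,
            name  TEXT NOT NULL,
            email TEXT NOT NULL
        );
        CREATE TABLE orders (
            id          INTEGER PRIMARY KEY,
            customer_id INTEGER NOT NULL REFERENCES customer(id),
            amount      REAL NOT NULL,
            placed_on   TEXT NOT NULL
        );
        -- Reversal mapping token -> original identifiers.  Kept apart from the
        -- main tables and tightly access-controlled; deleting a row here is
        -- what makes the pseudonymisation irreversible.
        CREATE TABLE token_vault (
            token TEXT PRIMARY KEY,
            name  TEXT NOT NULL,
            email TEXT NOT NULL
        );
        INSERT INTO customer VALUES (1, 'Alice Example', 'alice@example.com');
        INSERT INTO customer VALUES (2, 'Bob Example',   'bob@example.com');
        INSERT INTO orders VALUES (10, 1, 19.99, '2016-09-01');
        INSERT INTO orders VALUES (11, 1,  5.00, '2016-09-14');
        INSERT INTO orders VALUES (12, 2, 42.00, '2016-10-02');
    """)
    return con


def tokenise(con: sqlite3.Connection, customer_id: int) -> str:
    """Replace a customer's identifiers with a random token (reversible via the vault).

    A random token is used rather than a hash of the email address: a hash of a
    low-entropy identifier can be undone by hashing guessed candidates.
    """
    row = con.execute("SELECT name, email FROM customer WHERE id = ?", (customer_id,)).fetchone()
    if row is None:
        raise KeyError(customer_id)
    if row["name"].startswith("tok_"):      # already tokenised: reuse the token
        return row["name"]
    token = "tok_" + secrets.token_hex(16)
    with con:
        con.execute("INSERT INTO token_vault VALUES (?, ?, ?)", (token, row["name"], row["email"]))
        con.execute("UPDATE customer SET name = ?, email = ? WHERE id = ?", (token, token, customer_id))
    return token


def detokenise(con: sqlite3.Connection, token: str):
    """Recover the original identifiers, or None once the vault entry is gone."""
    row = con.execute("SELECT name, email FROM token_vault WHERE token = ?", (token,)).fetchone()
    return dict(row) if row else None


def erase(con: sqlite3.Connection, customer_id: int) -> str:
    """Honour an erasure request: tokenise, then destroy the reversal mapping.

    Orders keep their customer_id foreign key, so totals and audit trails still
    reconcile, but nothing in the database links the token back to a person.
    """
    token = tokenise(con, customer_id)
    with con:
        con.execute("DELETE FROM token_vault WHERE token = ?", (token,))
    return token


def export_subject_records(con: sqlite3.Connection, customer_id: int) -> dict:
    """All records held about one subject, as plain Python structures."""
    cust = con.execute("SELECT id, name, email FROM customer WHERE id = ?", (customer_id,)).fetchone()
    if cust is None:
        raise KeyError(customer_id)
    orders = con.execute(
        "SELECT id, amount, placed_on FROM orders WHERE customer_id = ? ORDER BY id", (customer_id,)
    ).fetchall()
    return {"customer": dict(cust), "orders": [dict(o) for o in orders]}


def export_subject(con: sqlite3.Connection, customer_id: int) -> str:
    """Portability export: the subject's records as a JSON document."""
    return json.dumps(export_subject_records(con, customer_id), indent=2, sort_keys=True)


def order_count(con: sqlite3.Connection, customer_id: int) -> int:
    return con.execute("SELECT COUNT(*) FROM orders WHERE customer_id = ?", (customer_id,)).fetchone()[0]


if __name__ == "__main__":
    con = build_db()
    print(export_subject(con, 1))                  # what the subject receives under portability
    token = erase(con, 1)
    print("after erasure:", export_subject_records(con, 1)["customer"])
    print("orders kept:", order_count(con, 1), "| reversible:", detokenise(con, token) is not None)
```

The vault in this example stands in for whatever reversal mechanism a real tokenization scheme uses (a mapping table or an encryption key); the erasure step is the same in either case, namely destroying that mechanism for the subject concerned and confirming afterwards that the token can no longer be resolved.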
It is imperative that businesses take steps to ensure they are ready for GDPR. Existing systems need to be evaluated to confirm that the regulation's requirements are met. Should you need to transition to new software to meet these demands, bear in mind that re-platforming can take between 9 and 18 months once a provider has been selected.
OpusVL are also supporting a series of informative GDPR events. These are free, but spaces are limited. You can find out more by visiting https://gdprready.co.uk/
To find out how we can help, you can visit our main website or get in touch on 01788 298 450
Posted by Lauren Westley on 13/10/2016