How to fully secure Personally Identifiable Information so it's GDPR safe
As the GDPR launch date rolls ever closer, many small businesses are only just realising they still have some work to do when it comes to compliance.
One of the biggest changes for SMEs surrounds Personally Identifiable Information (PII) and an individual's Right to be Forgotten. These regulations are expected to have a huge impact on organisations that hold data covered by the GDPR.
Here we look at what PII and the Right to be Forgotten really mean, and how you can ensure you are on the road to compliance.
What is Personally Identifiable Information?
This is any information or data that could put a person in Europe at risk, regardless of whether you store it or merely process it, and regardless of whether you work with or use that data inside Europe or not. It’s important to note that it’s no longer just information like a person’s name or date of birth, but also metadata, IP addresses, mobile IMEIs, cookies, and biometric data. In addition, there’s sensitive personal data, a special category of personal data that will be subject to additional protections and restrictions. It includes racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, sexual orientation and data concerning the person’s sex life, genetic data and biometric data.
What is the Right to be Forgotten?
This essentially means that every individual (or data subject) has the right to obtain the removal of any personal data from your business without undue delay. Additionally, it means that any data you held should be erased in the following circumstances: the personal data is no longer necessary for what it was collected for, the individual objects to the processing of their data and there are no legitimate grounds for the processing, or the data has been unlawfully processed.
What are the impacts on small businesses?
The regulations in relation to both of these terms will put extra pressure on businesses and organisations of all sizes as they will need to look at how they retain data, as well as how they find it and use it.
1. Data will need to be analysed and organised systematically
Currently, many organisations do not know whether they actually still hold a given piece of data and, if so, where it is located. Added to this, they may not know what the data consists of or how it is processed. If you don’t know these two things, compliance with the GDPR is going to be impossible.
The impact on your business could be large, in terms of both time and resources. SMEs will need to organise and analyse their data to ensure they are aware of compliance issues and how they will rectify them. They will also need to have IT systems in place to ensure the data is managed properly going forward.
A good first step to compliance is to conduct a data discovery exercise. With this, you’ll be able to map out where any data covered under the GDPR is located, where it is coming from and going to, and the processing that it goes through. Once the data is analysed and classified you can look at how you manage access to the data, ensuring that you are taking the necessary security measures in line with the GDPR to keep it protected.
2. Data will need to be easy to correct and remove
Data protection rules state that you must:
- Acquire data and use it fairly
- Obtain it only for one or more explicitly specified and lawful purposes
- Keep it safe, accurate, secure, and up to date
- Make sure it is relevant and accurate
Out of all these rules, one of the most important is that you must keep data for the length of time it is necessary for its intended purpose, and no longer. You also need to ensure an individual has a copy of the data you hold on them and can request you change or remove their data in a reasonable amount of time.
For this reason, the right to be forgotten must be written into your business processes, IT systems, and organisational training. This may mean almost starting from scratch, and working with your HR, legal and IT people to create new processes. Data classification and organisation is key, and being able to take corrective actions (to delete or update data) expeditiously is of paramount importance.
How to lessen the impact of GDPR right now, and moving forward…
The Information Commissioner’s Office has come up with some recommendations for businesses looking to lessen the impact of the GDPR.
1. Always think about whether you need to collect information about people. Only ask for details when necessary.
2. When you obtain Personally Identifiable Information, people should know who you are and what you’re going to do with that information. It should be clear and prominent at the time of requesting information.
3. Once you have collected PII, you are legally obliged to keep it secure. Ask an IT provider for advice on encrypting information, and make sure anyone with access to this information is trained to keep data secure.
4. Use written contracts with subcontractors at all times to ensure that any Personally Identifiable Information you share with them is looked after properly and in line with the GDPR.
5. Always give customers a clear choice over receiving emails of any kind from your company and give them the opportunity to easily unsubscribe.
6. Websites that show third-party content (like adverts) should act as a single point of contact for content displayed on the site. Ensure you have adequate procedures in place if a customer objects to your third-party content.
7. Only collect the information you use. If you no longer require the data then stop collecting or using it and dispose of it in line with the regulations.
8. Understand that people have a right to access the information you hold on them. Ensure your team knows what a ‘subject access request’ is and how to deal with it.
9. Encourage customers to check the information you hold on them. For example, provide access to account details online and allow them to update and correct records that are wrong.
Interested in learning more about how changing your IT systems and processes can help you comply with the GDPR? We can help! Give us a call or contact us using our online form now to arrange a quick chat about your requirements.