A Word on Trust
With GDPR in force, I believe that Trust is a new platinum standard for organisations. Stakeholder trust in how personal data is handled can be an important business differentiator. Tech companies can support their customers in delivering this trust, whilst at the same time differentiating and embellishing their own brand. This article highlights some of the key aspects to consider in achieving this. In essence, it is about the marketing messages you can create around GDPR.
The GDPR states that personal data should be accurate and, where necessary, kept up to date; it also states that inaccurate data should be erased or rectified without delay.
What can you promote to your customers in this area? Some aspects could include:
- Intuitive guidance on data entry within user interfaces, including field constraints and error-checking, with the same validation enforced server-side so that it cannot be bypassed by a client.
- Automated consistency checks that validate batches of new data against business rules on a schedule, with exceptions reported for correction.
- Use of workflows for data approval where verification by another person could be merited.
- The use of intelligent classification tools to assign metadata to content if your solution stores electronic files.
- Providing data subjects with secure self-service to view and update their own personal data; this is specifically encouraged by the GDPR.
Allied to this is the need to cater for data minimisation: ensuring that personal data are adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed. Offering the flexibility to add, restrict or retire data fields quickly is therefore important, so that a customer is never forced to collect more than a purpose requires.
Protecting the integrity and confidentiality of personal data is embedded within the GDPR. This requires appropriate technical and organisational measures to protect against unauthorised or unlawful processing and against accidental loss, destruction or damage.
Things to promote to your customers would include:
- Granular access controls and user permissions governing who may handle personal data, and how.
- Comprehensive audit trails and alerts.
- Offerings around the pseudonymisation and encryption of personal data.
- What is available in terms of business continuity, resilience, backup and recovery.
- Physical controls around your premises if you store data on site.
- Advertise the standards you conform to and any certifications you hold, such as ISO/IEC 27001 (with the ISO/IEC 27002 controls), ISO/IEC 27017 and 27018 for cloud services and cloud PII processors, the CSA Cloud Controls Matrix, PCI DSS etc.
- Your ability to provide all necessary information to support data protection impact assessments they may undertake when introducing your technology.
As a further note on standards, the ISO/IEC 27552 extension, in draft at the time of writing and since published as ISO/IEC 27701, explains how to ‘enhance’ (adapt and extend) an ISO/IEC 27001 Information Security Management System and the associated ISO/IEC 27002 controls to manage privacy as well as information security. There is also BS 10012, a best practice framework for a Personal Information Management System aligned to the principles of the EU GDPR; it outlines the core requirements organisations need to consider when collecting, storing, processing, retaining or disposing of personal records relating to individuals.
Another important consideration for security is your supply chain. Where sub-contractors are involved in processing personal data, this means obtaining written, contractual guarantees on security and related matters from them, and being fully transparent with your customers about which sub-processors you use, for what purpose, and where any outsourced storage is located.
Retention and Disposal
The GDPR has the core principle of storage limitation. It states that personal data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed. It does also allow data to be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research or statistical purposes, subject to the implementation of suitable security arrangements. Even so, there will be a need to remove certain types of personal data at the end of their retention period. These retention periods will be defined by your customers, based upon a mix of legal and regulatory obligations, business need and privacy considerations. There is also the data subject's right to erasure (the so-called ‘right to be forgotten’) in certain circumstances.
If you provide software solutions, whether managing content or structured data, it is therefore important to offer your clients capabilities to manage the disposal of superseded or ‘out-of-retention period’ personal data. This could include:
- The maintenance and application of retention policies to content or data sets.
- Depending upon circumstances, the ability to expunge specific items of personal data without necessarily removing a person’s whole record.
- Facilitating the actual destruction of content or data (for example by overwriting it, or by destroying the keys that protect it) rather than just ‘deletion’ that leaves the data recoverable.
- Workflows to facilitate disposal approval.
- The ability to place a legal hold on disposal activity for certain content or data sets.
- The maintenance of relevant audit trails.
- The ability to provide pseudonymisation or anonymisation capabilities for personal data retained for longer-term archival purposes.
You can also ensure that formal arrangements are in place to delete or return all the personal data to the controller, as required, after the end of the provision of services relating to the processing of that data.
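The disposal capabilities listed above, together with the pseudonymisation offering mentioned under integrity and confidentiality, can be made concrete in code. The following is an added example written for this page, not software from the article or from Informu Solutions. The records, processing purposes and retention periods are constructed for illustration, and the use of one HMAC key per data subject whose destruction renders the archive unlinkable (crypto-shredding) is a technique chosen here to show ‘destruction rather than deletion’; the article does not prescribe it.

```python
"""Retention-driven disposal with legal hold, field-level expunge, pseudonymised
archiving and key destruction. Added example on constructed data; the purposes
and retention periods are hypothetical."""
from __future__ import annotations
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import date, timedelta

# Hypothetical retention periods per processing purpose; in practice the
# controller sets these from legal, regulatory and business requirements.
RETENTION_DAYS = {"invoicing": 6 * 365, "marketing": 2 * 365}


@dataclass(frozen=True)
class Record:
    subject_id: str   # direct identifier, e.g. a customer number
    name: str
    email: str
    purpose: str      # selects the retention policy
    created: date
    country: str      # non-identifying attribute kept for statistics
    legal_hold: bool = False


class KeyStore:
    """One random key per data subject, held apart from the data. Pseudonym is
    HMAC-SHA256(key, subject_id): while the key exists the holder can re-link a
    pseudonym to its subject; destroying the key makes every pseudonym derived
    from it permanently unlinkable without rewriting the archive (crypto-shredding,
    a technique chosen for this example rather than one the article prescribes)."""

    def __init__(self) -> None:
        self._keys: dict[str, bytes] = {}

    def pseudonym(self, subject_id: str) -> str:
        key = self._keys.setdefault(subject_id, secrets.token_bytes(32))
        return hmac.new(key, subject_id.encode(), hashlib.sha256).hexdigest()

    def relink(self, subject_id: str, pseudonym: str) -> bool:
        """True only while the subject's key exists and reproduces the pseudonym."""
        key = self._keys.get(subject_id)
        if key is None:
            return False
        expected = hmac.new(key, subject_id.encode(), hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, pseudonym)

    def destroy(self, subject_id: str) -> None:
        self._keys.pop(subject_id, None)


def out_of_retention(rec: Record, today: date) -> bool:
    return today > rec.created + timedelta(days=RETENTION_DAYS[rec.purpose])


def to_archive(rec: Record, keys: KeyStore) -> dict:
    """Field-level expunge: drop direct identifiers, keep the pseudonym and the
    non-identifying fields needed for statistics."""
    return {"pseudonym": keys.pseudonym(rec.subject_id), "purpose": rec.purpose,
            "year": rec.created.year, "country": rec.country}


def run_disposal(records, keys: KeyStore, today: date, shred_keys: bool = True):
    """Apply the retention policy; return (retained, archive, audit). Held records
    are kept and logged; out-of-retention records are expunged and replaced by a
    pseudonymised archive entry; a subject's key is shredded only once none of
    their live records remain, so expunging one record keeps the rest linkable."""
    retained, archive, audit, disposed = [], [], [], set()
    for rec in records:
        if not out_of_retention(rec, today):
            retained.append(rec)
            continue
        pseud = keys.pseudonym(rec.subject_id)
        if rec.legal_hold:
            retained.append(rec)
            audit.append(f"{today} HOLD {pseud} purpose={rec.purpose}")
            continue
        archive.append(to_archive(rec, keys))
        disposed.add(rec.subject_id)
        # The audit trail names the pseudonym, never the identity, so it does
        # not itself become a fresh copy of the personal data just disposed of.
        audit.append(f"{today} EXPUNGE {pseud} purpose={rec.purpose}")
    if shred_keys:
        live = {r.subject_id for r in retained}
        for sid in sorted(disposed - live):
            pseud = keys.pseudonym(sid)  # still derivable here, not after destroy
            keys.destroy(sid)
            audit.append(f"{today} KEY_SHREDDED {pseud}")
    return retained, archive, audit


def sample_records() -> list[Record]:
    """Constructed sample data, not taken from the article."""
    return [
        Record("C-1001", "Alice Example", "alice@example.com", "invoicing", date(2015, 3, 1), "IE"),
        Record("C-1001", "Alice Example", "alice@example.com", "marketing", date(2022, 1, 10), "IE"),
        Record("C-1002", "Bob Example", "bob@example.com", "marketing", date(2019, 5, 5), "DE"),
        Record("C-1003", "Carol Example", "carol@example.com", "invoicing", date(2014, 7, 7), "FR", True),
    ]


def demo(today: date = date(2023, 6, 1)):
    keys = KeyStore()
    retained, archive, audit = run_disposal(sample_records(), keys, today)
    return retained, archive, audit, keys
```

Running `demo()` expunges Alice’s old invoicing record and Bob’s marketing record, keeps Carol’s record because of the legal hold, and shreds only Bob’s key, since Alice still has a live marketing record. Afterwards `keys.relink` succeeds for Alice’s archive entry and fails for Bob’s, which is the practical difference between a record that is merely flagged as deleted and one that has been destroyed. Two caveats for real deployments: the key store must be protected and backed up separately from the data, and key destruction is only destruction if the shredded keys are also purged from those backups.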
Data Subject Rights
The GDPR expands the rights of data subjects to control how their personal data is collected and processed.
Your customers would value any support you could give in areas such as:
- The right of access to personal data which have been collected concerning him or her, enabled by the capabilities you provide to classify, search for and retrieve data.
- The right to rectification without undue delay of inaccurate personal data, as discussed above.
- The right to erasure, as also discussed above.
- The right to data portability, enabled by the provision of intuitive and secure capabilities to provide the data subject (or perhaps a designated third party) with their personal data in a structured, commonly used and machine-readable format.
- Where your solution performs automated individual decision-making, including profiling, the ability in certain circumstances to suspend it and enable human intervention.
As already stated, self-service is highly desirable; the GDPR states that, where possible, the controller should be able to provide remote access to a secure system which would provide the data subject with direct access to his or her personal data.
Accountability and Transparency
In supporting your customers’ compliance efforts with GDPR, and entering a “partnership for privacy”, it is important to be able to demonstrate the measures and governance you have in place for your own business and operations. Such things could include:
- Privacy Notices
- Policies for Data Protection, Information Security and Records Management
- Staff Training on policies, procedures and processes
- Sub-Processor agreements
- Your own Data Subject Request Handling processes
- Data Breach and security incident management processes
- Maintenance of Records of Processing Activities under article 30 of the GDPR
More generally, where your customer is the data controller, be prepared to provide any required information and to contribute to audits, including inspections, conducted by the customer or an auditor it mandates.
Now that the GDPR is in force, it is a primary determinant in how a business operates, particularly in ensuring that data protection by design and default is hard-baked into culture, processes and systems. The trust you gain from helping your customers meet their obligations will hopefully, in turn, be rewarding in terms of both reputation and revenue.
About the Author: Reynold Leming
Reynold Leming has worked in the information services and records management industry for over 30 years. He sits on the Executive of the UK Information and Records Management Society, currently serving as their Conference Director. He is the owner of Informu Solutions, who provide information governance consultancy services and software systems for maintaining Records of Processing Activities under article 30 of the GDPR, together with data inventories and audit trails within an Information Asset Register.