If you have "purpose" as a drop-down list in your ROPA or Data Mapping, you may well be heading in the wrong direction on compliance.
It's always good to try to control and standardise the information within our systems; from a GDPR and software development perspective, it's how we can predict what information will be entered and how we can risk-assess and classify fields. Nothing grates more than looking down the columns of a spreadsheet (or system) and seeing variations of the same data. However, there is one area that has little or no place for a drop-down list…
And that is the section that holds the "Purpose" for collecting, transmitting and processing data. I am not a Solicitor. I am a Solutions Analyst who has lived and breathed data protection for decades, working primarily on the operational side of Data Protection. I work with various organisations, focusing on the implementation of software, data mapping and helping businesses align GDPR with their existing processes. I have seen numerous spreadsheets and systems that capture information around processing activities, and they all seem to make the same assumption around "purpose": that it is generalised and often in the form of a drop-down list.
Deciding the purpose of data within an existing process that has been in place for some time can be one of the most difficult things to articulate, as it is not always obvious. However, if you can't document it properly, how will you let people know the purpose their data is being used for?
Entering "business purposes" or "HR purposes" may fit nicely into your spreadsheet or GDPR compliance system, but this is far too general to let you or the individual know the actual purpose for which their data is being processed. The less information you have in there, the higher the risk of non-compliance.
Here is a good example of a purpose that will be relevant to some businesses:
Sales Enquiry & Customer Service handling via written, telephone, email and/or live chat.
To respond, provide support, and make assessments and recommendations around the products and services we provide. To provide reporting and statistical analysis for staffing levels, identify customer trends and measure the effectiveness of marketing campaigns. To monitor service quality, make improvements and identify training requirements.
It may not look so pretty in your Excel spreadsheet, but it is much more effective in terms of compliance.
If you find this tip useful, please like and let me know. You can also find further tips on my website.
As a human race, we are constantly striving for easier ways of doing things: simpler, faster and more practical. Thanks to better tech, you can now interact with people globally and instantly with the click of a few buttons.
Likewise, you can also move physically quickly due to advances in transportation technology. When it comes to the age-old practice of banking, the same is now happening.
Provided you have the necessities (a passport, a residential address and a mobile phone), you can now open a bank account within minutes. This is brought about by a Fintech offering better known as Open Banking.
No one disputes the importance of guarding the privacy of consumer information. But the recently enacted California Consumer Privacy Act (CCPA) threatens businesses with potentially crippling liabilities, while also harming consumers who benefit from innovation (including new ways to use data to offer personalized services and product recommendations) and enjoy free services made possible by data collection, processing and usage.
Over the past few weeks I have read many posts here on LinkedIn about IT Security and whether we go back to the basics and start all over again. I did comment on one of the posts, saying that going back to the basics is not the answer and that new technology can protect your business, but every day since writing this it really did make me wonder what is required for businesses in today's new landscape. So I decided to go back to the basics and look at it from a different perspective, and each time I got a different analysis. Here is why!
Scottish Enterprise and Scottish Development International work to support Scottish businesses in capitalising on data to drive productivity and business growth and to attract global investors; this represents a £20-billion opportunity for Scotland over the next five years. This is quite a bold statement, given that it again means monetising individuals' personal data.
Will the PCI and GDPR fines outweigh this 20-billion opportunity over the next 10 years? Breaches and criminal activity have trebled in the last year alone, and consumers are now wise to not sharing their data because companies capitalise on it. What will the legal statistics look like moving forward when consumers take these companies to court for mishandling, tracking and sharing their data without their consent?
A CEO needs to understand every part and function of the business: accounting, finance, HR, marketing, legal, operations, supply chain, sales, and yes, information technology, especially considering the dominant role technology is playing in the course of day-to-day business, as well as in disrupting existing businesses.
CEOs often rely on their department heads and other senior executives to be the deeper experts in their domains (chief marketing officer, chief financial officer, chief information officer, chief technology officer, etc.), but they ultimately have to weigh in and make the final decision on crucial investments and strategy.
Ethics is a reflection of our commitment to doing business the right way. We emphasise trust and transparency - and we reward our people based on not only what is achieved, but how it is achieved.
As the threat landscape continues to grow at an exponential rate, the lack of trust and the privacy and security concerns grow at the same rate. There are inherent risks in sharing data, which is why it is critical to develop the processes and governance underpinning the technical connections; the need for guardrails to protect the privacy and security of personal data creates a formidable infrastructure challenge.
Plans to introduce a new digital reporting system for personal income tax assessment have been put on hold after HM Revenue & Customs said it needed to focus its efforts on preparing for Brexit.
The General Data Protection Regulation, commonly known simply as the GDPR, represents a significant modernisation of data protection law, one that takes into account significant new developments in technology and new uses of personal data that simply did not exist at the time of the current legislation, the Data Protection Act 1998.
The GDPR brings with it a number of changes and improvements to data protection law including:
Enhanced documentation and record-keeping requirements;
Enhanced privacy notice (or "fair processing notice") requirements;
Enhanced rights for data subjects;
New rules requiring the appointment of Data Protection Officers;
A mandatory requirement to notify the ICO (and data subjects in certain cases) of any breach of data subjects' data;
Tough new penalties for failure to comply with the law.
All our business packs now include a living (live) GDPR policy document that is continually being updated until implementation on 25 May 2018.
Our best-selling pack, at only £100, includes company policies as well as a GDPR audit report, a business continuity template, SAR requests, SAR letters, Data Processing Agreements and Privacy and Cookie Policies.