The General Data Protection Regulation (GDPR), coming into force in May 2018, is an evolution of the existing Data Protection Directive from 1995, harmonising and unifying, under a common framework, the customer rights covering the handling and processing of personal and sensitive personal data.
Spanning 99 articles, the GDPR covers the rights enjoyed by individuals and the responsibilities levied upon data processors and handlers, including simplified access to the information being held, strictly controlled customer-driven consent for the treatment, use and transfer of said collected data, enhanced rights to be permanently forgotten and a significantly expanded sanction framework for defaulting organisations.
There is simply no escaping the reach of the GDPR, regardless of the size of the organisation. Larger entities, especially those with more than 250 employees, have the added onus of maintaining documentary evidence on how, why and for how long individual information is being collected and processed, appointing a dedicated Data Protection Officer and producing systematic descriptions of the technical security measures adopted to prevent leaks or breaches.
However, smaller and even micro enterprises are equally tasked with similar obligations: positive opt-in consent, data handling reporting, full and correct response to Subject Access Requests within a set timeframe of one calendar month and at no cost to the requesting individual, and the prevention of destruction, loss, alteration, unauthorised disclosure of, or access to the data held.
The impact in the case of SMEs is obvious and far from negligible: the additional workload required by the one-size-fits-all approach may prove too onerous and taxing on smaller entities which, beyond not having the required internal processes and resources, may also require an entire overhaul of the storage and management of their customer information.
What is becoming ever more apparent, with the 25 May 2018 deadline looming ever closer, is that the overwhelming majority of organisations are simply not ready and cannot realistically hope to avoid falling foul of the provisions and the serious penalties contemplated by the GDPR.
The solution? Innovation through automation. The Aqubix GDPR Auto provides a unique solution through which the otherwise impossible task of manually complying with the framework and maintaining ongoing records is handled automatically, maintaining full audit trails and notifications and providing automated reporting, all the while centralising the management of all personal data held in a secure repository.
Starting from the initial embedded legal audit assessment, GDPR Auto enables operations of any size and type to carry out a fully automated audit on the data held, including the identification of the ideal policies to implement and providing templates required.
In turn, with processes in place, GDPR Auto allows for individual and bulk opt-in consent and re-consent where applicable, across all aspects of the data being held. This feature enables the instant identification of what data is authorised for which specific use, instantly excluding non-permitted utilisation and flagging the requirement for individual assent for purposes not yet contemplated and agreed to by the customer, ensuring full compliance with the legal provision.
All such information transactions, be they positively authorised or declined, are held in a tamper-proof, secured audit trail, managing the entire repository of data being handled and providing the instant ability to demonstrate compliance with the GDPR. In the event of breaches or lapses, GDPR Auto will in turn instantly raise alert-based notifications requiring immediate action.
The audit trail further includes the full list of actions undertaken by the DPO, whether these were prompted by the system or manually overridden, enabling a seamless reporting trail for use both at corporate level and especially at regulator level if and when the need arises.
Beyond ensuring internal compliance for the management of data being held, GDPR Auto also automatically registers and handles Subject Access Requests (SARs) as received from individuals, as well as the servicing of portability requests, allowing for the peace of mind that the timeframes stipulated by the regulation are strictly adhered to without further taxing and straining internal resources.
These customer-driven requests will also trigger notifications, delivered both within the system and via email to the departments concerned to ensure prompt action, as will additional requests for data removal (complying with the right to be forgotten) and requests for anonymisation and pseudonymisation, each coming complete with a fully recorded and audited history of the actions taken.