The new General Data Protection Regulation (GDPR) puts an end to the discrepancies and data mishandling that were tolerated until now. Under the new rule, applicable throughout the EU (European Union), every gap in process management, global strategy and leadership has to be brought into line with the legislation.
It entails a major shift in strategic leadership and management.
Here are the steps:
#1. Awareness: The first step, before any other, is being aware of and acknowledging that GDPR has been rolled out. Organization leaders and C-suite officers have to come to terms with complying with every rule the law lays down. Of course, strategic leadership and management people have to burn the midnight oil, check the company’s risk register and identify the areas that need improvement.
#2. Information audit: You have to know even the smallest details of what data you possess and whom you share it with. Have the people handling global strategy and leadership conduct an information audit of the data you hold. If you share information with another company, you ought to tell them if some of your data is faulty. You have to abide by the accountability principle of the GDPR, which requires you to be able to demonstrate, on demand, that effective policies and procedures are in place.
#3. Communication: New information has to be included in the privacy notice, including the legal basis for holding the data, how it is processed, the data retention period, and a note that people can complain to the ICO (Information Commissioner’s Office) if they find something out of place.
#4. Individual rights: Check your procedures for these individual rights as stated by GDPR:
• The right to information
• The right of access
• The right to rectification
• The right to erasure
• The right to restrict processing
• The right to data portability
• The right to object
• The right not to be subject to automated decision-making including profiling
The right to data portability is new. Here is where it applies:
• Personal data provided to a controller by an individual
• Data processed for the performance of a contract or on the basis of the individual’s consent
• Data processed by automated means
You need to provide the data in a machine-readable form, free of charge. Align your global strategy and leadership on how to provide data when an ordinary person asks for it, who will make decisions about data deletion, and where the data that has been requested to be deleted is located.
#5. Grant Access Requests: Here are the rules you must be prepared for:
• No charge may be levied for complying with an individual’s request
• The current 40-day period for replying has been reduced to one month
• Requests that are complex or unfounded can be refused or charged for
• When refusing, you are supposed to let the party know the grounds for the refusal and that they can complain to a higher authority or seek a judicial remedy, all within a month.