The advent of GDPR
Why is this all happening? In short, the rules have changed
You will have noticed the ‘We don’t want to lose you’ emails that have been doing the rounds. This is all part of an evaluation of companies’ personal data practices in order to prepare for the General Data Protection Regulation (GDPR) that comes into force on 25 May 2018.
There’s a lot of data out there. And it’s personal
The sheer amount of personal data in existence is staggering, as is the fact that it continues to grow at such a rapid rate. The regulation is a game-changer, calling for real accountability where personal data is concerned, as well as the ability to fulfil the new rights held by data subjects. In other words, the rights of the data citizen are at the heart of the changes.
What is 91ÂþÎÝ doing about it? The boring stuff (Part 1)
91ÂþÎÝ has created a personal data governance team with full executive sponsorship. The end goal was/is to review how personal data is housed, used and looked after. External advisors were brought in to understand the issues for 91ÂþÎÝ as a data controller and processor (of which we are both in different areas) and to identify what needs to be done in order to meet the new requirements.
And? More boring but important stuff (Part 2)
Terms and conditions governing the relationships between 91ÂþÎÝ and third parties were evaluated and updated. Data lifecycles and processes including security, client onboarding and data subject rights fulfilment were analysed and brought into line with best practice by specialist regulatory advisory firm Salvatore Ltd.
To conclude
Overall, 91ÂþÎÝ, along with many other companies are going through this process. This has resulted in it becoming an organisation that understands itself better from a data point of view, and that can only be a good thing. The work undertaken by the personal data governance team and advisors means 91ÂþÎÝ can offer services with confidence and can demonstrate full accountability for the personal data it holds, at the same time as being able to fulfil any personal data-related requests that a data subject may have.