ibd can help you to gain your necessary compliance
The Basics – A deep dive into the GDPR will reveal a plethora of Recitals and Articles that you do not need to know about at this stage. What you really need to know is:
- The 7 GDPR Principles
- The Rights of Consumers (‘Data Subjects’)
- What to do if you are requested to provide the data you hold regarding a particular Data Subject
How closely you are aligned to these 3 areas will determine the level of compliance and what you will need to do to gain and (most importantly) maintain your compliance.
The 7 GDPR principles affecting data processing are as follows:
- Processed lawfully, fairly and in a transparent manner
- Collected for specified, explicit and legitimate purposes
- Adequate, relevant and limited to what is necessary
- Accurate and, where necessary, kept up to date
- Retained only for as long as necessary
- Processed in an appropriate manner to maintain security
- The Organisation is totally accountable and must maintain documentation for every stage
The Rights of Data Subjects are as follows:
- Data portability
- The right to withdraw consent at any time
- The right to lodge a complaint with a supervisory authority
- Be informed of the existence of automated decision-making, including profiling, as well as the anticipated consequences
What to do if you are requested to provide the data you hold regarding a particular Data Subject
- Requests can come in any form even orally. You cannot ignore an oral request but it is not unreasonable to request it in writing. You can point the Data Subject to use a specific form but you cannot force them to use it.
Stage 2 – Validate the Data Subject
- Get them to prove their identity. If they are requesting through a representative, you have to gain proof of the validity of their representative and a clear link between the DSAR and the representative. Use two-step verification to avoid fraud, if possible.
Stage 3 – 3rd party information
- If the data requested comes with attached 3rd party information (e.g. an email to the DSAR but containing identities of other parties in the cc list) then this has to be discussed and validated with the Data Subject. In particular, if the request is for minors (under 16 under GDPR but under 13 in the UK) then the parent or guardian has to provide consent.
- If following the discussion on 3rd party information with the Data Subject, that Data Subject still wants the information then you have to either redact or delete information pertaining to 3rd parties or gain consent.
Stage 5 – Keep a record
- Always record all DSAR processes and interactions, especially in the case of Vexatious requests (see below)
You have one calendar month to provide the data
You cannot charge for providing data
- However, there may be cases where requests are ‘vexatious’.
- These are multiple recurring requests with unreasonable characteristics.
- In such cases, charges may be levied.
- The ICO can be consulted on such matters.
NEED TO KNOW MORE?
If you would like to know more about the finance subject area, please contact the ibd head office on 01223 597 845.
GDPR pages courtesy of Tim Cobley