All companies that work with European clients have to comply with the General Data Protection Regulation (GDPR) from May 25, 2018. Some companies are already trying to be compliant with GDPR; some of them do not even know what that means.
Besides the fact that all of them must comply with GDPR, there are also other recommendations that show your company is not abusing personal data.
We need to be aware that a personal data owner's consent is only valid for the purpose of the current business, i.e. the purpose for which you obtained the person's consent. So you are not allowed to use their personal data for other purposes.
Everything is clear and your company is following the regulation.
But can you prove this? Are you sure that your company is compliant with regulations?
Are you sure that somebody in your company who is not familiar with the regulations (maybe a person you will hire tomorrow) is not committing a breach?
This is what I will write about today.
Transparency of data processing and management is very important. It lets you control compliance with GDPR or ISO 27001 (the information security standard).
To be able to perform these checks you need to have logs, or even better, audit trails.
Audit trails will show you exactly what you did with personal data.
SO LET US START FROM THE BEGINNING.
WHAT IS PERSONAL DATA?
It is data that lets us, without too much effort, recognize or identify the person that this personal data belongs to.
This can primarily be name, surname, address and email address, but also other data like voice, phone number, educational titles, photos, health information, etc.
So you need to be very careful what personal data is in your case.
STEP 1. HOW TO START?
- Prepare a list of the records (evidence) where you keep personal data.
- Analyze what kind of personal data you are keeping.
- What are you doing with this data (processing, management, testing, ...), or why do you need this personal data?
- Who has permission to access these records?
These are the first questions that you need to answer before you can move forward.
STEP 2. – ASK YOURSELF IF YOU REALLY NEED ALL THIS DATA
Keep only the personal data that you need.
If the answer is YES, then you need to answer the following questions:
- Are you allowed to perform the whole process and all the jobs on the personal data you keep? If you have a contract that allows you to do that, everything is OK.
- If you do not have a contract that allows you to do that, then you need to get the consent of the personal data owners.
STEP 3. – YOU KNOW WHAT YOU ARE DOING AND YOU ARE ALLOWED TO DO IT.
How do you and the personal data owners know that all this is true and that you are not using their personal data for other purposes?
This answer is more difficult.
How can you show that everything that you are doing with personal data is what you are allowed to do?
You need to implement mechanisms that will track your actions on, and your processing of, personal data.
You can use logs. If you use logs, you need log management, because there are so many logs that you cannot check and read all of them.
I recommend that you use AUDIT TRAILS.
An audit trail is a mechanism that tracks all your actions and all values in one place.
You will know what data you have in your records, how this data was changed, who performed each action on the data, and the time at which the action was performed.
Also, when a personal data owner demands that you erase their personal data, you will be able to show that you performed this action.
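The following is an added example, not code from CONTROL+ or from this post, showing what such an audit trail can look like in practice: an append-only trail that records who did what to which record, when, with the old and new values and the purpose the action was done under, plus a record store that refuses actions whose purpose the owner never consented to and logs the refusal. It goes one step beyond the text by hash-chaining the entries so that later editing of the trail is detectable, and it deliberately keeps only field names (not values) in the erasure entry, so that the trail itself does not undo an erasure. All names, record ids and sample values are constructed for the example.

```python
"""Tamper-evident audit trail for a personal-data record store (added example)."""
import hashlib
import json
from dataclasses import dataclass, asdict, replace
from datetime import datetime, timezone
from typing import Any, Dict, List, Optional, Set


@dataclass(frozen=True)
class AuditEntry:
    seq: int
    timestamp: str
    actor: str
    action: str            # "create", "update", "erase" or "denied"
    record_id: str
    purpose: str           # the purpose the actor claimed for the action
    field: Optional[str]
    old_value: Any
    new_value: Any
    prev_hash: str         # hash of the previous entry (chain link)
    entry_hash: str        # hash of this entry's own content


class AuditTrail:
    """Append-only list of entries; each entry commits to the previous hash."""

    def __init__(self) -> None:
        self.entries: List[AuditEntry] = []

    @staticmethod
    def _digest(payload: Dict[str, Any]) -> str:
        # Canonical JSON so identical content always hashes identically.
        raw = json.dumps(payload, sort_keys=True, default=str).encode()
        return hashlib.sha256(raw).hexdigest()

    def append(self, actor: str, action: str, record_id: str, purpose: str,
               field: Optional[str] = None, old_value: Any = None,
               new_value: Any = None) -> AuditEntry:
        prev_hash = self.entries[-1].entry_hash if self.entries else "0" * 64
        body = {"seq": len(self.entries),
                "timestamp": datetime.now(timezone.utc).isoformat(),
                "actor": actor, "action": action, "record_id": record_id,
                "purpose": purpose, "field": field, "old_value": old_value,
                "new_value": new_value, "prev_hash": prev_hash}
        entry = AuditEntry(entry_hash=self._digest(body), **body)
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """Recompute the whole chain; False if any entry was edited or removed."""
        prev = "0" * 64
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in asdict(e).items() if k != "entry_hash"}
            if e.seq != i or e.prev_hash != prev or self._digest(body) != e.entry_hash:
                return False
            prev = e.entry_hash
        return True

    def history(self, record_id: str) -> List[AuditEntry]:
        return [e for e in self.entries if e.record_id == record_id]

    def erasure_evidence(self, record_id: str) -> Optional[AuditEntry]:
        """The entry proving an erasure request was carried out, if any."""
        return next((e for e in self.history(record_id) if e.action == "erase"), None)


class PersonalDataStore:
    """Records plus the set of purposes each data owner consented to."""

    def __init__(self, trail: AuditTrail) -> None:
        self.trail = trail
        self.records: Dict[str, Dict[str, Any]] = {}
        self.consented: Dict[str, Set[str]] = {}

    def _check_purpose(self, actor: str, record_id: str, purpose: str, action: str) -> None:
        if purpose not in self.consented.get(record_id, set()):
            # Refusals are logged too: they show attempted off-purpose use.
            self.trail.append(actor, "denied", record_id, purpose, new_value=f"attempted {action}")
            raise PermissionError(f"purpose {purpose!r} not consented for {record_id}")

    def create(self, actor: str, record_id: str, data: Dict[str, Any],
               consented: Set[str], purpose: str) -> None:
        self.consented[record_id] = set(consented)
        self._check_purpose(actor, record_id, purpose, "create")
        self.records[record_id] = dict(data)
        for k, v in data.items():
            self.trail.append(actor, "create", record_id, purpose, field=k, new_value=v)

    def update(self, actor: str, record_id: str, field: str, new_value: Any, purpose: str) -> None:
        self._check_purpose(actor, record_id, purpose, "update")
        old = self.records[record_id].get(field)
        self.records[record_id][field] = new_value
        self.trail.append(actor, "update", record_id, purpose, field=field,
                          old_value=old, new_value=new_value)

    def erase(self, actor: str, record_id: str) -> List[str]:
        """Erase on the owner's request. Only field names go into the trail,
        never the erased values, otherwise the trail would retain the data."""
        fields = sorted(self.records.pop(record_id, {}).keys())
        self.consented.pop(record_id, None)
        self.trail.append(actor, "erase", record_id, "owner_request", old_value=fields)
        return fields


def demo() -> Dict[str, Any]:
    """Create, update, refuse an off-purpose update, erase, then detect tampering."""
    trail, store = AuditTrail(), PersonalDataStore(AuditTrail())
    store.trail = trail
    # Constructed sample record; not real personal data.
    store.create("alice", "cust-1", {"email": "a@example.com", "phone": "+100"},
                 consented={"billing"}, purpose="billing")
    store.update("bob", "cust-1", "email", "b@example.com", purpose="billing")
    try:
        store.update("bob", "cust-1", "email", "c@example.com", purpose="marketing")
    except PermissionError:
        pass
    erased = store.erase("alice", "cust-1")
    tampered = AuditTrail()
    tampered.entries = list(trail.entries)
    tampered.entries[2] = replace(tampered.entries[2], actor="mallory")  # rewrite history
    return {"actions": [e.action for e in trail.history("cust-1")],
            "erased": erased, "intact": trail.verify(),
            "tamper_detected": not tampered.verify()}


if __name__ == "__main__":
    print(demo())
```

The purpose check is the part that answers the post's question "how do you show you are doing only what you are allowed to do": every action carries the purpose it was done under, the store compares it with the owner's consent before touching the record, and both the allowed actions and the refused ones end up in the same trail, which `verify()` can later show has not been rewritten.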
When a GDPR auditor comes to check compliance, you will have everything ready:
- What kind of personal data you are keeping and processing, and why.
- Where you are keeping this data.
- The owners' acceptance that you are allowed to manage their personal data records.
- Finally, and most importantly, you will show them that you are performing only those actions that you are allowed to perform.
In CONTROL+ we also thought about that, so we created an Audit trails module that gathers all actions and values performed on data in Control+, including actions on personal data.