The adoption of GDPR has significantly increased general awareness of the importance of personal data, at the same time imposing arduous duties upon businesses. Although the legislation has been in force for years, many companies still keep a record of personal data in a spreadsheet and process the information with very little technological support.
In such cases, data protection can incur disproportionately high costs. It is therefore worth considering automating this area with a suitable program for the DPO (data protection officer) and the DC (data controller).
What is GDPR/personal data?
GDPR is a regulation issued by the European Parliament and the Council of the European Union that governs the processing of personal data by companies and other legal entities. Since its introduction, GDPR has become synonymous with all data protection regulations – national, EU, and those resulting from international agreements.
Under the legislation, personal data is any information that identifies a specific person. This may include: name, personal identification number, identity card or driving license number, log-in details or video footage. If the data is sufficient to identify a particular person, it is personal data.
This very broad definition means that virtually any company processes personal data which may include information on the following:
- employees,
- shareholders and company owners,
- contractors and suppliers,
- customers, including prospects,
- newsletter recipients,
- other people, including those not affiliated with the company.
Reasons to automate GDPR
GDPR is among those aspects of your business which are worth automating as soon as possible because:
1. The company processes a lot of data.
Data, including personal data, accounts for a substantial part of companies’ assets, and its role continues to grow. Companies are happy to collect data but reluctant to part with it. Consequently, there is more and more personal data being stored and processed. Both the number of data subjects and the scope of data itself are increasing. This means that handling personal data absorbs more and more resources, that is, at least until it is automated.
2. It is worth taking advantage of the company’s standardized method of data collection.
Most companies process personal data that can be attributed to simple categories. For example, a call center may have access to the following data on potential customers: first name, last name, email, phone number, customer number and previous purchase records. Software still performs best when dealing with such well-structured databases. Therefore, automation in this area is certainly possible.
3. It is mandatory to record processing activities.
The company has to keep a register of personal data processing activities. The register records, in the first place, the operations performed on the data, but also a description of the categories of data subjects and the purposes of data processing. In the event of an audit, the company has to present the register to the supervisory authority. The DPO should make sure that, if necessary, the register is updated on a regular basis. So why not link the software for the DPO to the dashboard for managing the registers?
4. An IT system will protect against mistakes – automation means increased security.
The human factor is responsible for the majority of personal data leaks as well as processing and deletion errors. The need to manually update databases and registers is an unpleasant duty which can be easily neglected by employees, exposing the company to reputational and financial losses. The control over personal data and datasets provided by a dedicated IT system (e.g. GDPR Productive24) will protect against entering data in the wrong field, repeating records or duplicating entire databases.
5. Informing individuals about their processed data has become easier.
In accordance with the provisions of the GDPR, every person has the right to inquire as to what personal data of theirs is processed by a company. The reply should be provided in writing or electronically within a specified period of time. The software facilitates this process significantly and it also records an order to change the scope of data processing.
6. Deleting data is easier, too.
A request to have one’s personal data erased is a “threat” that many companies are not always able to deal with. A company has to de facto erase its knowledge of a person if it has no substantial legal interest in retaining the data. Even then, it is only permitted to preserve the data that is necessary – in such a situation this must also be adequately justified. When personal data is located in various e-mails, files and network folders, this presents a huge challenge.
The GDPR Productive24 system
GDPR Productive24 is an IT system built on the Productive24 platform that enables secure and effective management of personal data processing in an organization. Owing to the fact that the system was built on the Productive24 platform, it can be instantly and flexibly modified to precisely meet the needs of a given business and the changing requirements or new interpretations of the law. GDPR Productive24 provides:
- easy access to data,
- a system of notifications,
- management of authorizations and requests,
- risk management,
- personal data processing registers.
To what extent can GDPR be automated in a company that uses Productive24?
GDPR Productive24 can relieve employees who process personal data in a number of ways. Even at the data entry stage, information can be fed into the system automatically (e.g. from web forms). Another major benefit of automation emerges when a company starts to operate on data. In such a situation, it is possible to fully automate all processing, including the potential instantaneous deletion or anonymization of personal data. The GDPR software can also make changes to all databases linked to it when a given person’s data is updated in one of them. This will significantly facilitate, among other things, marketing and sales activities or the work of HR departments.
The system also “remembers” how long particular data can be stored or processed. After a certain period of time, it can therefore remind the user that the period allowing data collection and processing is about to expire, enabling the processor to apply for the extension of relevant consents in time, or remind them of the obligation to delete or anonymize the data.
For more about the features and applications of GDPR Productive24, see the article: Productive24 in practice: secure management of personal data