28 August 2017
Technology and GDPR
In a contributed byline for GDPR:REPORT, Mike Jones and Toby Bryans, executives at DataArt’s Finance Practice, discuss the impact of the EU’s upcoming General Data Protection Regulation (GDPR) on organizations that process personal data of EU and EEA citizens.
“The re-definition of how data can be collected, used and stored, has technical and systemic implications for organisations. Among other things, there are changes to the legal framework for handling data and new “rights” are granted to the data subject. Both of these will change the way an organisation engages with individuals.
The new legal framework reverses the burden of proof and places it on the organisation. This means Privacy Notices will need active maintenance. Organisations will need to implement version control, keeping a record of which notice applied to which data subject for which product. Without it an organisation will be vulnerable… Similar to Privacy Notices, an organisation will want to have a record of which consent applies to which data subject, for which product and for how long.
These two significant legal issues will drive the development of strong audit capabilities, not just for compliance but to manage potential exposure to claims or possible class actions.
The rights of access, rectification, data portability and the right to restrict processing all suggest there will be multiple new reasons for customer contact. These rights will require the organisation to securely provide access to information about the data they store, how they use it and provide the ability to change it…. The right to be forgotten is perhaps one of the more interesting new rights. Beyond the simple question of how to make it happen, it has multiple implications and it’s not a blanket right.”