There are three technology-based goals that GDPR aims to achieve:
1. Organisations to take ‘appropriate technical and organisational measures’ to protect data
The Information Commissioner’s Office is clear that when developing these measures, organisations must pay attention to the ‘nature, scope, context and purposes of processing’ involved. “We recommend that you carry out a risk assessment to understand the full impact your technology can have upon individuals’ rights,” says Eric Hughes of EMH Technology. “Many business owners have carefully thought through their marketing strategy and operational processes. Technology plays a vital role and has often been overlooked.”
2. Individuals’ rights to be protected by the technological environment
GDPR is very clear about the rights of individuals. To enable your organisation to meet this obligation, your technology should offer the following functionality:
- Connect people to their personal data
- Identify personal data by type, and by processing purpose (there are six acceptable bases for processing personal data, including legitimate interest, contract and consent).
- See the full information lifecycle
- Perform search and retrieval of information
- Allow update, redaction, anonymization, suppression and erasure of information held as needed
- Transmit personal data from one technology stack (software/product combination) to another
3. A proper approach to technology design and deployment
These system design requirements help data protection to flow into technology:
- Accountability
- Recording of processing activities
- Default data protection
- Impact assessments for data protection
- Breach notification
In summary
Organisations controlling personal data need to implement appropriate technical and organisational measures to demonstrate that they are GDPR-compliant. “Technology has always had an essential role in data protection,” says Eric Hughes. “The new regulation is formalising best practice rather than introducing revolutionary measures.”
GDPR isn’t going away and customers are more aware of their rights regarding their data than ever before. EMH Technology works with clients to establish a web portal for GDPR management. This provides a central place to document and manage your GDPR obligations, including:
- Data processing activities
- Risk assessments
- Data access requests
- Data breaches
Please contact us if you would like to find out more about a web portal for GDPR management.
Or to discuss how your technology supports your data protection requirements, contact us for an initial discussion without obligation.