In a previous blog article we looked at the first of the 4 stages you should follow when getting ready for the GDPR. To recap, these are:
- Discovery – identify what personal data you have and where it resides
- Management – govern how personal data is used and accessed
- Protection – establish security controls to prevent, detect and respond to vulnerabilities and data breaches
- Reporting – execute on data requests, report data breaches and keep the required documentation
In this blog posting we are going to look at stage 2 – management.
The GDPR provides data subjects – individuals to whom data relates – with more control of how their personal data is captured and used. Data subjects can, for example:
- Request that your organisation shares data that relates to them
- Transfer their data to other services
- Correct mistakes in their data
- Restrict certain data from further processing in certain cases
In some cases, these requests must be addressed within fixed time periods.
In order to satisfy your obligations to data subjects, you will need to understand what types of personal data your organisation processes, how and for what purposes. The data inventory discussed in our previous blog article is a first step to achieving this understanding.
Once that inventory is complete, it is also important to develop and implement a data governance plan. A data governance plan can help you define policies, roles and responsibilities for the access, management, and use of personal data and can help you ensure your data handling practices comply with the GDPR.
For example, a data governance plan can give your organisation confidence that it effectively respects data subject demands to delete or transfer data.
To find out more, or to discuss your GDPR obligations, please contact us.