Now my old boss used to say that the experts are the ones who read the information first! So having your systems assessed for something quite as powerful as GDPR [General Data Protection Regulation] and ensuring you are fully compliant is most often handed over to an external company with the necessary skills and expertise to advise and make recommendations for your company to adhere to.
GDPR won’t accept the line ‘we have a company that does that for us’.
So we started this process because our aim has always been that the owner of the information should be in control. We are going to go through our process here, showing the pains and the gains that we can all expect. We want to highlight that GDPR is everybody’s responsibility, internally and externally to the organisation, and this means the owners of the information as well!
Well-known fact – 9/10 people will and do release personal, identifiable information daily for a discount coupon, not knowing who will hold it or what is going to happen to this data.
Therefore the regulations are there to protect all individuals, and most of the scaremongering so far tells us it’s going to cost us massive amounts of time and money if we don’t comply. In reality it is a mechanism to protect us too. This is an opportunity for us to be clear about what we do with all the data we capture: making sure that the data is assessed as current, relevant and up to date; having controls in place to permanently remove PII [Personally Identifiable Information] when requested or when it is no longer relevant; and lastly informing the relevant parties if we have a breach and data is at risk.
So it is an opportunity that is going to take a bit of work, but this level of transparency shows we value our customers’ information and business, and are happy to support and inform them so they can take better control of their information and ultimately their identity.
So the first step for us was to do our PIA [Privacy Impact Assessment]. What we needed to confirm – what we do…
The Vaultproof© process is a personal, secure virtual data file with these key goals:
- Facilitate and supply information in a digital format directly from the hands of the data owner via a controlled environment.
- Ensure the data owner is fully informed and experienced in what actions they are taking with their information, and, with tag and trace technology, that they retain control throughout a relationship.
- Vaultproof© allows Edu’s to view and confirm current relevant data and open a communication relationship without physical or digital collection, removing the need to store data and giving back time and resources to administrators.
- Record keeping and audit are part and parcel of education and course providers’ daily interactions; Vaultproof© offers this without compromising identifiable data.
How and why we do what we do – the assessment of our activities, current and proposed
This process supplied and flagged up the following relevant information, which we used to document our assessment performance.
- The options and methods for individuals to provide consent for the collection of their PII. We confirmed that our customer contract sets the above out clearly.
- The information we collect and store complies fully with privacy-related legal and regulatory compliance requirements, using GDPR as our measuring tool.
- The risks and effects of collecting, maintaining and disseminating PII have been identified and, where possible, resolved or removed.
- Protections and processes for handling information to alleviate any potential privacy risks are in place, supporting all our customers in being fully compliant.
Anybody who knows me will know that I am an SOP [Standard Operating Procedures] sceptic, as I feel 99.9% are not working documents, especially in the services sector. In services, the 0.1% that is working is the relevant point around “if you do not follow due diligence in your customer interaction you will be in breach of your employment contract and will be removed from your post, with possible litigation”. That one, for some reason, catches people’s attention, and this is the same type of stick we are running from with GDPR: ‘fines and prosecution’. So rather than mould GDPR into a set of SOPs, we went for a new set of WOPs [Working Operating Procedures]: our contract with our customers!
So, the stage one reference points for you are:
I know there will be plenty more tangents for me to go off on, as there is a minefield of information out there. In my next blog I aim to let you know if this is “Working”, but I will always aim to bring it all back to basics: the owner of the information must take control, and it’s our job to inform and facilitate!
Please comment on this blog with any thoughts or findings you come across that will help on this journey of discovery!