Key GDPR Questions for Every Business to Answer Now Part 2

Last time we looked at questions over controlling and processing data and what informed consent means under GDPR.

This time it’s questions about having the right GDPR systems and processes in place to respond effectively and in a timely manner to requests.

GDPR Systems and Processes

Do I have systems to provide copies of the data held on an individual? And can I do so within a month of the request, and also rectify that record if necessary within a month? If you are a small business and manage to take a 2 week holiday or travel extensively, it’s worth noting that the month starts from the date of presumed delivery. So in reality the time available to provide the data could be 10 days or less.

Do I have systems in place to enable an individual’s record to be erased? This is not as easy as it sounds, as the best way to ensure that someone is not re-added to a computer system is to keep a record.

Additionally, do our systems allow us to restrict processing of that record? This gets over the deletion issue, but needs a failsafe so that the record is not processed. Where many people can access a system such as a CRM, the tagging needs to be clear to avoid erroneous processing by another team member.

In good email marketing systems this could be the master list of unsubscribes, which prevents that address being re-added in a data upload and being included in a send.
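One way to build that master suppression list so it blocks both upload and send without keeping the erased address in plaintext, as an added example that is not part of this post or any particular marketing product; the PEPPER value, the MarketingList class and its method names are assumptions for illustration:

```python
import hashlib
import hmac

# Assumed: a secret pepper held outside the marketing database (placeholder value).
# With it, the suppression table alone cannot be brute-forced back to addresses.
PEPPER = b"replace-with-a-secret-kept-out-of-the-db"


def normalise(email: str) -> str:
    # Match case-insensitively and ignore surrounding whitespace.
    return email.strip().lower()


def fingerprint(email: str) -> str:
    # Keyed hash of the normalised address: the "record kept to stop re-adding"
    # is this fingerprint, not the personal data itself.
    return hmac.new(PEPPER, normalise(email).encode(), hashlib.sha256).hexdigest()


class MarketingList:
    def __init__(self):
        self.contacts = {}       # fingerprint -> {"email": str, "restricted": bool}
        self.suppressed = set()  # fingerprints of erased / unsubscribed addresses

    def erase(self, email: str) -> None:
        """Erasure: drop the record, keep only the fingerprint so it cannot return."""
        fp = fingerprint(email)
        self.contacts.pop(fp, None)
        self.suppressed.add(fp)

    def restrict(self, email: str) -> bool:
        """Restriction of processing: keep the data but tag it so it is not used."""
        rec = self.contacts.get(fingerprint(email))
        if rec is None:
            return False
        rec["restricted"] = True
        return True

    def upload(self, emails) -> list:
        """Bulk import gate; returns what was added, silently skipping suppressed addresses."""
        added = []
        for e in emails:
            fp = fingerprint(e)
            if fp in self.suppressed or fp in self.contacts:
                continue
            self.contacts[fp] = {"email": normalise(e), "restricted": False}
            added.append(normalise(e))
        return added

    def send_targets(self) -> list:
        """Send-time gate: neither suppressed nor restricted records receive mail."""
        return sorted(r["email"] for fp, r in self.contacts.items()
                      if not r["restricted"] and fp not in self.suppressed)
```

The same fingerprint check runs at both gates, so a re-upload of a varied spelling of an erased address is caught before it ever reaches a send.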

Computer says no?

Increasingly we automate procedures for cost efficiency or to segment our customer base. This ensures they receive only those messages we think they are interested in. But if these decisions are made by computer, what is the human intervention when challenged? So if you are using, say, data mining without human intervention and a decision is made, what is your process for appeal by the individual/recipient, and how do you override it?

“Computer says no” is no longer allowed without a human agreeing with it. Again, this is not as easy as it appears. The 2008 crash was caused by only a few in the financial services industry challenging what their computers said when the decision was based on complicated mathematical models. In other words, they didn’t know enough to know the answer was wrong or highly risky.

What’s next

Now is the time to review your GDPR systems and to challenge all of your assumptions over speed of response and automated decision making. Next time: governance and accountability.