Complying with personal data rights

Businesses holding personal data need to ensure their procedures are fit for purpose and compliant under the General Data Protection Regulation (GDPR), which comes into force on 25 May 2018.

The upcoming legislation will also grant individuals new rights over how their personal data is handled by their employers.

According to research by analytics institute SAS, which polled 2,000 working adults, 50% said they intend to exercise their rights over personal data when the legislation comes in.

Those aged between 45 and 54 were most likely to issue a request, with 21% aiming to exercise their new rights within the first month.

13% of those aged 18 to 24 would also submit a request to their current employer.

Among those surveyed, people want the rights to:

  • access their personal data (64%)
  • remove their personal data from certain systems (62%)
  • rectify inaccurate or incomplete personal data (59%)
  • contest the accuracy of their personal data (54%)
  • seek human intervention if they disagree with an automated decision (43%).

The research also explored which businesses would be most likely to receive requests from staff to remove, or provide access to, their personal data.

Social media companies (39%), retailers (33%), insurers (33%) and supermarkets (30%) saw the highest percentage of staff likely to request the removal of their data.

Charles Senabulya, vice-president and manager for SAS UK & Ireland, said:

“Overcoming this challenge presents an opportunity for organisations as they form a new type of relationship with their customers that is bound by integrity, understanding and respect for their individual choices. 

“We are entering a new data era that requires a firm grip of customer data, one that rewards consumers as well as protects their right to privacy.”

Compliance requirements for businesses

All businesses within the EU will be affected by GDPR and, if found non-compliant, may face fines of up to €20 million or 4% of annual global turnover.

To comply with the rules, employers must have tools in place for storing personal data, as well as for keeping and processing that data lawfully.

Some of the processes that will become necessary for employers to manage personal data include:

  • data protection impact assessments based on questionnaires
  • a complete list of systems and their associated risk ratings
  • a predefined list of controls in addition to existing controls
  • policy management and life-cycle tracking of all policies, to monitor them and improve communication
  • a clear overview of roles and responsibilities
  • linking systems, processes and business owners in data flows.