Sound Governance for Personal Data
by Clare Chalkley, Vice President - Legal Services, Integreon and
Claire Frazer, Director - Legal Services, Integreon
Data is on everyone’s mind these days. Personal data, data security, data privacy, data breaches, data governance – all these terms dominate today’s headlines and C-Suite discussions.
Data is often thought of as a single mass of information, but the term covers anything from one piece of identifying information to a seemingly infinite supply of emails, documents, graphics, multimedia recordings and more.
Because of its sheer volume and the frequency with which it is mentioned, data has become an abstract technical concept, but data itself is not abstract. Data has real effects on people’s lives and on a company’s reputation. Data is what proves identity and individuality, and as such it is not a collective thing. Each piece of data can be linked to a specific individual, and organisations at fault for the loss or reckless treatment of data can face severe penalties.
For purposes of privacy and security, organisations must have a clear understanding of the data they hold and be prepared to justify why they have it, how they use it and who they share it with.
Personal data is defined as identifying information relating to a living person. That data can exist in many different formats across multiple systems, such as:
- Hard copy / paper and electronic documents
- Human resources files
- Email systems
- Company laptops
- Server data
- Recordings of phone calls
- Closed-circuit television (CCTV) footage from security and other video cameras
- Messages sent via internal messaging systems, SMS or WhatsApp
- Client databases
- Sales databases
In force since May 2018, the GDPR regulation safeguards EU citizens’ rights to access and control their personal data. A driving principle behind GDPR is to provide individuals with more control over and access to their personal data stored by entities with which they interact. Under certain circumstances, GDPR can also award individuals the right to be forgotten and to have their personal data erased.
To establish a strong data governance policy, organisations need to understand the following:
- What data is collected and who does it belong to?
- Why was it collected?
- How and where is it stored?
- Who has access to it?
- How is it shared and used?
- How long is it retained, and is it purged once retention is no longer required?
DSAR (Data Subject Access Request) is a term introduced in the GDPR legislation. A DSAR provides individuals with a mechanism to obtain copies of the personal data an organisation holds on them. Since May 2018, DSARs have become widespread. Individuals can “DSAR” an organisation (in writing or verbally) as many times as they like (within reason) and pay no fee. The organisation then has one calendar month to respond to the DSAR, with the day of the request’s receipt counting as Day 1, regardless of the DSAR’s scope. Some individuals intentionally “DSAR” a company repeatedly as an act of defiance or retaliation. As the circumstances in which an organisation can refuse to comply with a DSAR are very narrow, the pressure is on.