I am writing to you to exercise my subject access rights under the EU General Data Protection Regulation 2016 (GDPR). To this end, would you please send me, in commonly used electronic form, all and any data that you hold relating to me. Under the GDPR you have no more than one month to do so.
Yours, A Payne
Where do you start? Every person for whom you hold any Personally Identifiable Information (PII) now has the right to request that you produce all the information you hold about them. They might also request that you delete all such information.
If it were as simple as looking in a neat folder structure and pulling out the relevant files, that would be easy enough. Unfortunately, data tends to be spread across a wide variety of systems in any number of formats. For instance, there might be a photograph of a credit card, driving licence or passport. That photograph might be embedded inside a document, and that document might be stored inside another system: a .pdf attached to an email, for instance. So how can you possibly discover all of that?
The honest answer is that, right now, you probably can't, and that you are not worried about such things. That is, until one of your employees goes to a business lunch and has their mobile phone stolen. The thief easily finds data on the phone: an email containing a picture of a bank statement, for example. It doesn't take long before he can glean further data about the owner of that statement, and then other valuable information about similar data subjects.
Sooner or later, various clients of yours discover that they have suffered financial losses, and the Information Commissioner finds out that you did not report the loss of the phone; you are fined for that. You are then fined again, 4% of total annual global turnover. This is a big hit, made worse by the loss of clients who no longer trust your ability to keep their data secure. The publicity about your transgression damages your reputation, and matters are not helped by the one client who suffered a significant financial loss owing to the leaked information and is now going to sue you publicly.
So what can you do about A Payne? To begin with, you can clean up your act in readiness for, and in compliance with, the regulation. A cyber security audit and remedial action will help you ensure that you don't fall into the trap in the first place. A critical data scan using specialist software will identify all of Mr Payne's data across the network, so that you can comply with his request, and any other, easily and in a timely manner. Your security consultant will advise on best practices for the capture, storage, use, transit and archiving of such data in accordance with the regulation, putting you in the clear.
Pixalert critical data auditor discovers data hidden in documents, databases, photographs and email systems. It is not expensive, but it could save you a fortune. It could even save your business!
Talk to us now about protecting your business future.