GDPR and right of access
If you have not yet heard anything about GDPR (acronym for General Data Protection Regulation), it's a new regulation (effective from May 2018) regarding how your business handles data about individuals. There is a lot of noise at the moment to scare businesses, but very few concrete solutions are offered for a problem that is in fact very straightforward to handle.
Your GDPR journey will start with a 1-day audit (or more if your business is larger) that will very likely tell you that your business needs to comply. The audit is obviously not just technical. The half-day workshops we're about to launch will provide all materials to start.
Once you know GDPR applies to your business, one of the items you will have to deal with is the request from individuals to obtain:
- confirmation that their data is being processed;
- access to their personal data;
- and other information (example: the source and recipients of the data, the envisaged retention period for the data etc.)
I already hear you saying: "it won't happen to my business, we're too small for the Data Commissioner to start prosecution". You are right: the real risk will in fact come from individuals and their solicitors, who will see this as a golden opportunity. Before I forget, your staff have the right to request what you hold on them.
The good news is that you have one month (was originally 40 days) to produce the information.
So, let's say your business uses one of the big names in CRMs. These so-called "standard" systems are in fact tool kits, customised by the addition of fields to map existing processes as opposed to imagining a better way to run your business. They may be in the cloud, but they are still heavily customised.
My first piece of advice: start budgeting, because you will need to add reports that show the relevant data, who has access to it and why you keep it. And budget more, because not all your data is stored in the same system. You may also weigh the risk and budget of doing nothing and dealing with it within the month when the first request comes. There surely won't be more than one request at a time...
Our approach at Wandsoft is transparency, so the GDPR shift for us is minor. Wandsoft has one comprehensive solution, and once we've asked about your needs, we usually have one of our 45 modules ready to handle the problem. A customer change request becomes a standard feature of the package, with parameters to activate it or not. We are also tracking what our own staff does to ensure they only deal with what they are asked for.
On the CRM and ERP side of things, we've added screens to map relevant parts of the system with retention period, reason for storage etc. So when data access is requested, it'll be available at the click of a button. For paper copies of private information, you will still need to open the filing cabinet and make the photocopies yourself. There is probably a start-up offering such a service; an alternative is to store a version in our document management system.
Since Wandsoft has only one version, any future GDPR related additions made to the system will be flagged for your attention. It'll be up to you to decide if they are relevant to your own business.
My second piece of advice: for the budget you are going to spend on making your system able to cope with this legislation, why not consider an alternative that will cost you less in the long run?
We'll be happy to discuss your SME GDPR needs... You can reach us on +353 1 9059010 (Eire/UK) +32 2 808 02 08 (FR/BE).
Chief Innovator - Wandsoft