As the clock counts down to the General Data Protection Regulation (GDPR) deadline of 25th May, an increasing number of individuals are becoming aware of the change in law, predominantly through organisations reaching out in a panic to seek consent before they have to delete the personal data they hold on file for marketing purposes!
Here at Anana, we have a more prepared approach, as we have always taken data protection within our systems seriously and have kept it baked into all solutions we provide to our customers.
We have worked closely with our customers and have highlighted the steps we follow within Anana for general compliance, and to aid each of our customers with their data protection due diligence. We guide and assist with their processes on how best to follow the principles of GDPR. These steps are as follows:
- GDPR Requirements – We confirm with our customers whether GDPR is a requirement under the services we provide them.
- Data Process Maps – We produce high-level data flows of all Personally Identifiable Information (PII) in our systems and services for our customers. This informs us as to what data we hold on our customers' behalf, and how it is processed.
- Data Records Management – We create a detailed list of all PII we are processing for our customers. This highlights the purpose the data was collected for, its security controls and retention, where the data is stored, who has access to it and whether the data leaves the EEA, and serves as input to any information audits the customer may be completing.
- Sub-Processors – We produce a list of all processors that Anana use to provide our solutions to customers and demonstrate that we have contractual agreements with them that highlight GDPR obligations.
- Lawful Basis – We clarify that our customers are responsible for controlling their lawful basis for data processing at the point data is collected. Should consent be required within our systems, we plan its implementation with our customer.
- Subject Access Requests – We create a process for our customers to identify and export any PII should a data subject request access to their data.
- Right to be Forgotten – We create a process for our customers to identify and anonymise or delete any PII should a data subject request to be forgotten.
- Data Protection Impact Assessments – We collate all the above to complete a Data Protection Impact Assessment for our customer to demonstrate the solution's compliance with GDPR.
For more information on how we can help with GDPR obligations, please reach out to your account manager, or contact us on +44 (0)8 444 999 888 or firstname.lastname@example.org.