The GDPR Series – The Accountability Principle
Entry 2 of 6
Welcome to the second of our 6 part series on GDPR. With so much emphasis on the new regulation and the May 25th deadline drawing closer, we wanted to offer you some assistance in addressing the key questions around the new requirements. As you know, acceptcards are experts in payments... but not so much in data protection regulations. With this in mind, we've invited our friends from Legacy IT Consultants Ltd to write this guest series on our behalf. Enjoy!
The General Data Protection Regulation (GDPR) is an EU regulation that seeks to strengthen and unify data protection for all EU residents. The Accountability Principle is the most significant addition to the Data Protection legislation, covering how data is stored and processed.
Data should be…
- Processed lawfully, fairly and in a transparent manner
- Collected for specified, legitimate purposes and not processed for any other purposes
- Sufficient for and limited to the purposes of the legitimate processing (only collect the data that you need)
- Accurate and up to date
- Not retained for any longer than is necessary to perform the processing and any subsequent statutory requirements
- Protected against unauthorised or unlawful processing, accidental loss, destruction or damage
In practice, this would seem to be an onerous change for organisations, but it really should not be.
Let's examine each of the above points...
- This means that you must have a reason for the processing that you undertake, that reason must be legitimate, and you must inform the individual in advance of what that processing will be.
- The data that you collect must be for a specific purpose and must not be used for any other purpose. For instance, if you do not inform the individual that their data may be used for marketing, then you cannot use it for marketing.
- There has been a tendency in the past to collect data ‘just in case’ – if you do not need to know the individual’s favourite sports team, shoe size or place of birth for the processing that you are about to undertake, then do not ask for it.
- Ensure you have a process to collect and implement changes to the data, for instance change of address, marital status, etc.
- This may be the clause that causes most problems. The concept of deleting data is alien to many organisations, and a lot of CRM systems, both bespoke and off the shelf, have neither the ability to remove an individual’s data nor the functionality to delete aged data. For many transactions the statutory requirement to keep data will be six years in order to defend complaints. Beyond this the data should be deleted, or anonymised so that it cannot be traced back to the individual.
- Security, both within your organisation and within any third party organisations that you legitimately share data with, is paramount. Firewalls, threat detection, encryption, all of these and more can contribute to the security of your data.
The GDPR requires that you can demonstrate how you comply with the principles, for instance by documenting the decisions that you take about a processing activity, such as: "We will capture a customer's previous address if they have not lived at their current address for more than three years so that we can execute a credit check." This reasoning should be documented alongside other data mapping activities in your Evidence Library.
For more information, advice or assistance on the GDPR please visit the Legacy IT website or email them at email@example.com
Author: Mike Madden - Legacy IT Consultants Ltd.