How to forget your clients by Natasha Rawley, Archive Document Data Storage
This article was also featured as a column in the February 2016 issue of LPM. To read the issue in full, download LPM.
Happy new year, LPM readers. Yes, it’s a bit belated – but to those who haven’t received our newsletter, we wanted to say may 2017 be a wonderful year. Now let’s move onto the EU’s General Data Protection Regulation – the deadline for compliance is fast approaching (May 2018) – and this month I’d like to discuss step four of the Information Commissioner’s Office’s 12 steps to the GDPR: individuals’ rights.
This is rather a complex step, so I’ll be covering it over next month’s column as well. The ICO defines the step very clearly: “You should check your procedures to ensure they cover all the rights individuals have, including how you would delete personal data or provide data electronically and in a commonly used format.”
So, main rights for individuals under the GDPR start with: subject access – the ICO states that, under the EU’s information security regime, individuals will have the right to obtain access to their personal data. You need to ask yourself what information you hold on individuals in hard or electronic form – and remember that this includes present or past employees as well as clients.
You should create checklists for your different systems/databases to check when a past employee or client contacts you. The ICO also says that you must provide a copy of this information, free of charge, and that information should be provided without delay and, at the latest, within one month of receipt. It’s all about the process here.
You also need to have inaccuracies corrected – ask yourself, is the information you hold about a person correct? This could be tiny details, such as if their name spelled incorrectly through to a higher level of false or incorrect information you may hold on an individual, which may lead to defamation of character.
How do you currently deal with this? Is there a process in place? This process was brought into place due to large organisations mixing up individuals’ IDs in the past, and it’s here to make sure that the data you hold is not only correct but checkable and changeable.
And then, of course, there’s our good old friend: the right be forgotten. Hands up everyone that destroys both past employees and client information in line with their strict information destruction policy – both hard copy and electronic, from all internal databases and files in archive storage. It’s all about defensible disposition – you must have personal permission for how long to keep information for and stick to your policy.
The best advice I can give you is: test your procedures. Be your own mystery shopper – find out what happens when you pose as a client who wants to be removed from all databases and request files back. How long does this take? Where’s the evidence? Will your systems actually let you do this? Who signs off the confirmation for permission to delete and confirmation that everything has been deleted?
If you need help here, we’ll be adding information to our GDPR toolkit in March. Over and out for now.