Employees come and go, and year after year they create and exchange files internally, store email attachments, and download reports. Perhaps they also work on and save files on a shared server that your organisation backs up periodically. That is all well and good, but how do you know whether you are complying with the requirements of the GDPR?
The case for effectively managing any personal data stored within your organisation is two-fold. Firstly, you need to meet your regulatory obligations, and you do not want the ICO (the Information Commissioner's Office, the UK supervisory authority) investigating you for failing to manage personal data properly. Secondly, you do not want to be the next company to make headlines because of a data breach, and data you have forgotten you hold is still data you can lose.
6 Legal Bases for Processing Personal Data
Since the GDPR began to apply on 25 May 2018, any organisation processing personal data has been required to have a valid legal basis for each processing activity (Article 6).
You may only process personal data that is necessary for the purpose you are pursuing, and that purpose must be made clear to the data subject in advance. Do you know what the six legal bases for processing personal data are according to the GDPR? Here is a reminder.
At least one of the following six legal bases must apply to each processing activity your organisation carries out:
- Consent: the data subject has freely given specific, informed and unambiguous consent to the processing of their personal data.
- Contract: the processing is necessary to perform a contract with the data subject, or to take steps at their request before entering into one.
- Legal obligation: the processing is necessary to comply with a legal obligation to which you are subject.
- Vital interests: the processing is necessary to protect the life of the data subject or of another person.
- Public task: the processing is necessary to perform a task carried out in the public interest or in the exercise of official authority.
- Legitimate interests: the processing is necessary for your legitimate interests (or those of a third party), unless those interests are overridden by the interests or fundamental rights of the data subject. Processing the data subject would reasonably expect from an organisation they have given their data to typically falls here, but you must document the balancing test.
Four years on from the GDPR taking effect in 2018, this is no longer new information for most organisations. However, when applying the rules, organisations often overlook data that has been archived or long forgotten. In addition, many do not know where to start when searching their files: the estate can run to hundreds of thousands of files in many formats, including scanned images that a plain text search will not find. You need to know what data you hold, and where, before you can review it and justify a legal basis for keeping it.
A Possible Solution…
At Nalanda, we created a cloud-based data search and discovery platform, Nalytics, to address this issue.
We already knew the solution could locate many kinds of personal information across very large volumes of files and data. After further development of the Nalytics functionality, we were also able to quickly and easily search for and extract ID card numbers, passport numbers and driving licence numbers from very old, scanned documents.
Nalanda has since delivered reports to customers showing them exactly what personal data they hold and where it is stored. The customer then has the option to have the identified data removed or redacted by us, quickly and easily, to meet GDPR requirements as and when necessary.
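To make the discover-report-redact workflow described above concrete, here is a small added example (not Nalytics code, and not the method Nalanda uses) that walks a directory of plain-text files, flags two illustrative categories of personal data with regular expressions, summarises what was found per file, and produces a redacted copy of a file. The sample corpus, file names and identifiers are constructed for the example; the two detectors are hypothetical, deliberately narrow patterns (an email address and a simplified UK National Insurance number), not a complete GDPR personal-data taxonomy, and a real discovery pass would also need OCR for scanned documents and parsers for office formats.

```python
"""Minimal personal-data discovery and redaction over plain-text files.

Added example for illustration; not Nalytics code. The detector patterns are
illustrative and intentionally narrow (hypothetical coverage), and the sample
corpus is constructed inline so the script runs offline.
"""
import os
import re
import tempfile
from dataclasses import dataclass

# Detector name -> compiled regex. Illustrative only.
DETECTORS = {
    "email": re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b"),
    # UK National Insurance number: two letters, six digits, suffix A-D,
    # optionally written with spaces. Simplified: excludes the disallowed
    # first/second letters but not the disallowed prefixes (BG, GB, NK, ...).
    "uk_nino": re.compile(
        r"\b[A-CEGHJ-PR-TW-Z][A-CEGHJ-NPR-TW-Z] ?\d{2} ?\d{2} ?\d{2} ?[A-D]\b"
    ),
}


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    kind: str
    value: str


def scan_file(path):
    """Return one Finding per detector hit, with the line it was found on."""
    findings = []
    with open(path, encoding="utf-8", errors="replace") as fh:
        for line_no, line in enumerate(fh, start=1):
            for kind, rx in DETECTORS.items():
                for m in rx.finditer(line):
                    findings.append(Finding(path, line_no, kind, m.group(0)))
    return findings


def scan_tree(root, extensions=(".txt", ".csv", ".log")):
    """Walk root and scan every file whose extension is in the allow-list."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in sorted(filenames):
            if name.lower().endswith(extensions):
                findings.extend(scan_file(os.path.join(dirpath, name)))
    return findings


def summarise(findings, root):
    """'What do we hold, and where': {relative path: {kind: count}}."""
    report = {}
    for f in findings:
        rel = os.path.relpath(f.path, root).replace(os.sep, "/")
        report.setdefault(rel, {}).setdefault(f.kind, 0)
        report[rel][f.kind] += 1
    return report


def redact(text):
    """Replace every detector hit with a labelled placeholder."""
    for kind, rx in DETECTORS.items():
        text = rx.sub(f"[REDACTED {kind}]", text)
    return text


def build_sample_corpus(root):
    """Constructed sample files; every name and identifier is fictitious."""
    samples = {
        "archive/2016/hr_notes.txt":
            "Onboarded J. Bloggs, NI AB 12 34 56 C, contact j.bloggs@example.com\n",
        "exports/customers.csv": "id,name,email\n1,Jane Roe,jane.roe@example.org\n2,John Doe,none\n",
        "logs/app.log": "2022-01-04 login ok user=42\n2022-01-04 mail sent to ops@example.net\n",
        # Not in the extension allow-list, so deliberately not scanned.
        "README.md": "Contact support@example.com\n",
    }
    for rel, content in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(content)


def demo():
    """Build the corpus, scan it, and redact one file. Returns the results."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_corpus(root)
        findings = scan_tree(root)
        report = summarise(findings, root)
        with open(os.path.join(root, "archive/2016/hr_notes.txt"), encoding="utf-8") as fh:
            redacted = redact(fh.read())
        return sorted(f.kind for f in findings), report, redacted


if __name__ == "__main__":
    kinds, report, redacted = demo()
    for path, counts in report.items():
        print(path, counts)
    print(redacted, end="")
```

The report answers the first question the article raises (what personal data do we hold, and where), and the redaction step shows why the inventory matters: once a file and line are known, removing the data is a mechanical operation. Extending the allow-list to formats that need a parser or OCR, and adding detectors for the identifiers your organisation actually holds, is where the real work lies.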
Would this functionality be useful to your organisation and help improve your GDPR compliance process?