Securing Steps For Personal Data
The General Data Protection Regulation (GDPR) is a European regulation intended to strengthen and unify data protection for all individuals within the European Union (EU). It also covers the export of personal data outside the EEA.
The GDPR aims primarily to give citizens and residents back control of their personal data and to simplify the regulatory environment for international business by harmonizing regulation within the EU.
Focus Areas For IT Fortify Security
Six Pillars Of Compliance
Our parent group has identified six “pillars” of the law as the key focus areas for which IT ensures compliance. They are:
Implement the necessary functionality in relevant systems to ensure that personal data can be deleted for one or more individuals upon the following set of events:
- Client-Based Events, e.g., Program Termination
- Membership-Based Events, e.g., Account Cancellations, Deletion Requests, Account Inactivity, etc.
- Data Retention-Based Events, e.g., Expiration of Retention Periods, whether required by law or for data we hold on behalf of a client
Consent to Processing
Implement functionality to obtain explicit opt-in consent (it can’t be implicit or assumed) from a member if the member’s data is used for any marketing or profiling purposes. This will include:
- The system (front-end and back-end) capability for a user to capture and manage their consent preferences
Restriction of Processing
Implement the necessary functionality that allows the marking of stored personal data so that the system limits future processing and use of the data for any purposes beyond the provision of the service. Restriction of this data should be performed upon valid requests from customers. A valid request includes:
- The processing by cxLoyalty is unlawful but a data subject objects to erasure
- The data subject disputes the accuracy of the data, so the data is restricted until its accuracy is verified
Implement the necessary data minimization measures for personal data stored on our systems. Data minimization is frequently most relevant where a particular system does not require personal data to perform its role. However, it may still be relevant for production systems if, for example, we identify that a production system is holding excess data.
Data minimization measures may include:
Anonymization or pseudonymization of personal data, i.e.
- removing or encrypting personal data
- or replacing identifying fields within a data record with one or more artificial identifiers or pseudonyms.
This can be a single pseudonym for a collection of replaced fields or a pseudonym per replaced field.
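The two pseudonym layouts described above (one pseudonym per replaced field, or a single pseudonym for the collection of replaced fields) can be implemented with a keyed HMAC, as in this added example, which is not cxLoyalty's own code. The choice of HMAC-SHA256, the field names, the sample record and the key are assumptions made for illustration.

```python
import hashlib
import hmac

# Constructed sample data; field names and key are assumptions for illustration.
DEMO_KEY = b"constructed-demo-key"  # in practice held apart from the data store
SAMPLE = {"member_id": "M-1001", "name": "Ada Example",
          "email": "ada@example.org", "points": 4200}
IDENTIFYING = ("name", "email")


def _norm(value) -> str:
    """Normalise so trivially different spellings map to one pseudonym."""
    return str(value).strip().casefold()


def _tag(key: bytes, label: str, value: str) -> str:
    """HMAC-SHA256 over a domain label plus value, truncated to 128 bits."""
    msg = label.encode() + b"\x00" + value.encode()
    return "psn_" + hmac.new(key, msg, hashlib.sha256).hexdigest()[:32]


def pseudonymize_per_field(record: dict, fields, key: bytes) -> dict:
    """Replace each identifying field with its own pseudonym."""
    out = dict(record)  # copy, the caller's record is left untouched
    for field in fields:
        if out.get(field) is not None:
            out[field] = _tag(key, field, _norm(out[field]))
    return out


def pseudonymize_collection(record: dict, fields, key: bytes,
                            name: str = "subject_pseudonym") -> dict:
    """Drop the identifying fields and add one pseudonym covering all of them."""
    out = {k: v for k, v in record.items() if k not in fields}
    joined = "\x1f".join(f"{f}={_norm(record.get(f, ''))}" for f in sorted(fields))
    out[name] = _tag(key, "record", joined)
    return out


if __name__ == "__main__":
    print(pseudonymize_per_field(SAMPLE, IDENTIFYING, DEMO_KEY))
    print(pseudonymize_collection(SAMPLE, IDENTIFYING, DEMO_KEY))
```

Because the pseudonyms are keyed, anyone holding the key can recompute them from known identifiers, so the key needs access control separate from the pseudonymized data.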
Right of Access by the data subject
Implement the necessary functionality to extract on demand all the personal data held on the database for an individual member and provide this data to the customer in an electronically readable format, e.g., CSV, XML, HTML, JSON, etc.