Hi All,
With the incoming General Data Protection Regulation go-live less than a year away, and the general desire to share information for the benefit of Health and Safety, have you found that people are now looking to reduce the level of information stored and classified to "comply with GDPR"?
At Infosec (IT Security Show) last week, mention was made of likely data subject requests forcing extremely expensive data gathering exercises and resulting in a general desire within organisations to "get rid of data" to ensure that organisations store as little as possible, to the extent of expunging subject data from archived backups & records!
Such requests would require documents relating to the subject, such as emails, records & correspondence mentioning the data subject, to be made available with no fee (reduced from £10), and such records will have to be made available within a very short timescale.
CCTV is also covered under the regulations.
Obviously a significant document to add to the management systems, available at:
Information Commissioner's guide:
https://ico.org.uk/for-organisations/improve-your-practices/data-protection-self-assessment/getting-ready-for-the-gdpr/ (questions)
https://ico.org.uk/media/for-organisations/documents/1624219/preparing-for-the-gdpr-12-steps.pdf (steps guide)
https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/ (homepage)
European Directive:
http://ec.europa.eu/justice/data-protection/reform/files/regulation_oj_en.pdf (directive)
CIPD
https://www.cipd.co.uk/knowledge/fundamentals/emp-law/data-protection
How will auditors review documents, and what about auditing/sharing across the "supply chain" (already an issue)?
What will human resource departments offer as advice/requirements/guidance?
Who will go through and sort archives of data to select what needs to be kept and what does not?
Wholesale changes to IT and processes will happen soon if not already.
Thoughts on how organisations can best comply would be welcomed, as I can see the "can of worms" well and truly open.
Migration of data storage to a "new compliant system" will probably take/add significant resource requirements to an already busy schedule.