A new article from Integreon brings us a new year reminder of the importance of looking after personal data. Called Sound governance for personal data, it is written by Clare Chalkley and Claire Frazer of Integreon’s London office.
The article’s focus is on two things. One is the power of the Data Subject Access Request, that is, the right given to individuals by the GDPR (though it builds on much older rights) to control what data is kept about them. The other is the ever-present risk of data breaches. These come in many forms, but the one which most closely affects individuals is the exfiltration of their personal data from a company which knows a lot about them.
As I write, Travelex remains unable to operate its currency exchange computers – bad news for the business, but bad news also for those whose data, including credit and debit card data, has been kept by Travelex (and may still be kept by them – it is not yet clear that any data has been removed and published to add to the company’s ransom problems).
DSARs and data breaches have this in common – they both require a business to be able to say, in pretty short order, what data they hold about individuals. Whether the business faces a demand directly from an individual or wakes up to a duty to notify them that their data has been compromised, the starting-point is knowing what data was held, and where, what has been taken, and what must be said to the regulator and the individuals about it.
The Integreon article’s closing paragraph includes this:
Data breaches will occur, DSARs will be issued and these may seem like an impossible, unfair burden for the organisations affected.
The answer, the authors say, lies in “robust data governance, tried and tested procedures…and the right resources engaged to analyse and review the documents”. If you don’t have those resources, Integreon will be pleased to provide them.