GDPR Individual rights – Business impact

This is a preview lecture from our online course ‘GDPR – In nutshell’. For the full course, please visit https://www.udemy.com/gdpr-in-a-nutshell/

In this lecture, we’ll discuss the business impact of the GDPR in regard to data subjects’ rights. I’ll speak about reviewing existing systems and processes. I’ll propose staff training for GDPR awareness, and I’ll talk about updating privacy policies and notices, typically on your website.

Let’s consider the business impact of the GDPR.

Under the GDPR, it’s the data controller’s responsibility to notify data subjects of their rights. Normally, this is done via a privacy notice that’s made readily available on the organisation’s website.

For small businesses in particular, serving an individual’s rights involves doing three things: reviewing existing systems and processes, training staff in GDPR awareness, and updating published privacy policies and notices.

Let’s consider these in a little more detail. What about your existing systems and processes? Do existing systems and processes allow your organisation to identify and isolate all copies of all personal data relating to an individual data subject?

It’s trickier than it sounds. Think of some of the backups that you might have. If I exercise my ‘right to be forgotten’ by your organisation, will existing processes plough through all of the backup copies of any personal data that you hold on me? If you can’t meet this requirement, then systems and processes need to be created and/or updated in order to provide this capability.

Let’s consider staff issues. Staff processing personal data need training on a data subject’s rights under the GDPR. They need to be able to recognise and properly respond to a subject access request. For general office staff, this requires an awareness and understanding of the GDPR’s obligations, plus a knowledge of any organisation-specific policies and processes that serve a data subject’s rights.

Specialist staff, say in sales, marketing, customer service, support or information security, who deal with personal information usually require more in-depth, domain-specific training on the GDPR and its impact on your business.

What about privacy policies and notices? Most organisations need to update their privacy policies and notices to comply with the GDPR.

For more information security explainer videos, subscribe to the CHL YouTube channel: https://www.youtube.com/channel/UCthdDUWBZrmnTOkmxwm5HKw

Questions about this course?
Start a conversation today.
Email David Chapman chapman@chl.co.uk
