With the countdown to GDPR compliance well underway, have you considered how much time data management will add to your day?
Given the complexity and volume of personal data many organisations have on file, it’s likely that even the most efficient data management processes will be time-consuming. And with non-compliant organisations facing hefty financial penalties as well as risking reputational damage, it’s easy to understand why data management under the new regulation is a source of anxiety for some.
digXcel is a new automated solution that helps organisations streamline personal data management processes, by putting control of data into the hands of its owners, the data subjects. This includes managing consents, subject access requests, data deletion requests and data breach notifications.
The digital platform features two portals: one for organisations and the other for individuals, the data subjects.
The Organisation Portal is designed to help organisations meet their GDPR requirements without interfering with ongoing operations, while the Individual Portal enables data subjects to exercise their rights under the new regulation.
digXcel for Organisations
When the GDPR replaces the existing data protection framework under the EU Data Protection Directive on May 25th, organisations are obliged to:
- Obtain and process information fairly
- Keep data for one or more specified, explicit or lawful purposes
- Keep data safe and secure
- Keep data accurate, complete and up to date
- Ensure data is adequate, relevant and not excessive
By and large, the principles of the current Data Protection Acts of 1988 and 2003 will still apply. However, there are some key changes.
Most notably, the regulation has been extended to include organisations that operate outside the EU but process or control data belonging to EU citizens. Any organisation found in breach of the regulation can be fined up to 4% of their annual global turnover or €20 million (whichever is greater).
Additionally, if a data breach is detected, both the data controller and data processor can be held accountable. Data processors must report personal data breaches to data controllers, while data controllers must report the breaches to their supervisory authority and, in high-risk cases, to affected data subjects.
Another significant change is that the conditions for consent have been strengthened. Consent forms must be accessible and laid out in simple, intelligible terms. Withdrawing consent must be as easy as giving it, and organisations should record evidence of this consent and keep consent requests separate from other terms and conditions.
digXcel affords organisations the ability to:
- Manage data subject accounts and access the Data Subject Portal.
- Manage fine-grained consents and integrations with third-party processors and systems.
- Manage access requests and data portability via integrations.
- Manage communication with data subjects regarding possible or actual data breaches affecting their personal data.
The Organisation Portal includes a number of modules, among them the Consent Management Module, which enables organisations to manage fine-grained consents and integrations with third-party processors and systems.
With digXcel, software developers can also easily add GDPR compliance support and functionality to websites, cloud services or application software with its data protection SDKs and APIs. Website plugins and integrations are available for popular platforms including WordPress, Magento, Sitefinity, Mailchimp and Campaign Monitor, ensuring organisations can streamline workflows and sync data. This is particularly important to marketing departments.
digXcel for Individuals
The main aim of the GDPR is to protect EU citizens from data and privacy breaches, and the new regulation is centred on the principle of empowering individuals to know and exercise their data privacy and protection rights.
Data subjects, individuals who own this personal data, have:
- The right to be informed
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling
- The right of access
These rights, while not all new, emphasise the need for transparency over personal data use.
The right of access is of especial importance to organisations as they prepare for GDPR compliance because the timescale for processing access requests has been shortened from 40 days to less than one month.
The digXcel Data Subject Portal includes a number of modules that provide individuals with functionality to exercise their rights. They can:
- Review and manage their personal data at any time
- Review and manage their consents
- Request copies of their personal data
- Request the deletion of their personal data
By putting control of personal data into the hands of its owners, digXcel optimises transparency, providing long-term peace of mind for both the individual and the data controller.
If your organisation is compliant under the existing EU Data Protection Directive, then the transition into GDPR compliance should be relatively smooth. That said, unless your procedures and processes for reviewing, recording and protecting personal data, as well as communicating consent and breaches with your data subjects, have been tried and tested, the road to GDPR compliance might be a little bumpy.
When it comes to fulfilling data subject requests, Recital 63 of the GDPR stipulates that ‘Where possible, the controller should be able to provide remote access to a secure system which would provide the data subject with direct access to his or her personal data.’
digXcel goes beyond this. It is not only a complete and unified solution for personal data management, but also an effective tool for building trust, satisfying customers and enhancing reputation.