As long as companies are not aware of the type of data they store and where they store it, they are constantly exposed to the risk of penalties, as the GDPR, set to be introduced in May 2018, includes several tightening changes regarding correct data controlling.
It is very important that companies examine not only the areas that are primary sources of customer data, such as CRM or marketing systems. Without due care, or without developing and following proper data controlling procedures, data and duplicates may be generated and stored in the following places:
- IT systems,
- portable media instruments,
- mobile phones,
- mobile data storage facilities such as pen drives or external hard disks,
- network files,
- data charts and other documents,
- e-mails and archived inboxes,
- community posts,
- audio tapes,
- cloud-based storage places,
- uninstalled or out-of-use IT systems and instruments,
- printed documents and archives.
The above list contains only a few of the assets whose management deserves special attention from a data protection perspective. The area to be reviewed can be stunningly large, given that a very large number of companies may be present on individual markets, and together they control and store a huge amount of data.
Penalties can be avoided
We cannot emphasize enough that preparation for the new regulation to be introduced next spring should be started as soon as possible. In addition to due diligence on the company from a data protection perspective and the development of a data management policy, it is also of key importance that employees are properly informed and prepared for the integration of the new processes. Compliance with data protection criteria is no longer the isolated responsibility of the IT unit but concerns all employees of the company who manage, use or have access to customer data.