
Bespoke Database Applications

GDPR and what it means for Database services

The General Data Protection Regulation (GDPR) has a number of key elements, all of which will need to be thought about if you intend to collect, store and process personal information.  If the data is of a non-personal nature (i.e. about your products or parts of your processes, etc.) GDPR doesn't apply.
 
GDPR will become law on 25th May 2018 for all EU countries and is currently being brought into UK law on the same timescale.  There are a few slight changes proposed to the UK version, including a lower age of 13 for child-oriented data.  This law will still be in place post Brexit.  The law applies to any company globally that processes personal data about EU citizens.
 

What is personal information?

Personal information is anything that can identify an individual, such as name, postcode, phone numbers, email address and even IP addresses.  There is also a more sensitive category of personal data which needs more careful handling, including biometrics, religious and political views, etc.
 

You will need a nominated data controller, a Data Protection Officer (DPO)

 
As a company handling personal data you will need to appoint a Data Protection Officer.  The role of the DPO is to be the named person responsible for ensuring the law is upheld for all relevant data within your company.  The person will need to ensure that processes for capturing, handling and processing data are within the law and that any breaches of data are reported in a timely manner.
 

People will need to freely consent if you want to collect information about them

 
The law is trying to protect individuals' data from abuse.  It changes the existing data protection law so that any private individual must freely give their permission for their data to be stored, and must give express permission for what that data is used for.  This has many implications for marketing and communications.
 
It will no longer be acceptable for companies to assume someone has opted in because they ignored a pre-ticked box or through account inactivity.  People will need to make a positive opt-in to the specific things the company wants to use the data for.
 
The forms will have to be clear, and the process and the exact words used to sign people up will need to be kept with the records as proof.
 

People's right to be forgotten, to have data deleted and to request data

 
As well as the opting-in process, a private individual will have rights once opted in, including:
  • The right to request what data is stored against their name (this must be sent free of charge within 30 days);
  • The right to have data deleted; and
  • The right to be forgotten (RTBF).
 

Fines for not complying

 
Companies that do not adhere to the law can potentially face large fines amounting to 2-4% of global turnover.  However, there is likely to be a period of querying and testing the law, with companies receiving strongly worded letters before large fines are issued.
 

Data breaches need to be reported within 72 hours

 
Where companies lose data or have their data compromised by hackers, they will need to report the extent of the data breach within 72 hours to the Data Commission.  The company will also need to notify the people whose data is involved in the breach.
 

No automated profiling of data

 
Automated profiling of data is not permitted under GDPR unless express permission has been given by the person being profiled.  This will impact direct marketing companies that rely on profiling to target specific groups of customers.
 
The impact on direct marketing campaigns, customer databases, inbound marketing and social media all comes down to making sure the people you hold information about know that you have it, that it was given freely, and that they are happy for it to be stored and to continue to be used for the purposes specified.
 

Things to check regarding your data

 
  • Who is your nominated DPO?
  • What personal data do you hold in your company?
  • How is it collected, and who has opted in for what?
  • What do you need the data for?
  • Can you secure the data?
  • Can you provide a copy of the data held against an individual?
  • Do you use cookies on your website?  Do you have permission to store these?
  • What forms do you have on your website, and do they comply?
  • What data do you store in your CRM?  Is it up to date and still relevant?
  • How do you do direct marketing, and what data is used?
 

Why it's best to deploy a database / web software approach vs data stored in a spreadsheet

 
There are a number of obvious benefits of using a database and web solution for your data when it comes to GDPR; the main reasons are as follows:
 
  1. Use of a centralised database allows you to store data securely and back the data up.  Spreadsheets are prone to being deleted, copied, emailed out of the organisation, having their data structures changed, etc.
  2. You have no access control with a spreadsheet.
  3. Using a web based database you can record where data came from as part of the dataset.  You can do this with a spreadsheet, but by using a central database and web based software you can build the function into the data capture process.
  4. Respond faster to data requests and RTBF.  With the data stored centrally it is easier to access; there is no need to find the correct spreadsheet.  It is also possible to automate the process, making it faster to respond to requests.
  5. Easier to define a process.  Software that is built for a specific process is easier to maintain than any process wrapped around a spreadsheet, which is prone to change.
  6. More structure to the data and to what is and is not stored.  Spreadsheets are inherently flexible: new columns and data fields can be added at will by the user.  Database-backed, pre-programmed software removes this danger.
 
Spreadsheets are great for modelling and manipulating data, but not as good for running specific structured processes or for securing personal data, both of which are key requirements of the new GDPR.
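To show what points 3 and 4 above (and the "keep the words used to sign people up with the records" requirement) look like once the data lives in a database rather than a spreadsheet, here is an added example written for this page; it is not code from Activ-STEP or from any product the post describes.  It uses Python's built-in sqlite3 module with a constructed schema of three tables: the person, each specific opt-in they gave (with the exact consent wording and the form it came from), and an audit log that survives erasure but holds no personal data.  Table and function names, and the sample person, are all assumptions made up for the example.

```python
import sqlite3
from datetime import datetime, timezone

# Constructed schema for this example; a real application's tables will differ.
SCHEMA = """
CREATE TABLE subject (
    id    INTEGER PRIMARY KEY,
    name  TEXT NOT NULL,
    email TEXT NOT NULL
);
CREATE TABLE consent (
    id           INTEGER PRIMARY KEY,
    subject_id   INTEGER NOT NULL REFERENCES subject(id) ON DELETE CASCADE,
    purpose      TEXT NOT NULL,   -- one specific use, e.g. 'newsletter'
    consent_text TEXT NOT NULL,   -- the exact wording the person agreed to
    source       TEXT NOT NULL,   -- where it was captured, e.g. 'web_form:/signup'
    given_at     TEXT NOT NULL,
    withdrawn_at TEXT
);
CREATE TABLE audit_log (
    id         INTEGER PRIMARY KEY,
    event      TEXT NOT NULL,
    subject_id INTEGER,           -- only an id; no personal data, so it can outlive erasure
    at         TEXT NOT NULL
);
"""

def open_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")   # SQLite needs this for ON DELETE CASCADE
    conn.executescript(SCHEMA)
    return conn

def _now():
    return datetime.now(timezone.utc).isoformat()

def _audit(conn, event, subject_id):
    conn.execute("INSERT INTO audit_log(event, subject_id, at) VALUES (?, ?, ?)",
                 (event, subject_id, _now()))

def add_subject(conn, name, email):
    cur = conn.execute("INSERT INTO subject(name, email) VALUES (?, ?)", (name, email))
    _audit(conn, "subject_created", cur.lastrowid)
    return cur.lastrowid

def record_consent(conn, subject_id, purpose, consent_text, source):
    """Store the opt-in together with the wording shown and the form it came from (proof)."""
    conn.execute("INSERT INTO consent(subject_id, purpose, consent_text, source, given_at) "
                 "VALUES (?, ?, ?, ?, ?)", (subject_id, purpose, consent_text, source, _now()))
    _audit(conn, f"consent_given:{purpose}", subject_id)

def withdraw_consent(conn, subject_id, purpose):
    conn.execute("UPDATE consent SET withdrawn_at = ? WHERE subject_id = ? AND purpose = ? "
                 "AND withdrawn_at IS NULL", (_now(), subject_id, purpose))
    _audit(conn, f"consent_withdrawn:{purpose}", subject_id)

def has_consent(conn, subject_id, purpose):
    """Gate each use of the data on a live opt-in for that specific purpose; no default 'yes'."""
    row = conn.execute("SELECT 1 FROM consent WHERE subject_id = ? AND purpose = ? "
                       "AND withdrawn_at IS NULL LIMIT 1", (subject_id, purpose)).fetchone()
    return row is not None

def export_subject_data(conn, subject_id):
    """Subject access request: everything held against one person, or None if unknown."""
    subj = conn.execute("SELECT id, name, email FROM subject WHERE id = ?", (subject_id,)).fetchone()
    if subj is None:
        return None
    cols = ("purpose", "consent_text", "source", "given_at", "withdrawn_at")
    rows = conn.execute(f"SELECT {', '.join(cols)} FROM consent WHERE subject_id = ? ORDER BY id",
                        (subject_id,)).fetchall()
    _audit(conn, "access_request_served", subject_id)
    return {"id": subj[0], "name": subj[1], "email": subj[2],
            "consents": [dict(zip(cols, r)) for r in rows]}

def erase_subject(conn, subject_id):
    """Right to be forgotten: delete the person and, via CASCADE, every consent row;
    only the dataless audit entry remains as evidence that the request was honoured."""
    erased = conn.execute("DELETE FROM subject WHERE id = ?", (subject_id,)).rowcount == 1
    if erased:
        _audit(conn, "subject_erased", subject_id)
    conn.commit()
    return erased

def audit_events(conn, subject_id):
    return [r[0] for r in conn.execute("SELECT event FROM audit_log WHERE subject_id = ? "
                                       "ORDER BY id", (subject_id,))]

def demo():
    """Walk one constructed person through opt-in, access request and erasure."""
    conn = open_db()
    sid = add_subject(conn, "A. Example", "a.example@example.invalid")  # constructed sample
    record_consent(conn, sid, "newsletter",
                   "Yes, email me the monthly newsletter. I can unsubscribe at any time.",
                   "web_form:/signup")
    before = export_subject_data(conn, sid)
    erase_subject(conn, sid)
    after = export_subject_data(conn, sid)
    return before, after, audit_events(conn, sid)
```

The consent wording and source are stored next to the record at capture time, which is the "build the function into the data capture process" point: a spreadsheet can hold a "source" column, but nothing forces anyone to fill it in.  `export_subject_data` and `erase_subject` are the two requests the post says become faster to answer when data is central, and the audit log lets the DPO show that each request was served without keeping the personal data itself.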


Blog Author

Mark Carver, Director of Activ-STEP, has over 25 years of technology marketing experience, with the last 14 years running his own successful technology marketing agency.  Mark prides himself on his attention to detail and his ability to deliver projects under cost and time pressures.  Mark has completed numerous projects over the past 14 years whilst at Activ-STEP.  Clients have benefited from his strategic perspective on marketing as well as an excellent understanding of technology and how it can be applied.

Mark is now using his skills to build web based database applications to help businesses improve their data security, accessibility, communication and efficiency.  Mark has built numerous websites and associated applications which have taken data from a spreadsheet and turned it into a web based app.
