If we use compliant software, will that make us compliant?
Posted on 26th April 2019 at 11:25
We are regularly asked this seemingly simple question…
If we use compliant software, will that make us compliant? Our answer is always the same: no, unless! Unless what?
Let us explain!
GDPR has been enforced since the 25th of May 2018, yet the confusion is still apparent, and ticking the "GDPR compliant" box is still treated by many as the end goal.
You must understand!
You are never GDPR compliant once and for all; you are always in the process of being GDPR compliant.
You cannot tick a box and thereby become compliant.
Every one of your staff is responsible for your compliance.
And most importantly:
Any GDPR compliant software will only remain compliant if you use it in a compliant fashion after you purchase it.
What does that mean?
GDPR is all about data, and to be compliant you must follow the rules that allow the data you hold to be considered appropriately managed. Quite simply:
"Any piece of software, system or application will remain compliant until you start to use it inappropriately, by putting non-compliant data into it."
To be compliant you must be able to answer these questions:
What data do you have?
Why do you have that data?
Who has access to that data?
Who do you share that data with?
How long will you keep that data?
How is your data protected and kept safe and secure?
Now, back to the unless!
We have already said that GDPR revolves around data, and that compliance is crucially based on how that data is managed.
The social-media-aware world we live in means that an awful lot of personal data is freely available online, and many businesses still think they are entitled to harvest this information simply because it is online. If they then store it in their compliant software, that software becomes non-compliant, because they have no permission (no lawful basis) to store, control or process that data.
Any business must fully understand that if it uses data that is readily available online to progress its business, for instance emailing an advert to people whose addresses it harvested online and then stored in its software, that simple action makes both the business and its software non-compliant.
We did, however, say unless, and the unless is simple: if you can justify the data you hold, that is:
The subject is fully aware that you have it.
The subject is fully aware why you have it.
You have implemented "Appropriate Technical and Organisational Measures" to protect it (its confidentiality, integrity and availability).
Then, as long as this GDPR compliance journey is followed for as long as the data is retained, your compliant software should hold compliant data.
To follow a comprehensive GDPR/cyber compliance journey, contact us.